Apache HTTP Server Integration
Overview
This integration collects Apache HTTP Server access logs, error logs, and optional ModSecurity WAF audit logs for web attack detection and application security monitoring. Apache holds 30-40% of the Korean web server market alongside Nginx.
Supported versions: Apache 2.4.x
Prerequisites
- A KYRA MDR Collector installed and running (Installation Guide)
- Root or sudo access on the Apache server
- Network connectivity from the server to the collector on port 514
Configuration
rsyslog File Monitoring (Recommended)
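Create an rsyslog configuration to tail Apache log files and forward them to the collector:

    # Load the file-input module
    module(load="imfile")
    # Tail the Apache access and error logs, tagged onto facility local6
    input(type="imfile" File="/var/log/apache2/access.log" Tag="apache-access" Facility="local6")
    input(type="imfile" File="/var/log/apache2/error.log" Tag="apache-error" Facility="local6")
    # Forward everything on local6 to the collector over TCP (@@ = TCP, a single @ = UDP)
    local6.* @@KYRA_COLLECTOR_IP:514

Restart rsyslog:

    sudo systemctl restart rsyslog
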
Combined Log Format
Ensure Apache uses the combined log format for full request context:

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    CustomLog /var/log/apache2/access.log combined

ModSecurity WAF Logs (Optional)
If ModSecurity is installed, enable audit logging for advanced attack detection:

    SecAuditLog /var/log/apache2/modsec_audit.log
    SecAuditLogType Serial

Collected Log Types
| Log Type | Security Use | Priority |
|---|---|---|
| Access logs | SQL injection, XSS, path traversal detection | Critical |
| Error logs | Attack attempt identification, server errors | High |
| ModSecurity audit | WAF rule matches, blocked attacks | Critical |
| 4xx responses | Directory scanning, enumeration attempts | Medium |
| 5xx responses | Application errors, potential DoS | High |
| User-Agent analysis | Bot detection, known attack tools | Medium |
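
As an added example (not KYRA's parser or detection rules, and not part of the original page), the sketch below parses lines in the combined format configured above and applies three uses from the table: path traversal and SQL injection matching on the decoded request target, and per-client 404 bursts. The signatures, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Mirrors the page's LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?:\d+|-) "(?:[^"\\]|\\.)*" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Illustrative signatures only (assumption); real rule sets are far broader.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
    "sqli": re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
}
SCAN_404_THRESHOLD = 3  # assumed cut-off, sized for the sample below

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [10/Oct/2024:13:55:36 +0900] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2024:13:55:40 +0900] "GET /download?file=..%2f..%2fetc%2fpasswd HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2024:13:55:41 +0900] "GET /item?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2024:13:56:01 +0900] "GET /admin HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.5 - - [10/Oct/2024:13:56:01 +0900] "GET /backup.zip HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.5 - - [10/Oct/2024:13:56:02 +0900] "GET /old/ HTTP/1.1" 404 196 "-" "-"',
    # Common (not combined) format: no Referer/User-Agent fields, so it fails to parse.
    '192.0.2.10 - - [10/Oct/2024:13:57:00 +0900] "GET /index.html HTTP/1.1" 200 2326',
]

def analyze(lines):
    """Return (findings, unparsed_count) for combined-format access log lines."""
    findings, not_found, unparsed = [], Counter(), 0
    for line in lines:
        m = COMBINED.match(line.strip())
        if m is None:
            unparsed += 1  # wrong LogFormat or a truncated line
            continue
        parts = m["request"].split(" ")
        target = parts[1] if len(parts) >= 2 else m["request"]
        decoded = unquote(unquote(target))  # also undo double URL-encoding
        for name, rx in SIGNATURES.items():
            if rx.search(decoded):
                findings.append((m["host"], name))
        if m["status"] == "404":
            not_found[m["host"]] += 1
    findings += [(h, "dir_scan") for h, n in sorted(not_found.items()) if n >= SCAN_404_THRESHOLD]
    return findings, unparsed

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A non-zero unparsed count on real data usually points at a virtual host still logging in a format other than combined.
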
Troubleshooting
No Logs Received
- Verify Apache is writing to the expected log paths (/var/log/apache2/)
- Check the rsyslog configuration references the correct file paths
- Ensure port 514 is open between the server and collector
- Restart rsyslog after config changes: sudo systemctl restart rsyslog
Logs Not Parsing
- Ensure the combined log format is configured in your virtual hosts
- On CentOS/RHEL, log paths may be /var/log/httpd/ instead of /var/log/apache2/
For additional help, contact kyra@seekerslab.com.