You can use this document to add a remote log collector to an Apache HTTP Server remote device (log source). 

Pre-deployment considerations

For remote log collection, you must have Log Relay added to your account.  

Create A Remote Log Source

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click External Sources.
  3. Click Log Relay Source.
  4. Click the plus ( + ) sign. 
  5. Complete the missing fields:
    1. In Endpoint, select the available Armor Endpoint.
    2. In Log Source Type, select Apache HTTP Server.
    3. In Hostname, enter the system hostname that matches the system for syslog collection. For example, in "Mar 10 08:52:55 node-77 systemd: < redacted >", the hostname would be node-77.

      1. The hostname is case-sensitive and must use the same letter casing as the logs that are sent to this log source.
    4. In Protocol, select TLS Syslog.
  6. Click Save Log Source.
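
To confirm the value for the Hostname field, the following added example (not part of the original page or Armor's tooling) extracts the hostname from traditional syslog lines and compares it, case-sensitively, with the configured value. The function names and the sample lines are constructed for illustration, and the script assumes the "Mmm dd hh:mm:ss host tag:" layout shown in the Hostname step.

```shell
#!/bin/sh
# Added example: check that the hostname in syslog lines matches the value
# entered in the Hostname field, including letter case.

# Print the hostname field of a traditional syslog line:
# "Mmm dd hh:mm:ss HOSTNAME tag: message". awk's default field splitting
# copes with the double space used for single-digit days ("Mar  1").
syslog_hostname() {
    printf '%s\n' "$1" | awk 'NF >= 4 { print $4 }'
}

# Compare one log line against the configured hostname.
# Prints one of: match | case-mismatch | mismatch | unparsed
check_hostname() {
    configured=$1
    line=$2
    found=$(syslog_hostname "$line")
    if [ -z "$found" ]; then
        echo unparsed
    elif [ "$found" = "$configured" ]; then
        echo match
    elif [ "$(printf '%s' "$found" | tr '[:upper:]' '[:lower:]')" = \
           "$(printf '%s' "$configured" | tr '[:upper:]' '[:lower:]')" ]; then
        # Same name, different casing: the log source would not match it.
        echo case-mismatch
    else
        echo mismatch
    fi
}

# Summarise a log stream on stdin: line count per result and hostname seen.
audit_stream() {
    configured=$1
    while IFS= read -r line; do
        printf '%s %s\n' "$(check_hostname "$configured" "$line")" \
                         "$(syslog_hostname "$line")"
    done | sort | uniq -c
}

# Constructed sample lines (the first is the example from the Hostname step).
SAMPLE='Mar 10 08:52:55 node-77 systemd: < redacted >
Mar  1 09:00:01 Node-77 sshd[812]: constructed sample
Mar 10 09:00:02 web-01 httpd[900]: constructed sample'

printf '%s\n' "$SAMPLE" | audit_stream node-77
```

Any line reported as case-mismatch comes from a host whose name differs from the Hostname field only in letter casing, which is the condition the note under the Hostname step describes.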

Implement Server

Before you begin, ensure that the following packages are installed:

  • rsyslog-gnutls
    • apt-get install -y rsyslog-gnutls
  1. Create a directory to hold the Armor PEM file: 
  2. Change to the newly created directory: 
  3. Download the Armor PEM files: 
  4. Create a file called /etc/rsyslog.d/54-nginx.conf with the template below. 
  5. Create a file called /etc/rsyslog.d/55-armor.conf with the template below. 
  6. Ensure that the rsyslog configuration has no syntax errors:

  7. Restart rsyslog: 

  8. Verify.