Pull request overview
Updates the Apache integration documentation to modernize the rsyslog configuration example used to forward Apache access/error logs to Sekoia.io.
Changes:
- Replaces legacy rsyslog `$InputFile*` examples with RainerScript `input()` + `ruleset()` configuration.
- Adjusts tags/state handling and adds a `stop` to prevent further message processing after forwarding.
- Fixes formatting/indentation in the "Further readings" list.
Newest code from squioc has been published to preview environment 🚀 Latest deployment was built on 2026-02-26 08:42:41 (375d4b56bb6e1d444577b23a6882ef07e787e900).
Compare 8862700 to f1bf5fb
Compare f1bf5fb to 9cd1a9d
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.
| target="CONCENTRATOR_FQDN_OR_IP" | ||
| port="REMOTE_PORT" |
The placeholder format is inconsistent with the established convention in this codebase. According to the pattern used in other integration documentation files (bind.md:101, haproxy.md:94, spamassassin.md:89-90), placeholders for rsyslog configuration should use angle brackets with mixed case (e.g., <Concentrator_FQDN_or_IP> and <Remote_Port>), not uppercase without angle brackets. Please change CONCENTRATOR_FQDN_OR_IP to <Concentrator_FQDN_or_IP> and REMOTE_PORT to <Remote_Port> to maintain consistency across the documentation.
| target="CONCENTRATOR_FQDN_OR_IP" | |
| port="REMOTE_PORT" | |
| target="<Concentrator_FQDN_or_IP>" | |
| port="<Remote_Port>" |
| module(load="imfile" PollingInterval="5") | ||
| module(load="omfwd") | ||
|
|
||
| input( | ||
| type="imfile" | ||
| File="/var/log/apache2/error.log" | ||
| Tag="apache-error:" | ||
| Facility="local5" | ||
| Severity="error" | ||
| StateFile="stat-apache-error" | ||
| PersistStateInterval="200" | ||
| Ruleset="apache-logs" | ||
| ) | ||
|
|
||
| input( | ||
| type="imfile" | ||
| File="/var/log/apache2/access.log" | ||
| Tag="apache-access:" | ||
| Facility="local5" | ||
| Severity="notice" | ||
| StateFile="stat-apache-access" | ||
| PersistStateInterval="200" | ||
| Ruleset="apache-logs" | ||
| ) | ||
|
|
||
| ruleset(name="apache-logs") { | ||
| # Forward to remote concentrator | ||
| action( | ||
| type="omfwd" | ||
| target="CONCENTRATOR_FQDN_OR_IP" | ||
| port="REMOTE_PORT" | ||
| protocol="tcp" | ||
| TCP_Framing="octet-counted" | ||
| ) | ||
| # Prevent further processing of these messages | ||
| stop | ||
| } |
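Review bot: the error-log input sets `Severity="error"` for every line it reads, but Apache's error.log also carries warn, notice and info entries, and imfile stamps the configured severity on all of them; the text should say that this value is a fixed label, not the line's real level, so nobody builds severity-based filtering on it downstream. Two smaller points in the same hunk: `PollingInterval="5"` on `module(load="imfile" ...)` only matters in imfile's polling mode (on Linux the module defaults to inotify), so either drop it or mention that it is a fallback; and since both inputs are bound with `Ruleset="apache-logs"`, they never reach the default ruleset, so the `stop` is belt-and-braces rather than required, which the comment `# Prevent further processing of these messages` could state.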
The code block content has extra indentation that should be removed. The rsyslog configuration lines (starting from line 75) should not have the leading 8 spaces of indentation. In markdown code blocks, the content should start at the left margin (or with minimal consistent indentation). Compare with similar examples in auditbeat_linux.md:234-254 or varonis_data_security.md:58-76 where the code block content starts at the left margin without extra indentation.
| module(load="imfile" PollingInterval="5") | |
| module(load="omfwd") | |
| input( | |
| type="imfile" | |
| File="/var/log/apache2/error.log" | |
| Tag="apache-error:" | |
| Facility="local5" | |
| Severity="error" | |
| StateFile="stat-apache-error" | |
| PersistStateInterval="200" | |
| Ruleset="apache-logs" | |
| ) | |
| input( | |
| type="imfile" | |
| File="/var/log/apache2/access.log" | |
| Tag="apache-access:" | |
| Facility="local5" | |
| Severity="notice" | |
| StateFile="stat-apache-access" | |
| PersistStateInterval="200" | |
| Ruleset="apache-logs" | |
| ) | |
| ruleset(name="apache-logs") { | |
| # Forward to remote concentrator | |
| action( | |
| type="omfwd" | |
| target="CONCENTRATOR_FQDN_OR_IP" | |
| port="REMOTE_PORT" | |
| protocol="tcp" | |
| TCP_Framing="octet-counted" | |
| ) | |
| # Prevent further processing of these messages | |
| stop | |
| } | |
| ruleset(name="apache-logs") { | ||
| # Forward to remote concentrator | ||
| action( | ||
| type="omfwd" | ||
| target="CONCENTRATOR_FQDN_OR_IP" | ||
| port="REMOTE_PORT" | ||
| protocol="tcp" | ||
| TCP_Framing="octet-counted" | ||
| ) |
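Review bot: the `omfwd` action has no retry or queue settings, so when the concentrator is unreachable rsyslog suspends the action after its default retry budget and messages are lost, which for access and error logs means gaps in the audit trail. Suggest adding `action.resumeRetryCount="-1"` together with a disk-assisted queue (`queue.type="LinkedList"`, `queue.filename="apache-logs-fwd"`, `queue.saveOnShutdown="on"`) inside the `action(...)` block, and a sentence in the text saying that `TCP_Framing="octet-counted"` must match what the receiving concentrator is configured to accept.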
The example omfwd action forwards Apache logs over plain TCP without any transport encryption, which can expose log contents (URLs, cookies, tokens, or other sensitive data) to interception by an attacker on the network path. An adversary with access to the network between the Apache host and CONCENTRATOR_FQDN_OR_IP could passively capture or tamper with these logs. Consider documenting a configuration that uses TLS (e.g., gtls stream driver and certificate validation) for remote log forwarding, or clearly scoping this example to trusted, isolated networks where plaintext is acceptable.
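A forwarding ruleset that answers the transport-encryption point above, added here as an example; it is not code from the pull request or from the Sekoia.io documentation. It keeps the two `imfile` inputs and the `apache-logs` ruleset from the PR, wraps the `omfwd` action in TLS with the `gtls` stream driver, and adds a disk-assisted queue so logs survive a concentrator outage. The certificate paths under `/etc/rsyslog.d/tls/` and the `<Concentrator_FQDN>` placeholder are assumptions; `x509/name` authentication checks the peer's certificate name, so `target` has to be the FQDN that appears in the concentrator's certificate, not an IP.

```rsyslog
# Added example, not the PR's own text. Requires the rsyslog-gnutls package
# (or the equivalent gtls driver build) on the Apache host.
global(
    DefaultNetstreamDriver="gtls"
    # Assumed paths: CA that signed the concentrator's certificate, plus the
    # client certificate/key presented to it.
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/apache-host-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/apache-host-key.pem"
)

module(load="imfile")
module(load="omfwd")

# Same inputs as in the pull request; the Severity values are fixed labels,
# not the level parsed from each Apache line.
input(
    type="imfile"
    File="/var/log/apache2/error.log"
    Tag="apache-error:"
    Facility="local5"
    Severity="error"
    StateFile="stat-apache-error"
    PersistStateInterval="200"
    Ruleset="apache-logs"
)

input(
    type="imfile"
    File="/var/log/apache2/access.log"
    Tag="apache-access:"
    Facility="local5"
    Severity="notice"
    StateFile="stat-apache-access"
    PersistStateInterval="200"
    Ruleset="apache-logs"
)

ruleset(name="apache-logs") {
    action(
        type="omfwd"
        # Must match the CN/SAN in the concentrator's certificate (assumed placeholder).
        target="<Concentrator_FQDN>"
        port="<Remote_Port>"
        protocol="tcp"
        TCP_Framing="octet-counted"
        # TLS with peer authentication: mode 1 = TLS only, refuse plaintext.
        StreamDriver="gtls"
        StreamDriverMode="1"
        StreamDriverAuthMode="x509/name"
        StreamDriverPermittedPeers="<Concentrator_FQDN>"
        # Keep retrying forever and spool to disk while the peer is unreachable.
        action.resumeRetryCount="-1"
        queue.type="LinkedList"
        queue.filename="apache-logs-fwd"
        queue.saveOnShutdown="on"
    )
    # Inputs are already bound to this ruleset; stop is belt-and-braces.
    stop
}
```

The concentrator side must be listening with a matching TLS configuration (its own `gtls` listener, a certificate whose name equals `StreamDriverPermittedPeers`, and the same CA) for the handshake to succeed; with `StreamDriverMode="1"` rsyslog will not fall back to plaintext if it does not.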
No description provided.