Configuring the export of Angie events

To configure the export of Angie events:

  1. Check the configuration file for any syntax errors by running the following command:

    sudo angie -t

  2. If the syntax check is successful (the output contains the message test is successful), back up the original configuration file using the following command:

    sudo cp /etc/angie/angie.conf /etc/angie/angie_backup.conf

  3. Open the angie.conf configuration file by running the following command:

    sudo vi /etc/angie/angie.conf

    By default, the standard angie.conf configuration file is stored in the /etc/angie directory.

    If the Angie web server runs with a non-standard configuration file, open that file instead. You can locate it using the following command:

    sudo angie -V

    The location of the file is specified in the --config-path option.

  4. Make sure that the http context contains the include directive, which lets you manage the configuration using child configuration files:

    include /etc/angie/http.d/*.conf;

  5. Create the angie-to-siem.conf configuration file in the /etc/angie/http.d/ directory by running the following command:

    sudo touch /etc/angie/http.d/angie-to-siem.conf

  6. Open the angie-to-siem.conf configuration file by running the sudo vi /etc/angie/http.d/angie-to-siem.conf command.
  7. In the log_format directive, specify the format of the events to be sent as follows:

    log_format syslog device_event_category=access_log|time=$time_iso8601|version=$angie_version|http_method=$request_method|req_body=$request_body|uri=$uri|abs_path=$request_filename|status_code=$status|srv_ip=$server_addr|srv_host=$server_name|srv_port=$server_port|srv_proxy_ip=$proxy_protocol_server_addr|srv_proxy_port=$proxy_protocol_server_port|client_ip=$remote_addr|client_port=$remote_port|client_user=$remote_user|client_proxy_ip=$proxy_protocol_addr|client_proxy_port=$proxy_protocol_port|http_context=$request|trace_id=$request_id|scheme=$scheme|bytes_out=$bytes_sent|worker_pid=$pid|user_agent=$http_user_agent|cookie=$http_cookie;

  8. In the access_log directive, specify the method to be used to send event information via Syslog:

    access_log syslog:server=<collector_IP>:<port> syslog;

  9. If you also need to send information about events with errors, add a line with the error_log directive:

    error_log syslog:server=<collector_IP>:<port>;

    The message format from the error_log directive cannot be changed; the message is always sent in the following form:

    YYYY/MM/DD HH:MM:SS [LEVEL] PID#TID: *CID MESSAGE

    where:

    • YYYY/MM/DD is the date in the year/month/day format.
    • HH:MM:SS is the time in the hours:minutes:seconds format.
    • [LEVEL] is the error severity level.
    • PID#TID is the process ID (PID) and thread ID (TID).
    • *CID is the unique connection number (Connection ID).
    • MESSAGE is the text of the error or warning message.
  10. Check the syntax of the configuration file for errors using the sudo angie -t command, as described in step 1 earlier in this section.
  11. Reload the configuration by running the following command:

    sudo service angie reload

The export of events from Angie is configured.
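To check that the events arriving at the collector match the two formats defined above, here is an added Python parser (example code, not part of this page or of Angie) for the pipe-delimited access_log format and the fixed error_log format. The sample lines, host names and addresses are constructed; the parser uses the known list of 25 field names so that a '|' or '=' inside a client-controlled value (cookie, user_agent, req_body) cannot split or overwrite a real field.

```python
import re
from datetime import datetime

# The 25 keys of the page's log_format, used to tell real field boundaries from
# '|' or '=' characters that occur inside client-controlled values.
ACCESS_KEYS = frozenset((
    "device_event_category time version http_method req_body uri abs_path status_code srv_ip "
    "srv_host srv_port srv_proxy_ip srv_proxy_port client_ip client_port client_user client_proxy_ip "
    "client_proxy_port http_context trace_id scheme bytes_out worker_pid user_agent cookie").split())

# Fixed error_log layout: YYYY/MM/DD HH:MM:SS [LEVEL] PID#TID: *CID MESSAGE
# (*CID is matched optionally so that events with no connection context still parse).
ERROR_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): (?:\*(?P<cid>\d+) )?(?P<message>.*)$")

def parse_access_event(line: str) -> dict:
    """Parse one pipe-delimited key=value access event into a dict."""
    fields, last_key = {}, None
    for part in line.rstrip("\n").split("|"):
        key, sep, value = part.partition("=")  # split on the first '=' only
        if sep and key in ACCESS_KEYS and key not in fields:
            fields[key] = value
            last_key = key
        elif last_key is not None:
            # Not a new field: the previous value (cookie, user_agent, req_body, ...)
            # contained a literal '|', or a client repeated an already-seen key.
            fields[last_key] += "|" + part
        else:
            fields.setdefault("_unparsed", []).append(part)
    return fields

def parse_error_event(line: str) -> dict:
    """Parse one error_log event; unmatched lines are kept under '_unparsed'."""
    m = ERROR_RE.match(line.rstrip("\n"))
    if not m:
        return {"_unparsed": line}
    ev = m.groupdict()
    ev["time"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y/%m/%d %H:%M:%S").isoformat()
    return ev

# Constructed sample events (not real captures); the cookie value carries an extra
# '|client_ip=' fragment to show that it does not overwrite the real client_ip field.
SAMPLE_ACCESS = (
    "device_event_category=access_log|time=2024-05-01T12:34:56+00:00|version=1.4.0|http_method=GET"
    "|req_body=-|uri=/app|abs_path=/var/www/app|status_code=200|srv_ip=10.0.0.5|srv_host=example.local"
    "|srv_port=80|srv_proxy_ip=|srv_proxy_port=|client_ip=192.0.2.10|client_port=51234|client_user=-"
    "|client_proxy_ip=|client_proxy_port=|http_context=GET /app?x=1 HTTP/1.1|trace_id=0123456789abcdef"
    "|scheme=http|bytes_out=612|worker_pid=4321|user_agent=curl/8.0|cookie=a=1|client_ip=198.51.100.7")
SAMPLE_ERROR = '2024/05/01 12:34:56 [error] 4321#4321: *17 open() "/var/www/x" failed (2: No such file or directory)'
```

Because the page's log_format places the client-controlled fields last, a repeated key is appended to the preceding value instead of replacing a field that was already set.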
