The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

This content pack is designed for Apache Tomcat servers running on Ubuntu systems. It parses and configures both Apache Tomcat access logs and Catalina logs.

Supported Version(s)

  • Tested with Apache Tomcat version 11.0.5

Requirements

  • The supported log delivery is via Filebeat with Graylog Sidecar.

  • The pack only supports Ubuntu and Linux versions with the same path and file structure.

  • The pack only supports the standard log folder for Ubuntu.

Stream Configuration

This technology pack includes one stream:

  • "Illuminate:Apache Tomcat Device Messages"

Hint: If this stream does not exist before the pack is activated, it will be created, and messages will be routed to it and to the associated index set. No stream rules should be configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • "Apache Tomcat Logs"

Hint: If this index set is already defined, then nothing will be changed. Index settings can be adjusted as required after installation.

What is Provided?

  • Parsing rules to extract Apache Tomcat logs into Graylog schema-compatible fields. Apache Tomcat logs receive the GIM code 180200 (http.communication).

Log Format Example

Access Logs

34.20.30.15 - - [28/Mar/2025:23:34:30 +0000] "PUT /stefan.session HTTP/1.1" 201 -

11.20.29.124 - admin [02/Mar/2023:18:58:17 +0530] "POST /host-manager/images/asf-logo.svg HTTP/1.1" 200 20486 X 400 "http://localhost:8080/host-manager/html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" X-Forwarded-For="127.0.0.1"

Catalina Logs

26-Mar-2025 15:27:08.188 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
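As an added illustration (not code from this content pack or from Graylog), the following Python parser shows the kind of field extraction the pack performs on the access and Catalina lines above, tagging access events with the GIM code 180200 named in the pack description. The sample lines are constructed from the formats shown, and the GIM-style field names are an assumption for illustration, not the pack's exact output.

```python
import re
from datetime import datetime

GIM_HTTP_COMMUNICATION = 180200  # GIM code the page assigns to Tomcat logs
# Constructed sample lines shaped like the access and Catalina formats shown above.
ACCESS_LINE = ('11.20.29.124 - admin [02/Mar/2023:18:58:17 +0530] "POST /host-manager/images/asf-logo.svg HTTP/1.1" '
               '200 20486 X 400 "http://localhost:8080/host-manager/html" "Mozilla/5.0 (Windows NT 10.0)" X-Forwarded-For="127.0.0.1"')
CATALINA_LINE = '26-Mar-2025 15:27:08.188 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]'

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)(?P<rest>.*)$')
XFF_RE = re.compile(r'X-Forwarded-For="([^"]*)"')
QUOTED_RE = re.compile(r'"([^"]*)"')
CATALINA_RE = re.compile(
    r'^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<level>[A-Z]+) '
    r'\[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$')

def parse_access(line):
    """Common-log prefix is mandatory; referrer, user agent and XFF are optional extras."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    fields = {"gim_event_type_code": GIM_HTTP_COMMUNICATION, "source_ip": m["src"],
              "user_name": None if m["user"] == "-" else m["user"],
              "timestamp": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").isoformat(),
              "http_method": m["method"], "http_url_path": m["path"],
              "http_response_code": int(m["status"]),
              "http_response_bytes": 0 if m["bytes"] == "-" else int(m["bytes"])}
    rest = m["rest"]
    xff = XFF_RE.search(rest)
    if xff:  # strip XFF first so its quoted value is not mistaken for a referrer
        fields["http_xff"] = xff.group(1)
        rest = rest[:xff.start()]
    quoted = QUOTED_RE.findall(rest)  # referrer, then user agent, when present
    for name, value in zip(("http_referrer", "http_user_agent"), quoted):
        fields[name] = value
    return fields

def parse_catalina(line):
    m = CATALINA_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f").isoformat(timespec="milliseconds")
    return {"timestamp": ts, "event_severity": m["level"], "thread_name": m["thread"],
            "event_log_name": m["logger"], "message": m["msg"]}

def is_manager_access(fields):
    """Requests to the manager or host-manager apps usually deserve their own alert."""
    return (fields or {}).get("http_url_path", "").startswith(("/manager", "/host-manager"))
```

Lines that match neither pattern (for example Tomcat error logs, which the pack does not parse either) come back as None rather than half-filled records.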

Input via Filebeat together with Graylog Sidecar

Please use the official Graylog Sidecar documentation to configure your Graylog server and your client(s).

  1. Create an input and an API key and set up Graylog Sidecar.

  2. Add your client(s), e.g. web server.

Hint: It is possible to run the Apache Tomcat Server and Graylog on the same machine.

Graylog Server Settings

1. Create a global Beats input in Graylog.

2. Create a Graylog REST API access token and save it.

3. Create a (Linux) Filebeat configuration under Sidecar > Configuration with a "Filebeat on Linux" collector.

4. Configure the file and add:

  • The correct IP (Graylog server IP) under hosts.

  • The log source configured to the desired value and a field event_source_product with the value apache_tomcat.

filebeat.inputs:
- input_type: log
  paths:
    - /opt/tomcat/updated/logs/*
  type: filestream
  fields_under_root: true
  fields:
    event_source_product: apache_tomcat

Warning: There must be exactly two spaces of indentation before event_source_product and before the path entry (- /var...), relative to their parent keys.

This setting pulls all logs from the /opt/tomcat/updated/logs/* folder. If needed, narrow the path so that only the access logs or only the Catalina logs are collected.

5. Finally, save the configuration to complete setup.

Configure a Client with Filebeat and Graylog Sidecar

1. Install Sidecar on the remote machine.

wget https://packages.graylog2.org/repo/packages/graylog-sidecar-repository_1-5_all.deb
sudo dpkg -i graylog-sidecar-repository_1-5_all.deb
sudo apt-get update && sudo apt-get install graylog-sidecar

2. Edit the /etc/graylog/sidecar/sidecar.yml file and configure:

  • server_url: GraylogServerIP

  • server_api_token: Your API token

sudo gedit /etc/graylog/sidecar/sidecar.yml
server_url: "http://192.168.122.52:9000/api/"
server_api_token: "65ol7edseo24mub8o7pu86h2rsr8j9fjjpimtrm9nrpbjso7cnv"

3. Install, enable, and verify the Sidecar service.

sudo graylog-sidecar -service install
sudo systemctl enable graylog-sidecar
sudo systemctl start graylog-sidecar
sudo systemctl status graylog-sidecar

Warning: The provided commands are only examples; use your own IP and API token. For example commands for Ubuntu, refer to the official documentation.

4. Install Filebeat according to the documentation, or use the download link for the OSS version.

  • If you install it manually, install it under /etc/filebeat.

  • If you install it via apt-get, then it is in the correct folder.

Example commands for Ubuntu:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/oss-8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update && sudo apt-get install filebeat
sudo systemctl enable filebeat
sudo systemctl start filebeat
sudo systemctl status filebeat

5. (Optional) Edit the filebeat.yml file as needed. You do this via the Sidecar configuration in the Graylog interface.
6. Start the daemon.
7. If there is a permission issue, you can resolve it with:

sudo chown root filebeat.yml

8. In Graylog, assign a configuration to your machine.

Warning: This pack was tested on Ubuntu and may not work as designed with other Linux-based systems due to different path and file names. Error logs are not parsed.