Web servers face escalating security threats, with organizations experiencing a 75% increase in weekly cyberattacks. Traditional rule-based intrusion detection systems struggle to identify novel attack patterns, requiring manual updates for each new threat. We present a real-time anomaly detection system that combines machine learning with stream processing to automatically detect anomalies in Apache web server logs. Through systematic evaluation of ten algorithms across classical and deep learning paradigms, we identify optimal configurations through hyperparameter optimization. Our optimized Support Vector Data Description model achieves an F1-Score of 0.975, demonstrating a 41% improvement over the professional Wazuh SIEM system. The system processes production logs with end-to-end latency under 2 seconds using Apache Kafka. Feature selection reveals that five characteristics capture 89% of detection capability while reducing complexity by 88.6%. However, generalization to unseen attack types remains challenging, with 65.8% average performance degradation in Leave-One-Attack-Out evaluation. This work provides practical insights for deploying ML-based intrusion detection in production environments.