<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3562" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=218061800-22072009>Yes, first you need to get Apache to send its messages
into the syslog system. That's the key. Once the messages are
in the system you will be able to instruct syslog-ng to filter
them any way you want and send them anywhere you want. It's very
flexible.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=218061800-22072009></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=218061800-22072009>Joe.</SPAN></FONT></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> syslog-ng-bounces@lists.balabit.hu
[mailto:syslog-ng-bounces@lists.balabit.hu] <B>On Behalf Of </B>lance
raymond<BR><B>Sent:</B> 21 July 2009 20:49<BR><B>To:</B> Syslog-ng users' and
developers' mailing list<BR><B>Subject:</B> Re: [syslog-ng] Before the basic 101
questions<BR></FONT><BR></DIV>
<DIV></DIV>lol on the signature line! But thanks. I am
going to end this thread with this last question (and answer) then move to the
next. I will have to look at a filter then as I don't want ALL the
messages to goto the remote log, just the apache ones. Wait as I type and
think. I will in fact have apache write them to /var/log/messages, but
there will be a filter setup (somehow) to take the web-ones, and based on that
filter use a different destination (that is part 2)..<BR><BR>Right? Please
say right, please say right... And yes if so, It's more the apache URL
posted a bit earlier to read and undersand to send the logs to syslog not the
actual file. My head hurts :(<BR><BR>
<DIV class=gmail_quote>On Tue, Jul 21, 2009 at 2:23 PM, Fegan, Joe <SPAN
dir=ltr><<A href="mailto:Joe.Fegan@hp.com">Joe.Fegan@hp.com</A>></SPAN>
wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>I
think you're missing part of the picture. Apache writes its messages to
private log files and what you are trying to do (though I'm not sure you know
that) is feed the live content of those files into the syslog-ng logging
system in real time. Once you get that feed into syslog-ng working
then yes forwarding syslog-ng messages to a remote location is fairly
straightforward and people will be able to give you lots of example of how to
do that. But you need to get step one working first.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>So I think
you need to adopt a three phase approach. First get your Apache logs feeding
into syslog-ng on the local nodes and thereby appearing in /var/log/messages.
Once you have that working, figure how to filter them out from the
rest of the syslog traffic and send them to local files written by syslog-ng.
Third figure out how to send them to a remote server.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Those are
my thoughts anyway, your mileage may vary.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Joe.</FONT></SPAN></DIV><BR>
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2>
<DIV class=im><B>From:</B> <A href="mailto:syslog-ng-bounces@lists.balabit.hu"
target=_blank>syslog-ng-bounces@lists.balabit.hu</A> [mailto:<A
href="mailto:syslog-ng-bounces@lists.balabit.hu"
target=_blank>syslog-ng-bounces@lists.balabit.hu</A>] <B>On Behalf Of
</B>lance raymond<BR></DIV><B>Sent:</B> 21 July 2009 16:33
<DIV>
<DIV></DIV>
<DIV class=h5><BR><B>To:</B> Syslog-ng users' and developers' mailing
list<BR><B>Subject:</B> Re: [syslog-ng] Before the basic 101
questions<BR></DIV></DIV></FONT><BR></DIV>
<DIV>
<DIV></DIV>
<DIV class=h5>
<DIV></DIV>Not sure on that last post. Each webserver's vhosts name the
logs in the following manner (ws =
webserver);<BR>ws1.sitename.com-access<BR>ws1.sitename,com-error<BR>ws1.othersite.com-access
... and so on. <BR><BR>So I simply want to send every file (rather than
logging local) to goto the central. When I look at the central, I will
have only log folder
with;<BR>ws1.sitename.com-access<BR>ws2.sitename.com-access ... and so
on<BR><BR>The post above noticed I was doing a folder (/var/log/apache2) where
I don't know if you can say for the source /var/log/apache2/* or
something.<BR><BR>I am also puzzled as this to me is a real basic thing.
Take ALL apache logs and send to remote box. No-one has come and said,
here is my config and it works fine. Just something that I can look at
an entire server and client to see how it's done (which is why I posted
mine).<BR><BR>Really thought this was an easy thing. Even using
webmin. There is no clear cut, a server is setup like this, remote
client like that. Fustrating is not even the start of how to describe
this, but thanks for all replies so far.<BR><BR>
<DIV class=gmail_quote>On Tue, Jul 21, 2009 at 3:44 AM, Siem Korteweg <SPAN
dir=ltr><<A href="mailto:Siem.Korteweg@qnh.nl"
target=_blank>Siem.Korteweg@qnh.nl</A>></SPAN> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">Lance,<BR><BR>Depending
on how you want to process the collected logfiles, you can also<BR>configure
Apache:<BR><BR>ErrorLog syslog:local1<BR>CustomLog "|/usr/bin/logger -t
apache -i -p local6.notice" combined<BR><BR>This can be done global (for all
virtual hosts) or per virtual host. How to<BR>add the name of the virtual
host to the messages in the access logs can be<BR>found here: <A
href="http://httpd.apache.org/docs/2.0/logs.html"
target=_blank>http://httpd.apache.org/docs/2.0/logs.html</A><BR><BR>All that
remains to be done is to forward syslog from the client with
the<BR>webservers to the syslog-ng server.<BR><BR>regards,<BR><BR>Siem
Korteweg<BR><BR>-----Oorspronkelijk bericht-----<BR>Van: <A
href="mailto:syslog-ng-bounces@lists.balabit.hu"
target=_blank>syslog-ng-bounces@lists.balabit.hu</A> namens lance
raymond<BR>Verzonden: di 21-7-2009 4:07<BR>Aan: Syslog-ng users' and
developers' mailing list<BR>Onderwerp: Re: [syslog-ng] Before the basic 101
questions<BR>
<DIV>
<DIV></DIV>
<DIV><BR>Joe, thanks for the update. Yes, that is the directory
name. Now<BR>regarding the "file", I will start a little more reading,
but I don't think<BR>I would have to do this for each file right? This
server (along with the<BR>others in the cluster) have 12 or so virtual
sites, each with it's own<BR>access and error log, so that would be at least
24 'file' sources. Is there<BR>a way to wildcard it?<BR><BR>Also, (I
know this too is a basic Q) but are these defined on the<BR>server/client or
both? I still don't see how they mesh, but soon, oh soon<BR>when that
light comes on!<BR><BR>Thanks<BR><BR>On Mon, Jul 20, 2009 at 8:38 PM, Fegan,
Joe <<A href="mailto:Joe.Fegan@hp.com"
target=_blank>Joe.Fegan@hp.com</A>> wrote:<BR><BR>> I'm no
apache expert, but I think /var/log/apache2 is the name of a<BR>>
directory that contains apache log files, right? But you have defined it
as<BR>> a unix-stream source:<BR>><BR>> source inputs {
internal();<BR>>
unix-stream("/var/log/apache2");<BR>>
udp();<BR>>
tcp(max_connections(100)); };<BR>><BR>>
unix-stream is for reading a socket, not a directory, so this can't
work...<BR>><BR>> You can use "file" sources for individual files in
that directory..<BR>><BR>>
------------------------------<BR>> *From:* <A
href="mailto:syslog-ng-bounces@lists.balabit.hu"
target=_blank>syslog-ng-bounces@lists.balabit.hu</A> [mailto:<BR>> <A
href="mailto:syslog-ng-bounces@lists.balabit.hu"
target=_blank>syslog-ng-bounces@lists.balabit.hu</A>] *On Behalf Of *lance
raymond<BR>> *Sent:* 20 July 2009 21:52<BR>> *To:* Syslog-ng users'
and developers' mailing list<BR>> *Subject:* Re: [syslog-ng] Before the
basic 101 questions<BR>><BR>> ok, here is the update. I have built a
standalone ubuntu box to be the<BR>> central server so now have that I
can 'play' with. It's a clean<BR>install,and<BR>> really not sure
what to do as this list seems to be the best resource. So,<BR>> I
would think you can specify 'a' logfile, but I need ALL the apache
logs<BR>> centrally located, so going to say, take everything from
/var/log/apache2<BR>> and send it to the central log
server.<BR>><BR>> The central log server as I said is a default setup,
due to size, I copied<BR>> them up to a play webserver, the server can be
seen here;<BR></DIV></DIV>> server.conf <<A
href="http://www.darkerforce.com/server.conf"
target=_blank>http://www.darkerforce.com/server.conf</A>><BR>
<DIV>> and the client here (the only thing changed is the remote
IP)<BR></DIV>> client.conf <<A
href="http://www.darkerforce.com/client.conf"
target=_blank>http://www.darkerforce.com/client.conf</A>><BR>
<DIV>
<DIV></DIV>
<DIV>><BR>> When left like that and syslog-ng is started on the client
I get the<BR>> following;<BR>><BR>> Error binding socket;
addr='AF_UNIX(/var/log/apache2)', error='Address<BR>> already in use
(98)'<BR>> Error initializing source driver;
source='inputs'<BR>><BR>> As I said before, I am not looking for
anything complex, etc. Just want<BR>> ALL the weblogs to goto one
box which is really the function of syslog-ng.<BR>> I am sure there is
one or two things that need a tweak, and I can go from<BR>>
there.<BR>><BR>> Thanks.<BR>><BR>><BR>> On Wed, Jul 15, 2009
at 3:45 AM, Sandor Geller <<BR>> <A
href="mailto:Sandor.Geller@morganstanley.com"
target=_blank>Sandor.Geller@morganstanley.com</A>>
wrote:<BR>><BR>>> Hi,<BR>>><BR>>> On Tue, Jul 14, 2009
at 10:06 PM, lance raymond<<A href="mailto:lance.raymond@gmail.com"
target=_blank>lance.raymond@gmail.com</A>><BR>>> wrote:<BR>>>
> What I thought of was to make each file unique;<BR>>> > ws =
webserver;<BR>>> ><BR>>> >
ws1.domain.com-access_log<BR>>> >
ws2.domain.com-access_log<BR>>> ><BR>>> > and just write
them each to an nfs share.<BR>>><BR>>> It'd not the name of the
files which matter. When a single process<BR>>> (like syslog-ng)
writes to a file then NFS behaves well. The problems<BR>>> start when
there are multiple processes trying to access the same<BR>>> file.
Disabling attribute caching in the NFS client could help, but<BR>>>
this could have a big impact on performance.<BR>>><BR>>> >
Not flaming the group at all, actually Bazsi your name shows up
more<BR>>> than<BR>>> > any of my normal mail :) But,
I have tried twice with a reply or two,<BR>>> and<BR>>> >
once conf files were sent up and/or shown the thread died. I see
some<BR>>> very<BR>>> > intersting questions, answers on the
group and it would be nice to see<BR>>> some<BR>>> > of these
things, but really, I am talking about a handful of webservers<BR>>>
> (nothing fancy) just to write to a central log and it's not
working.<BR>>> The<BR>>> > basic syslog @server worked
perfect, since the platform updates, just<BR>>> not<BR>>> >
working, but I appreciate the reply.<BR>>><BR>>> So could you
please tell what is the actual problem?<BR>>><BR>>>
Regards,<BR>>><BR>>>
Sandor<BR>>><BR>>><BR>_____________________________________________________________________________<BR>_<BR>>>
Member info: <A href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
target=_blank>https://lists.balabit.hu/mailman/listinfo/syslog-ng</A><BR>>>
Documentation:<BR>>> <A
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
target=_blank>http://www.balabit.com/support/documentation/?product=syslog-ng</A><BR>>>
FAQ: <A href="http://www.campin.net/syslog-ng/faq.html"
target=_blank>http://www.campin.net/syslog-ng/faq.html</A><BR>>><BR>>><BR>><BR>><BR>><BR>_____________________________________________________________________________<BR>_<BR>>
Member info: <A href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
target=_blank>https://lists.balabit.hu/mailman/listinfo/syslog-ng</A><BR>>
Documentation:<BR>> <A
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
target=_blank>http://www.balabit.com/support/documentation/?product=syslog-ng</A><BR>>
FAQ: <A href="http://www.campin.net/syslog-ng/faq.html"
target=_blank>http://www.campin.net/syslog-ng/faq.html</A><BR>><BR>><BR>><BR><BR></DIV></DIV><BR>______________________________________________________________________________<BR>Member
info: <A href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
target=_blank>https://lists.balabit.hu/mailman/listinfo/syslog-ng</A><BR>Documentation:
<A href="http://www.balabit.com/support/documentation/?product=syslog-ng"
target=_blank>http://www.balabit.com/support/documentation/?product=syslog-ng</A><BR>FAQ:
<A href="http://www.campin.net/syslog-ng/faq.html"
target=_blank>http://www.campin.net/syslog-ng/faq.html</A><BR><BR><BR></BLOCKQUOTE></DIV><BR></DIV></DIV></DIV><BR>______________________________________________________________________________<BR>Member
info: <A href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
target=_blank>https://lists.balabit.hu/mailman/listinfo/syslog-ng</A><BR>Documentation:
<A href="http://www.balabit.com/support/documentation/?product=syslog-ng"
target=_blank>http://www.balabit.com/support/documentation/?product=syslog-ng</A><BR>FAQ:
<A href="http://www.campin.net/syslog-ng/faq.html"
target=_blank>http://www.campin.net/syslog-ng/faq.html</A><BR><BR><BR></BLOCKQUOTE></DIV><BR></BODY></HTML>