We write all of our apache logs to an application ErrorLog "|/path/to/our/script site.fqdn.name error" LogFormat "%h %l %u %t \"%r\" %>s %b" common CustomLog "|/path/to/our/script site.fqdn.name access" common This script just writes the log line to syslog via script specific syslog API with an application name of httpd and a line prefix of access: site.fqdn.name: or error: site.fqdn.name: This allows the receiving end (central syslog server) to strip off the header and recreate files specific to each virtual host access_site.fqdn.name_datestamp error_site.fqdn.name_datestamp And these destination files will have the EXACT content that apache would have logged to disk on the source server. This permits us to feed web analytic tools in real time and provide them the exact source logs that these tools support. Works for us. Evan. On 05/07/2018 08:58 AM, Gergely Nagy wrote:
"Delon" == Delon Lee Di Lun <lee.delon2005@gmail.com> writes: Delon> In response to gergely, the 2nd option would require the changes to be made Delon> on the "apache side" of things right? If so, its unlikely possible in my Delon> use case.
No, you can do that with rsyslog and syslog-ng too. Both allow you to tinker with the syslog headers.
Ideally, changing the Apache-generated log format to conform to a syslog RFC would be ideal, but I understand that's not something most are willing - or able/allowed - to make. So the next best option is to fiddle with the syslog fields on the syslog side of things.