change from rsyslog to syslog-ng
Hello everybody! I finished to configure my syslog system. I am using rsyslog on clients side and syslog-ng on the server side. It works well, but I have a little problem with Apache vhosts logs. I want to send all vhosts logs to my syslog-ng server, but I don't know how to do with rsyslog. Is possible to do with syslog-ng? My Apache logs are configured this way: ErrorLog /var/www/domain1/log/error.log LogLevel warn SetEnvIf Remote_Addr "x\.x\.x\.x" dontlog SetEnvIf Remote_Addr "y\.y\.y\.y" dontlog CustomLog /var/www/domain1/log/access.log common env=!dontlog On the same machine I have lots of vhost logs: /var/www/domain1/log/error.log /var/www/domain1/log/access.log /var/www/domain2/log/error.log /var/www/domain2/log/access.log /var/www/domain3/log/error.log /var/www/domain3/log/access.log ... Is preferable to change all rsyslog to syslog-ng? Thanks for your great help. Best regards.
On 2011-07-08, Josu Lazkano wrote:
I want to send all vhosts logs to my syslog-ng server, but I don't know how to do with rsyslog. Is possible to do with syslog-ng? My Apache logs are configured this way: ErrorLog /var/www/domain1/log/error.log CustomLog /var/www/domain1/log/access.log common env=!dontlog
On the same machine I have lots of vhost logs: /var/www/domain1/log/error.log [...] /var/www/domain3/log/access.log
First of all - I'm not familiar with rsyslog, so I'll focus on syslog-ng side; sorry about that. Globbing in file() source driver is - as far as I recall - only available in syslog-ng PE. If you'd like syslog-ng OSE to follow all your logfiles, you'd have to specify every path to every log file. This is hard to manage. You have another possibility, though: you can include vhost name in your CustomLog format, and put all accesslogs into one file (which you can then easily follow with syslog-ng, or even use a pipe() instead), so it looks like this: domain1.com i.p.add.ress - - [10/Jun/.... domain2.com ano.ther.i.p - - [10/Jun/.... Send this to your central syslog-ng server, and there you can split the vhost name and the rest of the line (ie. using csv parser). Then use the first field (vhost name) as a macro in the filename template of your file() destination. This approach has been demonstrated on many blog notes (can't recall exact URLs at the moment, so apologies to those whose I should mention here). It has one drawback, however. In Apache HTTPd, you cannot use custom log formats for anything else than access log. This applies to all 1.3, 2.0 and 2.x branches and is a major PITA, because it forces you either to use different ErrorLog for every vhost (which in turn makes apache use a lot of file descriptors), or use single destination (file, or syslog - yes, apache can log errorlog directly to syslog) for all vhosts, but this has the drawback of not knowing which log message corresponds to which vhost. What I did to workaround this problem - I've patched apache sources to include ServerName (a.k.a. vhost) in every errorlog message in a hardcoded, non-runtime-configurable format, and then applied the same logic as I use for accesslogs. If anyone has another solution or sees flaws in mine - I'd be more than happy to hear their thoughts on that. HTH -- Jakub Jankowski|shasta@toxcorp.com|http://toxcorp.com/ GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
participants (2)
-
Jakub Jankowski
-
Josu Lazkano