syslog-ng - Apache Logging
I have Apache logging working via a named pipe, however the log looks like:

Jan 25 14:44:13 $HOSTNAME $VIRTUAL_HOST: 000.000.000.000 - - [25/Jan/2011:14:44:13 -0600] "GET /foo.html HTTP/1.0" 200 24040 "-" "Wget/1.10.2 (Red Hat modified)"

I want to strip the syslog timestamp and $HOSTNAME. However, if I use "template("$MSGONLY\n")", it strips the timestamp, hostname *and* the $virtual_host (obtained from including "%V" in LogFormat and using 'vcommon' on apache server).

Any ideas on how to remove the syslog data but leave the vhost data in place?

Cheers!
On Tue, Jan 25, 2011 at 12:55:06PM -0800, Steven Shepherd wrote:
I have Apache logging working via a named pipe, however the log looks like:
Jan 25 14:44:13 $HOSTNAME $VIRTUAL_HOST: 000.000.000.000 - - [25/Jan/2011:14:44:13 -0600] "GET /foo.html HTTP/1.0" 200 24040 "-" "Wget/1.10.2 (Red Hat modified)"
I want to strip the syslog timestamp and $HOSTNAME. However, if I use "template("$MSGONLY\n")", it strips the timestamp, hostname *and* the $virtual_host (obtained from including "%V" in LogFormat and using 'vcommon' on apache server).
Any ideas on how to remove the syslog data but leave the vhost data in place?
Cheers!
You probably want to look at MSGHDR. The default syslog format is:

By default, syslog-ng sends messages using the following template: $ISODATE $HOST $MSGHDR$MSG\n. (The $MSGHDR$MSG part is written together because the $MSGHDR macro includes a trailing whitespace.)
-- http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...

Make sure to read over the definitions of the vars. You can use rewrites and sets to put the value of these locked (unchangeable) vars into other vars, and then edit the value of the new vars with PCRE and such, to contain just the desired data.

Matthew.
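The two approaches in the reply above, worked out as an added example. This is a syslog-ng 3.x configuration written for this thread, not code from either poster or from the syslog-ng project. It assumes that syslog-ng parsed the leading "%V" token of the Apache line as the $PROGRAM field (which would explain why the rendered line shows "$VIRTUAL_HOST: " with a colon that Apache itself never wrote), and the pipe path, file path and object names are placeholders.

```conf
# Added example (not from the thread). Paths and object names are placeholders.

source s_apache {
    # Apache's vcommon LogFormat with %V first is written into this named pipe.
    pipe("/var/log/apache/access.pipe");
};

# Approach 1: keep syslog-ng's own header macro and drop only $DATE and $HOST.
# $MSGHDR renders as "$PROGRAM: " (trailing space included), so the output line
# becomes: www.example.com: 000.000.000.000 - - [25/Jan/2011:...] "GET ..." ...
destination d_access_msghdr {
    file("/var/log/apache/access_msghdr.log"
         template("${MSGHDR}${MSG}\n"));
};

# Approach 2: copy the locked $MSGHDR macro into a new name-value pair and
# clean it with a regular expression, as the reply suggests.
rewrite r_vhost {
    set("${MSGHDR}", value("VHOST"));        # VHOST = "www.example.com: "
    subst(": *$", "", value("VHOST"));       # VHOST = "www.example.com"
};

# Output line: www.example.com 000.000.000.000 - - [25/Jan/2011:...] "GET ..." ...
destination d_access_vhost {
    file("/var/log/apache/access_vhost.log"
         template("${VHOST} ${MSG}\n"));
};

log {
    source(s_apache);
    rewrite(r_vhost);
    destination(d_access_vhost);
};
```

Check the file with `syslog-ng -s -f <config>` before reloading. Note that only the header is rewritten: ${MSG} still carries the original Apache timestamp, so no request time is lost, but it also carries client-supplied text (request line, User-Agent), which the template passes through untouched.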
That did the trick! Thanks :)

________________________________
From: Matthew Hall <mhall@mhcomputing.net>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Sent: Tue, January 25, 2011 4:51:38 PM
Subject: Re: [syslog-ng] syslog-ng - Apache Logging

On Tue, Jan 25, 2011 at 12:55:06PM -0800, Steven Shepherd wrote:

I have Apache logging working via a named pipe, however the log looks like:

Jan 25 14:44:13 $HOSTNAME $VIRTUAL_HOST: 000.000.000.000 - - [25/Jan/2011:14:44:13 -0600] "GET /foo.html HTTP/1.0" 200 24040 "-" "Wget/1.10.2 (Red Hat modified)"

I want to strip the syslog timestamp and $HOSTNAME. However, if I use "template("$MSGONLY\n")", it strips the timestamp, hostname *and* the $virtual_host (obtained from including "%V" in LogFormat and using 'vcommon' on apache server).

Any ideas on how to remove the syslog data but leave the vhost data in place?

Cheers!

You probably want to look at MSGHDR. The default syslog format is:

By default, syslog-ng sends messages using the following template: $ISODATE $HOST $MSGHDR$MSG\n. (The $MSGHDR$MSG part is written together because the $MSGHDR macro includes a trailing whitespace.)
-- http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...

Make sure to read over the definitions of the vars. You can use rewrites and sets to put the value of these locked (unchangeable) vars into other vars, and then edit the value of the new vars with PCRE and such, to contain just the desired data.

Matthew.

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html