Syslog-ng apache filters
Dear community,

I am currently trying to set up a central syslog-ng server. Almost everything is working; I just have some issues with filtering apache2 logs.

On the remote host I use the following to send the apache2 log:

    source vhost_access { file("/var/log/apache2/vhost-access.log"); };

This is working: the central syslog server gets the messages. I set up a filter on the server to filter apache2 logs, such as:

    filter f_apache { match("hostname.mydomain.fr"); };

This works. The issue is that my apache2 logs match other filters, so I am logging messages 3 times:

    filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news); };

and:

    filter f_user { facility(user) and not filter(f_debug); };

It seems that I have to play with the default-priority() and default-facility() parameters. I would like to know how you deal with this kind of situation?

Regards,
Hugo
Hugo Deprez <hugo.deprez@gmail.com> writes:
The issue is that my apache2 logs match other filter, so I am logging messages 3 times : [...] I would like to know how do you deal with this kind of situation ?
Put your apache2 logpath first, and use flags(final):

    log { source(s_whatever); filter(f_apache); destination(d_whatever); flags(final); };

The flags(final) option will tell syslog-ng to stop processing the message there and then: it won't be sent forward to the rest of the logpaths.

Hope this helps!
-- |8]
Thank you for the answer. It seems to be what I am looking for, but I am not able to make it work:

    log { source(stunnel); filter(f_apache); destination(remoteclient_apache); flags(final); };

Any idea? I am running syslog-ng 3.1.3 on Debian squeeze.

Regards,

On 11 April 2012 12:12, Gergely Nagy <algernon@balabit.hu> wrote:
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hugo Deprez <hugo.deprez@gmail.com> writes:
Thank you for the answer.
Seems to be what I am looking for, but I am not able to make it work:
log { source(stunnel); filter(f_apache); destination(remoteclient_apache); flags(final); };
This should work, I believe. Do you see duplicated logs, or an error message during parsing, or what exactly does not work?
-- |8]
I see duplicated logs in different files. I don't see any error.

On 11 April 2012 16:00, Gergely Nagy <algernon@balabit.hu> wrote:
Hugo Deprez <hugo.deprez@gmail.com> writes:
I see duplicated logs on different files.
Do you have any log{} statements before the apache one?
-- |8]
Yes I do, should I specify those ones first?

Regards,

On 11 April 2012 19:06, Gergely Nagy <algernon@balabit.hu> wrote:
Hugo Deprez <hugo.deprez@gmail.com> writes:
Yes I do, should I specify those ones first?
The apache one should come first, otherwise your logs will go through the ones before it (if any of the filters match, of course), resulting in duplicate logs.

Put the apache one first, and flags(final) will not let matching logs through to the others.
-- |8]
Hello, thank you! That was my issue.

I do have an issue finding a proper filter for apache2. vhosts get mixed up, as filtering on the FQDN is not enough: some apache2 logs don't contain the FQDN. Any idea?

Regards,
Hugo

On 12 April 2012 10:51, Gergely Nagy <algernon@balabit.hu> wrote:
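The following is an added example, not configuration from the thread. It combines Gergely's advice (apache logpath first, with flags(final)) with the default-facility() option Hugo mentioned, so that the server identifies apache2 messages by syslog facility rather than by an FQDN that is not always present in the line. Names not on the page (d_messages, d_user, the local7 facility choice) are assumptions; s_whatever and the other identifiers are taken from the thread.

```conf
# Added example, not from the original thread. d_messages, d_user and the
# choice of local7 are assumptions; adapt to your own config.

# --- client (remote host): tag the vhost log with a dedicated facility ---
# A file() source has no syslog PRI header, so syslog-ng assigns facility
# and priority itself (built-in default: user.notice). default-facility()
# and default-priority() override that for this source only.
source vhost_access {
    file("/var/log/apache2/vhost-access.log"
         default-facility(local7)
         default-priority(info));
};

# --- server: filter on the facility, not on the message text ---
# The facility is carried in the PRI field of every forwarded message, so
# it survives the stunnel hop and does not depend on the FQDN appearing
# in the access-log line.
filter f_apache { facility(local7); };

filter f_messages {
    level(info,notice,warn)
    and not facility(auth,authpriv,cron,daemon,mail,news);
};
filter f_user { facility(user) and not filter(f_debug); };

# log{} statements are evaluated in the order they appear. The apache
# path comes FIRST and carries flags(final): a message matching f_apache
# is delivered here and is not offered to any later path, so f_messages
# (which local7.info would otherwise match) cannot duplicate it.
log {
    source(stunnel);
    filter(f_apache);
    destination(remoteclient_apache);
    flags(final);
};

# Everything else falls through to the general paths as before.
log { source(stunnel); filter(f_messages); destination(d_messages); };
log { source(stunnel); filter(f_user);     destination(d_user); };
```

If the apache log path is placed after the general ones, flags(final) has nothing left to stop and the duplicates reappear, which is exactly the behaviour described earlier in the thread.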
Participants (2): Gergely Nagy, Hugo Deprez