[syslog-ng] apache logs over syslog-ng synchronized

Balazs Scheidler bazsi at balabit.hu
Thu Sep 4 09:34:52 CEST 2008


On Wed, 2008-09-03 at 18:02 +0300, Eli Shemer wrote:
> source s_apachelogs { file("/etc/apache2/logs/test/2008-09-03-test.log" follow-freq(1) log_prefix("test") ); };
> 
> is it possible to somehow get the log_prefix string from the string in the file() ?
> otherwise I will have to write down close to 200 source definitions.

Not currently with 2.0 or 2.1 I'm afraid.

With the next major release currently in the works it is.

You can do things like:

source s_apachelogs { file("/etc/apache2/logs/test/2008-09-03-test.log" follow-freq(1)); };
parser p_csvparser { csv_parser(columns('APACHE.VHOST_NAME', 'APACHE.CLIENT_IP', ...)); };
destination d_apache_files { file("/var/log/apache/access.log-${APACHE.VHOST_NAME}"); };

log { source(s_apachelogs); parser(p_csvparser); destination(d_apache_files); };

The key is the parser here: it extracts information from the log message and puts 
it into "values". A value is a name-value pair, associated with a message. You can 
use these user-defined values anywhere you could use template() before.

You can also rewrite these values, or the message itself:

rewrite r_sample { set("$FILE_NAME $MSG" value("MESSAGE")); };

This changes the contents of the "MESSAGE" value (that is the message payload itself), 
or for that matter, you can change custom values:

rewrite r_sample { set("$FILE_NAME $MSG" value("USER.DEFINED.VALUE")); };

And then reference ${USER.DEFINED.VALUE} in your config.

I'd really want to publish these features now, I'd only need about 1 day of silence which 
is difficult to get, as I'm involved in a load of other projects.

However I'm leaving for a holiday on Friday, and probably will be able to do this.


-- 
Bazsi
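
Added example, not part of the original post and not syslog-ng code: a Python model of the parser-to-templated-destination flow described above, showing why the extracted vhost value should be validated before it becomes part of a file name. The space-separated column layout, the `_invalid` fallback suffix and the sample lines are assumptions; the check matters when the vhost column is logged from the request's Host header.

```python
import re

# Column names come from the post's csv_parser() example; a space-separated
# Apache LogFormat that starts with vhost and client IP is assumed.
COLUMNS = ["APACHE.VHOST_NAME", "APACHE.CLIENT_IP"]
DEST_TEMPLATE = "/var/log/apache/access.log-{vhost}"
FALLBACK = "_invalid"  # hypothetical catch-all suffix, not a syslog-ng default
# Hostname characters only, so no "/" or "\" can reach the file name.
SAFE_VHOST = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def parse(line):
    """Model of the parser step: split the leading columns into named values."""
    fields = line.split(" ", len(COLUMNS))
    if len(fields) < len(COLUMNS):
        return {}
    return dict(zip(COLUMNS, fields))


def destination_for(values):
    """Model of the templated file() destination, with the value validated."""
    vhost = values.get("APACHE.VHOST_NAME", "")
    if not SAFE_VHOST.fullmatch(vhost) or ".." in vhost:
        vhost = FALLBACK
    return DEST_TEMPLATE.format(vhost=vhost.lower())


def route(lines):
    """Group log lines by the destination path they would be written to."""
    routed = {}
    for line in lines:
        routed.setdefault(destination_for(parse(line)), []).append(line)
    return routed


# Constructed sample lines (documentation names and addresses).
SAMPLE = [
    'www.example.com 192.0.2.10 - - [03/Sep/2008:18:02:00 +0300] "GET / HTTP/1.1" 200 512',
    'shop.example.com 192.0.2.11 - - [03/Sep/2008:18:02:01 +0300] "GET /cart HTTP/1.1" 200 1024',
    '../../tmp/x 192.0.2.66 - - [03/Sep/2008:18:02:03 +0300] "GET / HTTP/1.0" 400 226',
    'www.example.com 192.0.2.12 - - [03/Sep/2008:18:02:04 +0300] "GET /a HTTP/1.1" 404 209',
]

if __name__ == "__main__":
    for path, lines in sorted(route(SAMPLE).items()):
        print(f"{path}: {len(lines)} line(s)")
```
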


