[syslog-ng] no compatibility between syslog and apache log priority
Balazs Scheidler
bazsi at balabit.hu
Fri Jun 5 18:09:35 CEST 2009
On Thu, 2009-06-04 at 16:14 +0200, gatfi sami wrote:
> Hi, I successfully configured a centralised syslog server using
> syslog-ng 2.09. Here is the structure:
>
> syslog-client(read apache error log) -------> send to a syslog-relay
> ---------> forward to a syslog server ----> centralise in a mysql table
> 'logs'
>
> CREATE TABLE `syslogtopnet`.`log` (
> `seq` int(10) unsigned NOT NULL auto_increment,
> `host` varchar(60) NOT NULL,
> `facility` varchar(40) NOT NULL,
> `priority` varchar(40) NOT NULL,
> `level` varchar(40) NOT NULL,
> `date_log` date NOT NULL,
> `time_log` time NOT NULL,
> `program` varchar(40) NOT NULL,
> `message` text NOT NULL,
> PRIMARY KEY (`seq`),
> KEY `index_log` (`host`)
> ) ENGINE=InnoDB AUTO_INCREMENT=684 DEFAULT CHARSET=latin1;
>
>
> My problem is: I find, for example, priority='Notice' and
> level='Notice', but in the message I find [warn]
>
>
> Here is an example:
> INSERT INTO `syslogtopnet`.`log` VALUES
> (320,'192.168.9.195','user','notice','notice','2009-05-19','19:33:24','','[Tue May 19 19:33:24 2009] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]');
>
> I discovered that Apache log levels are different than syslog's,
> so !!!!!
>
> 1. Weird, isn't it? Please, is there a solution to keep the same level in
> the original priority?
Well, the Apache log files are certainly not syslog messages, thus
syslog-ng assumes they have a priority/facility value of "user.notice".
In syslog-ng 3.0.2 the options default-facility() and default-level()
were added to change that. But still, it can only use a predefined value.
>
> 2. Besides, in more than 20589 lines in my table, priority and level have
> the same values. Is it normal that the level and priority are the same?
> How can this be?
As I said, syslog-ng assumes user.notice for all messages that lack a
syslog header.
PS: Please send your questions to the syslog-ng mailing list. I might
not be able to answer them all, and sometimes might not even answer. So it is
better to send them there.
--
Bazsi
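
Added example, not part of the original post and not syslog-ng code: a small pre-processor that reads the Apache level token from an error log line and derives the matching syslog PRI value, so a line without a recognisable level falls back to the user.notice default described in the reply. The function names, the "httpd" program tag and the minimal framing (PRI plus tag, no timestamp or hostname) are assumptions made for illustration.

```python
import re

# Apache LogLevel names mapped to syslog severity codes (0 = most severe).
APACHE_TO_SEVERITY = {
    "emerg": 0, "alert": 1, "crit": 2, "error": 3,
    "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]
FACILITY_USER = 1       # syslog "user" facility code
FALLBACK_SEVERITY = 5   # "notice": the default assumed for header-less lines

# Apache error log layout seen in the post: [timestamp] [level] message
ERROR_LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[a-z]+)\] (?P<msg>.*)$")


def classify(line, facility=FACILITY_USER):
    """Return (pri, severity_name, message) for one Apache error log line."""
    text = line.strip()
    severity, message = FALLBACK_SEVERITY, text
    m = ERROR_LOG_RE.match(text)
    if m and m.group("level") in APACHE_TO_SEVERITY:
        severity = APACHE_TO_SEVERITY[m.group("level")]
        message = m.group("msg")
    pri = facility * 8 + severity   # syslog PRI = facility * 8 + severity
    return pri, SEVERITY_NAMES[severity], message


def frame(line, program="httpd"):
    """Prefix the message with <PRI> so a syslog receiver sees the real level."""
    pri, _, message = classify(line)
    return "<%d>%s: %s" % (pri, program, message)


if __name__ == "__main__":
    samples = [
        # Line quoted in the post:
        "[Tue May 19 19:33:24 2009] [warn] Init: Session Cache is not "
        "configured [hint: SSLSessionCache]",
        # Constructed sample lines:
        "[Tue May 19 19:40:02 2009] [error] File does not exist: /var/www/x",
        "line without an Apache level token",
    ]
    for s in samples:
        print(classify(s)[:2], frame(s))
```
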