[syslog-ng] syslog-ng - Apache Logging

Matthew Hall mhall at mhcomputing.net
Tue Jan 25 22:51:38 CET 2011


On Tue, Jan 25, 2011 at 12:55:06PM -0800, Steven Shepherd wrote:
> I have Apache logging working via a named pipe, however the log looks like:
> 
> Jan 25 14:44:13 $HOSTNAME $VIRTUAL_HOST: 000.000.000.000 - - 
> [25/Jan/2011:14:44:13 -0600] "GET /foo.html HTTP/1.0" 200 24040 "-" "Wget/1.10.2 
> (Red Hat modified)"
> 
> I want to strip the syslog timestamp and $HOSTNAME.  However, if I use 
> "template("$MSGONLY\n")", it strips the timestamp, hostname *and* the 
> $virtual_host (obtained from including "%V" in LogFormat and using 'vcommon' on 
> apache server).
> 
> Any ideas on how to remove the syslog data but leave the vhost data in place?
> 
> Cheers!

You probably want to look at MSGHDR.

The default syslog format is:

By default, syslog-ng sends messages using the following template: $ISODATE $HOST $MSGHDR$MSG\n. (The $MSGHDR$MSG part is written together because the $MSGHDR macro includes a trailing whitespace.)

-- http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/index.html-single.html

Make sure to read over the definitions of the vars.

You can use rewrites and sets to put the value of these locked (unchangeable) vars into other vars, and then edit the value of the new vars with PCRE and such, to contain just the desired data.

Matthew.
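
An added example, not part of the original post: a syslog-ng configuration fragment that applies the MSGHDR suggestion above. It assumes syslog-ng parsed the "$VIRTUAL_HOST:" prefix as the message header, which is consistent with $MSGONLY dropping it. The pipe path, log path and object names are hypothetical.

```conf
# Added example (not from the original thread). All paths and the
# s_/d_ object names are hypothetical placeholders.

# Apache writes its access log into this named pipe.
source s_apache_pipe {
    pipe("/var/run/apache_access.pipe");
};

# Default template per the admin guide: $ISODATE $HOST $MSGHDR$MSG\n
# Leaving out $ISODATE and $HOST removes the syslog timestamp and
# hostname. Keeping $MSGHDR retains the "vhost: " prefix that
# $MSGONLY discards. $MSGHDR carries its own trailing space, so it
# is written directly against $MSG with no separator.
destination d_apache_access {
    file("/var/log/apache/access.log"
         template("$MSGHDR$MSG\n"));
};

log {
    source(s_apache_pipe);
    destination(d_apache_access);
};
```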

