[syslog-ng] change from rsyslog to syslog-ng
Jakub Jankowski
shasta at toxcorp.com
Fri Jul 8 13:37:13 CEST 2011
On 2011-07-08, Josu Lazkano wrote:
> I want to send all vhosts logs to my syslog-ng server, but I don't know how to do it with rsyslog.
> Is it possible to do with syslog-ng?
> My Apache logs are configured this way:
> ErrorLog /var/www/domain1/log/error.log
> CustomLog /var/www/domain1/log/access.log common env=!dontlog
>
> On the same machine I have lots of vhost logs:
> /var/www/domain1/log/error.log
[...]
> /var/www/domain3/log/access.log
First of all - I'm not familiar with rsyslog, so I'll focus on the syslog-ng
side; sorry about that.
Globbing in file() source driver is - as far as I recall - only available
in syslog-ng PE. If you'd like syslog-ng OSE to follow all your logfiles,
you'd have to specify every path to every log file. This is hard to
manage.
You have another possibility, though: you can include vhost name in your
CustomLog format, and put all accesslogs into one file (which you can then
easily follow with syslog-ng, or even use a pipe() instead), so it looks
like this:
domain1.com i.p.add.ress - - [10/Jun/....
domain2.com ano.ther.i.p - - [10/Jun/....
Send this to your central syslog-ng server, and there you can split the
vhost name and the rest of the line (i.e. using a csv parser). Then use the
first field (vhost name) as a macro in the filename template of your
file() destination.
This approach has been demonstrated on many blog notes (can't recall exact
URLs at the moment, so apologies to those whom I should mention here).
It has one drawback, however. In Apache HTTPd, you cannot use custom log
formats for anything other than the access log. This applies to all 1.3, 2.0
and 2.x branches and is a major PITA, because it forces you either to use
different ErrorLog for every vhost (which in turn makes apache use a lot
of file descriptors), or use single destination (file, or syslog - yes,
apache can log errorlog directly to syslog) for all vhosts, but this has
the drawback of not knowing which log message corresponds to which vhost.
What I did to work around this problem - I've patched apache sources to
include ServerName (a.k.a. vhost) in every errorlog message in a
hardcoded, non-runtime-configurable format, and then applied the same
logic as I use for accesslogs.
If anyone has another solution or sees flaws in mine - I'd be more than
happy to hear their thoughts on that.
HTH
--
Jakub Jankowski|shasta at toxcorp.com|http://toxcorp.com/
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
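
The single-file access log approach from the message above, written out as an added example that is not part of the original post. The file paths, the format name `vhost_common`, the program tag `apache_access`, the host `logserver.example.com` and port 514 are assumptions; the Apache lines and the two syslog-ng parts belong in their respective configuration files.

```conf
# --- Apache (web host): one shared access log, vhost name as first field ---
# %v is the canonical ServerName of the vhost that served the request.
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
CustomLog /var/log/apache2/vhosts_access.log vhost_common env=!dontlog

# --- syslog-ng on the web host: follow that file and forward it ---
source s_apache_access {
    # no-parse keeps the whole line in ${MESSAGE}; program-override tags it
    file("/var/log/apache2/vhosts_access.log"
         follow-freq(1) flags(no-parse) program-override("apache_access"));
};
destination d_central { tcp("logserver.example.com" port(514)); };
log { source(s_apache_access); destination(d_central); };

# --- syslog-ng on the central server: split and write per vhost ---
source s_net { tcp(ip(0.0.0.0) port(514)); };
filter f_apache_access { program("apache_access"); };
parser p_vhost {
    # first space-separated field -> ${VHOST}; greedy puts the rest in ${REST}
    csv-parser(columns("VHOST", "REST") delimiters(" ")
               flags(greedy) template("${MESSAGE}"));
};
# ${VHOST} arrives over the network and ends up in a file name, so accept
# only hostname characters (no "/" and no leading dot) before using it.
filter f_safe_vhost {
    match("^[A-Za-z0-9][A-Za-z0-9.-]*$" value("VHOST") type("pcre"));
};
destination d_per_vhost {
    file("/var/log/vhosts/${VHOST}/access.log"
         template("${REST}\n") create-dirs(yes));
};
log {
    source(s_net); filter(f_apache_access);
    parser(p_vhost); filter(f_safe_vhost);
    destination(d_per_vhost);
};
```

Lines whose first field fails `f_safe_vhost` are not written by this log path, so a second log path to a catch-all file is worth adding if those lines should be kept for review.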