[syslog-ng] Apache vhost logs

Gergely Nagy algernon at balabit.hu
Mon Jul 11 12:19:04 CEST 2011


Josu Lazkano <josu.lazkano at barcelonamedia.org> writes:

> I want to send all apache vhosts logs to a remote server.
>
> I read this guide: http://www.facebook.com/note.php?note_id=338493890632
>
> But, when I create the named pipes, I cannot restart Apache.

Any error messages?

I tried the guide locally, and it worked for me. With a few corrections
(like fixing the $MSGONLYn template to read $MSGONLY\n, where the \ got
lost in the facebook translation, I suppose).

> I try to send the logs files this way:
>
>         file("/var/log/apache2/access.log");
>         file("/var/log/apache2/error.log");
>
> But on the server-side there is any access.log and error.log files.

That's expected. The server does not know what files to put these logs
in, so it'll put the apache logs wherever it puts the rest of the
messages.

> I have lots of vhost on the client-side. How could I configure it?

One way is to use named pipes, as the guide suggests. Another way is to
still log to files on the web serves, but change the LogFormat to what
the guide says, and read from files. Though, error.log cannot be
configured, so that'll need a bit different treatment, see below.

For the access logs, you can use the LogFormat in the guide, and split
them on server side, as the guide says.

For error logs, you can't really do that, since it cannot be formatted
on apache side, as far as I remember, so it won't contain the virtual
host. So if using a single error.log, the best one can do is transfer it
as-is, using the no-parse source flag on the client's syslog-ng.

If you need per-host split error logs, well.. there's still a few
options left: either you add them one by one as sources, and make sure
there's a way the server can identify the source (eg, using no-parse,
and formatting the log into syslog format in the destination, where you
add the virtualhost - this way you'll have a source + destination + log
block for each and every virtualhost. With syslog-ng 3.3, this can be
made easier using block{}, but that's something I haven't played with
much, and syslog-ng 3.3 is in beta at the moment...).

Another way is to use an external program to find all the error.logs,
tail -f them, and format the lines appropriately, and send them to
syslog. This sounds pretty awkward, though.

-- 
|8]



More information about the syslog-ng mailing list