[syslog-ng] Apache vhost logs

Josu Lazkano josu.lazkano at barcelonamedia.org
Mon Jul 11 13:15:57 CEST 2011


Thanks, I just saw that the Apache logs go to the "user" log file. This is the tree:

$ tree -h host1
.
└── [4.0K]  2011-07
    ├── [ 19K]  auth
    ├── [346K]  authpriv
    ├── [297K]  cron
    ├── [ 12K]  daemon
    ├── [2.1K]  kern
    ├── [7.9K]  syslog
    └── [775K]  user

$ cat user
Jul 11 13:10:10 host1/host1 IP - - [11/Jul/2011:13:10:09 +0200] "GET /favicon.ico HTTP/1.1" 404 503 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30"
...

This looks great, but I want to get all vhosts in different files, something like this:

domain1 -> apache_access_domain1.log
domain2 -> apache_access_domain2.log
domain3 -> apache_access_domain3.log
...

Is this possible? Must I configure it on the client or the server side?

Thanks for all your help.

Best regards.

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On behalf of Gergely Nagy
Sent: Monday, July 11, 2011 12:19
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Apache vhost logs

Josu Lazkano <josu.lazkano at barcelonamedia.org> writes:

> I want to send all apache vhosts logs to a remote server.
>
> I read this guide: http://www.facebook.com/note.php?note_id=338493890632
>
> But, when I create the named pipes, I cannot restart Apache.

Any error messages?

I tried the guide locally, and it worked for me. With a few corrections
(like fixing the $MSGONLYn template to read $MSGONLY\n, where the \ got
lost in the facebook translation, I suppose).

> I try to send the log files this way:
>
>         file("/var/log/apache2/access.log");
>         file("/var/log/apache2/error.log");
>
> But on the server side there aren't any access.log and error.log files.

That's expected. The server does not know what files to put these logs
in, so it'll put the apache logs wherever it puts the rest of the
messages.

> I have lots of vhosts on the client side. How could I configure it?

One way is to use named pipes, as the guide suggests. Another way is to
still log to files on the web servers, but change the LogFormat to what
the guide says, and read from files. Though, error.log cannot be
configured, so that'll need a bit different treatment, see below.

For the access logs, you can use the LogFormat in the guide, and split
them on server side, as the guide says.

For error logs, you can't really do that, since it cannot be formatted
on apache side, as far as I remember, so it won't contain the virtual
host. So if using a single error.log, the best one can do is transfer it
as-is, using the no-parse source flag on the client's syslog-ng.

If you need per-host split error logs, well.. there's still a few
options left: either you add them one by one as sources, and make sure
there's a way the server can identify the source (eg, using no-parse,
and formatting the log into syslog format in the destination, where you
add the virtualhost - this way you'll have a source + destination + log
block for each and every virtualhost. With syslog-ng 3.3, this can be
made easier using block{}, but that's something I haven't played with
much, and syslog-ng 3.3 is in beta at the moment...).

Another way is to use an external program to find all the error.logs,
tail -f them, and format the lines appropriately, and send them to
syslog. This sounds pretty awkward, though.

-- 
|8]
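
One way to wire up the access-log split discussed in this thread, added here as an example (it is not taken from the thread or from the guide it links): Apache writes the vhost as the first field, the client ships each line unparsed, and the server routes on that field. The format name `vhost_first`, the host `logserver.example`, the `apache_access` tag, the `APACHE.*` column names and all paths are assumptions.

```conf
# --- Apache, on each web server (shown as comments; not syslog-ng syntax) ---
# %v is the ServerName from the vhost configuration, not the request's Host
# header, so the value later used in a file name is not chosen by the visitor.
#   LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_first
#   CustomLog /var/log/apache2/access.log vhost_first

# --- syslog-ng on the web server (client) ---
source s_apache_access {
    # no-parse: the whole line becomes the message part;
    # program_override tags it so the server can recognise it.
    file("/var/log/apache2/access.log"
         flags(no-parse) program_override("apache_access"));
};
destination d_logserver { tcp("logserver.example" port(514)); };
log { source(s_apache_access); destination(d_logserver); };

# --- syslog-ng on the log server ---
source s_net { tcp(port(514)); };

filter f_apache_access { program("^apache_access$"); };

# First space-separated field is the vhost; greedy puts the rest in one column.
parser p_vhost {
    csv-parser(columns("APACHE.VHOST", "APACHE.REST")
               delimiters(" ") flags(escape-none, greedy));
};

# Accept only hostname-shaped values before they reach a file name
# (without "/" the name cannot leave the target directory).
filter f_vhost_ok { match("^[A-Za-z0-9.-]+$" value("APACHE.VHOST")); };

destination d_apache_vhost {
    # Hypothetical target directory; $MSGONLY writes the line as Apache logged it.
    file("/var/log/apache/apache_access_${APACHE.VHOST}.log"
         template("$MSGONLY\n"));
};

# Place this log statement before the generic ones: flags(final) stops
# matching lines from also landing in the "user" file.
log {
    source(s_net);
    filter(f_apache_access);
    parser(p_vhost);
    filter(f_vhost_ok);
    destination(d_apache_vhost);
    flags(final);
};
```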