[syslog-ng] missing IP information at the message part
Oğuz Yarımtepe
oguzyarimtepe at gmail.com
Sun Jan 1 12:46:50 CET 2012
I have syslog-ng and logzilla 2.9.9g installed on a Debian squeeze
machine. I can see the logs at the web interface. I configured
syslog-ng to collect apache error and access logs. The problem is that
I don't see IP information at the message part, on web interface.
For example, one of the machines that is sending apache logs is the "www"
machine. The syslog-ng configuration is as below:
# All messages send to a remote site
#
#log { source(s_src); destination(d_net); };
#manual edit
options { log_msg_size(8192); };
#######
# sources #
#######
source s_apache_access {
# unix-stream("/var/log/httpd/apache_log.socket"
# max-connections(512)
# keep-alive(yes));
file ("/var/log/apache2/access.log"
flags(no-parse));
};
source s_apache_error {
# unix-stream("/var/log/httpd/apache_log.socket"
# max-connections(512)
# keep-alive(yes));
file ("/var/log/apache2/error.log"
flags(no-parse));
};
################
# destinations #
################
destination d_custom_access {
file("/var/log/apache2/custom_access.log");
};
destination d_custom_error {
file("/var/log/apache2/custom_error.log");
};
destination d_apache_tls {
tcp("192.168.1.145"
port(6514)
tls(ca_dir("/etc/syslog-ng/etc/ca.d")
key_file("/etc/syslog-ng/etc/key.d/debian4key.pem")
cert_file("/etc/syslog-ng/etc/cert.d/debian4cert.pem")));
};
###########
# filters #
###########
filter f_apache_access {
message("GET|POST");
};
filter f_apache_error {
message("error");
};
log {
source(s_apache_access);
# filter(f_apache_access);
destination(d_apache_tls);
};
log {
source(s_apache_error);
# filter(f_apache_access);
destination(d_apache_tls);
};
and
# tail -n1 /var/log/apache2/access.log
78.185.240.170 - - [01/Jan/2012:13:35:06 +0200] "GET /images/rand/randpic11.jpg HTTP/1.1" 200 45670 "http://www.comu.edu.tr/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7"
www:/home/oguz#
For the www machine I don't see the 78.185.240.170 information at the
web ui, but the rest of the line starting with --
Though another machine, "reverse", is sending apache logs with an
additional field and I can see its log at the web ui without any
missing information.
The reverse has the same configuration except for the key information.
# tail -n1 /var/log/apache2/other_vhosts_access.log
www.beeseurope.eu:80 178.154.160.29 - - [01/Jan/2012:13:36:46 +0200] "GET /mod/forum/discuss.php?d=55&parent=88 HTTP/1.1" 200 34557 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
At the web interface, I can see the IP information also at the message part.
My syslog-ng configuration at the server is as below:
options {
long_hostnames(off);
# doesn't actually help on Solaris, log(3) truncates at 1024 chars
log_msg_size(8192);
# buffer just a little for performance
flush_lines(16384);
# memory is cheap, buffer messages unable to write (like to loghost)
log_fifo_size(16384);
# Hosts we don't want syslog from
#bad_hostname("^(ctld.|cmd|tmd|last)$");
# The time to wait before a dead connection is reestablished (seconds)
time_reopen(10);
#Use DNS so that our good names are used, not hostnames
use_dns(yes);
dns_cache(yes);
#Use the whole DNS name
use_fqdn(yes);
keep_hostname(yes);
chain_hostnames(no);
#Read permission for everyone
perm(0644);
# The default action of syslog-ng 1.6.0 is to log a STATS line
# to the file every 10 minutes. That's pretty ugly after a while.
# Change it to every 12 hours so you get a nice daily update of
# # how many messages syslog-ng missed (0).
# stats(43200);
log_msg_size(8192);
};
source s_apache {
tcp(ip(0.0.0.0) port(6514)
tls(
key_file("/etc/syslog-ng/etc/key.d/debian1key.pem")
cert_file("/etc/syslog-ng/etc/cert.d/debian1cert.pem")
ca_dir("/etc/syslog-ng/etc/ca.d")));
};
filter f_apache_access {
message("GET|POST");
};
filter f_apache_error {
message("error");
};
# Create destination to LogZilla
destination d_logzilla {
program("/opt/logzilla-2.9.9g/scripts/db_insert.pl"
template("$HOST\t$FACILITY\t$PRIORITY\t$LEVEL\t$TAG\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n")
#template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC\t$HOST\t$PRI\t$PROGRAM\t$MSGONLY\n")
);
};
# test purposes
destination d_apache_test_access {
file("/var/log/apache2/hosts/$HOST/$YEAR/$MONTH/$DAY/access.log"
create_dirs(yes));
};
destination d_apache_test_error {
file("/var/log/apache2/hosts/$HOST/$YEAR/$MONTH/$DAY/error.log"
create_dirs(yes));
};
# Tell syslog-ng to log to our new destination
log {
source(s_apache);
destination(d_logzilla);
};
log {
source(s_apache);
filter(f_apache_error);
destination(d_apache_test_error);
};
log {
source(s_apache);
filter(f_apache_access);
destination(d_apache_test_access);
};
Any ideas about how I can fix the missing IP information at the web ui
of logzilla?
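An added illustration (editor's example, not part of the original post and not syslog-ng's own code) of one way the first token of the www line can vanish from the message column: when the receiving side applies ordinary legacy-syslog parsing to what a flags(no-parse) client forwards, the first whitespace-delimited token after the hostname is taken as $PROGRAM. The two sample messages below are constructed from the access-log lines quoted in the post with a guessed "<13>" header, and the parser is an approximation of that splitting rule, not syslog-ng's implementation.

```python
import re

# Constructed samples (not captured from the poster's systems): the two access-log
# lines quoted in the post, wrapped in a guessed BSD syslog header ("<13>", a
# timestamp and the sending hostname) as a client-side source with flags(no-parse)
# would forward them.
WWW_LINE = (
    "<13>Jan  1 13:35:06 www "
    '78.185.240.170 - - [01/Jan/2012:13:35:06 +0200] "GET /images/rand/randpic11.jpg '
    'HTTP/1.1" 200 45670 "http://www.comu.edu.tr/" "Mozilla/5.0 (Windows NT 5.1) '
    'AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7"'
)
REVERSE_LINE = (
    "<13>Jan  1 13:36:46 reverse "
    'www.beeseurope.eu:80 178.154.160.29 - - [01/Jan/2012:13:36:46 +0200] '
    '"GET /mod/forum/discuss.php?d=55&parent=88 HTTP/1.1" 200 34557 "-" '
    '"Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"'
)

# PRI, BSD timestamp and hostname; everything after the hostname is "rest".
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$",
    re.S,
)


def parse_legacy(line):
    """Split a BSD-style syslog message into header fields, PROGRAM and MSG.

    Approximation (an assumption, not syslog-ng's source): after PRI, timestamp and
    hostname, the program name runs up to the first ':', ' ' or '['; an optional
    [pid] follows; a trailing ':' and leading blanks are dropped from the message.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD-style syslog message")
    pri = int(m.group("pri"))
    rest = m.group("rest")
    i = 0
    while i < len(rest) and rest[i] not in ":[ ":
        i += 1
    program = rest[:i]
    pid = ""
    if i < len(rest) and rest[i] == "[":
        close = rest.find("]", i)
        if close != -1:
            pid = rest[i + 1:close]
            i = close + 1
    if i < len(rest) and rest[i] == ":":
        i += 1
    return {
        "facility": pri // 8,
        "level": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "program": program,
        "pid": pid,
        "msg": rest[i:].lstrip(" "),
    }


def logzilla_columns(fields):
    """Render the columns of the post's d_logzilla template that matter here
    ($HOST, $PROGRAM, $MSG), tab separated as db_insert.pl would receive them."""
    return "\t".join((fields["host"], fields["program"], fields["msg"]))


def field_holding(fields, token):
    """Report which parsed field a given token (for example the client IP) landed in."""
    for name in ("program", "msg"):
        if token in fields[name]:
            return name
    return None


if __name__ == "__main__":
    for line in (WWW_LINE, REVERSE_LINE):
        print(logzilla_columns(parse_legacy(line)))
```

Under this model the www line yields $PROGRAM = 78.185.240.170 and a $MSG beginning with "- -", while on the other host the vhost prefix is consumed as the program name up to its colon and the client IP stays inside $MSG; that matches the two behaviours described in the post. The check worth doing before touching the configuration is to look at the $PROGRAM column of what the d_logzilla template passes to db_insert.pl (or the per-host test destinations) to confirm where the address ended up; if the receiver is indeed splitting raw access-log lines this way, telling the server-side source not to parse them (syslog-ng's flags(no-parse), already used on the client in the post) is one option to test so that the whole line stays in $MSG.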