[syslog-ng] Remote server not keeping message intact
Gareth Allen
gallen at openworld.co.za
Thu Nov 12 09:34:11 CET 2015
Hi all
I'm sending Apache logs to a remote syslog-ng server, but the remote
server isn't keeping the message intact.
Source:
My Apache log format:
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
What the log looks like:
172.27.15.149 - - [12/Nov/2015:08:30:59 +0000] "GET / HTTP/1.1" 200 3594 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
My syslog-ng configuration:
source s_apache {
    file("/var/log/apache2/access.log" follow_freq(1) flags(no-parse));
};
destination d_apache_tcp {
    tcp("x.x.x.x" port(514));
};
log { source(s_apache); destination(d_apache_tcp); };
Log server:
source s_net {
    udp(port(514));
    tcp(port(514));
};
template apache {
    template("${MESSAGE}\n");
    template-escape(no);
};
destination apache {
    file("/var/log/apachetest" template(apache));
};
What I see in /var/log/apachetest:
- - [12/Nov/2015:08:30:59 +0000] "GET / HTTP/1.1" 200 3594 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
As you can see, the IP at the beginning of the log entry is being
removed. I've tried using $MSG and $MSGONLY.
Any ideas would be greatly appreciated.
Gareth
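
Added example (not part of the original post, and not syslog-ng's own code): a simplified Python model of BSD-syslog header parsing, which is assumed here to be what the receiving network source applies by default. It shows how the first token of a forwarded, unparsed Apache line can be taken as the program tag instead of staying in the message, which matches the output in the post. PRI 13 and hostname web01 in the sample frame are constructed.

```python
import re

# Constructed sample: the Apache line from the post wrapped in a BSD-syslog
# header. PRI 13 and hostname "web01" are made up for illustration.
APACHE_LINE = ('172.27.15.149 - - [12/Nov/2015:08:30:59 +0000] "GET / HTTP/1.1" '
               '200 3594 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) '
               'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 '
               'Safari/537.36"')
FRAME = "<13>Nov 12 08:30:59 web01 " + APACHE_LINE

HEADER = re.compile(r"<(?P<pri>\d{1,3})>"
                    r"(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) (?P<rest>.*)", re.S)

def parse_bsd_syslog(frame):
    """Split a frame into host, program tag, pid, removed header text, message."""
    m = HEADER.match(frame)
    if m is None:
        # No recognisable header: keep the whole frame as the message.
        return {"host": "", "program": "", "pid": "", "msghdr": "", "message": frame}
    rest = m.group("rest")
    # Assumption of this model: the tag runs up to the first space, '[' or ':'.
    end = next((i for i, c in enumerate(rest) if c in " [:"), len(rest))
    program, tail = rest[:end], rest[end:]
    pid = ""
    if tail.startswith("["):
        close = tail.find("]")
        if close != -1:
            pid, tail = tail[1:close], tail[close + 1:]
    if tail.startswith(":"):
        tail = tail[1:]
    if tail.startswith(" "):
        tail = tail[1:]
    msghdr = rest[:len(rest) - len(tail)]  # text consumed as "program[pid]: "
    return {"host": m.group("host"), "program": program, "pid": pid,
            "msghdr": msghdr, "message": tail}

def rebuild(fields):
    """Rejoin the consumed header text and the message into the original line."""
    return fields["msghdr"] + fields["message"]
```

Under this model the client address is not lost on the wire; it sits in the program field, so a receiver-side integrity check can compare rebuild() output against the original access log line.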