[syslog-ng] Best way to pipe "application" logs to central syslog-ng server.

Gergely Nagy algernon at balabit.com
Mon May 7 13:26:21 UTC 2018


>>>>> "Delon" == Delon Lee Di Lun <lee.delon2005 at gmail.com> writes:

    Delon> An example of the "application" logs I'm referring to would be for instance
    Delon> Apache HTTPD logs, I want to separate the "application" logs, in this
    Delon> example, the apache logs, and the "OS" logs into different
    Delon> directories.

There are a few ways I can think of that'd make this work. The simplest
one is perhaps using a different port to send HTTPD logs than the one
used for OS logs. Then you can set up different log paths, no explicit
filtering required. The downside is that you'll have your syslog-ng
listen on two ports, may need to adjust firewall rules, and so on.

Another option would be to force the PROGRAM field of apache logs to
"apache" or "httpd", and filter based on that on the syslog-ng side. No
need to use regexps for this, and you don't need to open a separate
port, either. The downside is that you need the PROGRAM field to be
consistent: all apache logs should have it set to the same value, and no
OS logs should reuse that value.

A third option would be to add an SDATA field to the apache logs on the
rsyslog side, and filter based on that on the syslog-ng side. I am not
familiar with rsyslog all that much, and can't offer an example of how to
do that. But it shouldn't be too hard, I imagine.
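
As an added example (not part of the original message and not taken from the syslog-ng project), the first two options above could look like this on the receiving syslog-ng server. The port numbers, the directory layout, the PROGRAM value "httpd" and the @version line are assumptions.

```conf
@version: 3.15   # assumed; set this to the version you actually run

# Destinations shared by both options (paths are assumed).
destination d_os {
    file("/var/log/remote/os/${HOST}/messages.log" create-dirs(yes));
};
destination d_httpd {
    file("/var/log/remote/httpd/${HOST}/httpd.log" create-dirs(yes));
};

# --- Option 1: a dedicated port for HTTPD logs, no filtering -------------
# Clients send OS logs to 514 and HTTPD logs to 5514 (assumed port).
# Both ports have to be allowed through the firewall.
source s_os_port    { network(transport("tcp") port(514)); };
source s_httpd_port { network(transport("tcp") port(5514)); };

log { source(s_httpd_port); destination(d_httpd); };
log { source(s_os_port);    destination(d_os); };

# --- Option 2: one port, split on the PROGRAM field ----------------------
# Clients must send every HTTPD message with PROGRAM set to exactly "httpd".
# Port 6514 is used here only so both options can coexist in one file.
source s_single_port { network(transport("tcp") port(6514)); };

# Plain string comparison, no regular expression involved.
filter f_httpd { "${PROGRAM}" eq "httpd"; };

# HTTPD messages match this path first; flags(final) stops them from
# also reaching the OS log path below.
log {
    source(s_single_port);
    filter(f_httpd);
    destination(d_httpd);
    flags(final);
};

# Everything that was not claimed above is treated as an OS log.
log { source(s_single_port); destination(d_os); };
```

With option 2 the PROGRAM value is set by the sender, so the split is only as trustworthy as the hosts allowed to reach the listener; restricting which clients can connect keeps other senders from landing messages in the HTTPD directory.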

