[syslog-ng] Best way to pipe "application" logs to central syslog-ng server.

Evan Rempel erempel at uvic.ca
Mon May 7 19:51:52 UTC 2018


We write all of our apache logs to an application

ErrorLog "|/path/to/our/script site.fqdn.name error"

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "|/path/to/our/script site.fqdn.name access" common

This script just writes the log line to syslog via script specific syslog API with an application name of httpd
and a line prefix of

access: site.fqdn.name:
or
error: site.fqdn.name:

This allows the receiving end (central syslog server) to strip off the header and recreate files specific to each virtual host

access_site.fqdn.name_datestamp
error_site.fqdn.name_datestamp

And these destination files will have the EXACT content that apache would have logged to disk on the source server.

This permits us to feed web analytic tools in real time and provide them the exact source logs that these tools
support.

Works for us.

Evan.


On 05/07/2018 08:58 AM, Gergely Nagy wrote:
>>>>>> "Delon" == Delon Lee Di Lun <lee.delon2005 at gmail.com> writes:
>      Delon> In response to gergely, the 2nd option would require the changes to be made
>      Delon> on the "apache side" of things right? If so, it's unlikely possible in my
>      Delon> use case.
>
> No, you can do that with rsyslog and syslog-ng too. Both allow you to
> tinker with the syslog headers.
>
> Ideally, changing the Apache-generated log format to conform to a syslog
> RFC would be ideal, but I understand that's not something most are
> willing - or able/allowed - to make. So the next best option is to
> fiddle with the syslog fields on the syslog side of things.
>
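
Added example, not part of the message above and not code from Evan's site or the syslog-ng project: a Python sketch of the prefix scheme the message describes, with the sender-side wrapping and the receiver-side split back into a per-vhost file name plus the untouched Apache line. The exact message layout, the YYYYMMDD datestamp and the function names are assumptions; the vhost check is there because that field arrives over the network and ends up in a file name on the central server.

```python
import re
from datetime import date

# Assumed layout, built from the prefixes described in the message:
#   "<kind>: <vhost>: <original apache line>"
PREFIX = re.compile(r"^(access|error): ([^:\s]+): (.*)$", re.DOTALL)

# Only DNS-style labels are accepted, so "/", ".." and empty labels
# can never reach the file name built on the receiving side.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
VHOST = re.compile(rf"^(?=.{{1,253}}$){LABEL}(?:\.{LABEL})*$")


def wrap(kind, vhost, line):
    """Sender side: message body the piped script would hand to syslog."""
    return f"{kind}: {vhost}: {line}"


def route(msg, day):
    """Receiver side: return (file_name, original_line), or None to reject."""
    m = PREFIX.match(msg)
    if m is None:
        return None                      # not one of our prefixed messages
    kind, vhost, line = m.groups()
    vhost = vhost.lower()
    if VHOST.match(vhost) is None:
        return None                      # unsafe or malformed vhost field
    # Hypothetical naming: <kind>_<vhost>_<YYYYMMDD>
    return f"{kind}_{vhost}_{day:%Y%m%d}", line


# Constructed sample lines (documentation address range, not real traffic).
ACCESS = '192.0.2.10 - - [07/May/2018:19:51:52 +0000] "GET / HTTP/1.1" 200 2326'
ERROR = "[Mon May 07 19:51:52 2018] [error] File does not exist: /var/www/x"

if __name__ == "__main__":
    day = date(2018, 5, 7)
    for kind, line in (("access", ACCESS), ("error", ERROR)):
        print(route(wrap(kind, "site.fqdn.name", line), day))
    print(route("access: ../../etc/cron.d/x: payload", day))  # rejected
```

Rejected messages are best written to a separate catch-all file so that a malformed or spoofed prefix is visible rather than silently dropped.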


