[syslog-ng] Best way to pipe "application" logs to central syslog-ng server.

Evan Rempel erempel at uvic.ca
Mon May 7 19:51:52 UTC 2018

We write all of our apache logs to an application

ErrorLog "|/path/to/our/script site.fqdn.name error"

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "|/path/to/our/script site.fqdn.name access" common

This script just writes the log line to syslog via script specific syslog API with an application name of httpd
and a line prefix of

access: site.fqdn.name:
error: site.fqdn.name:

This allows the receiving end (central syslog server) to strip off the header and recreate files specific to each virtual host


And these destination files will have the EXACT content that apache would have logged to disk on the source server.

This permits us to feed web analytic tools in real time and provide them the exact source logs that these tools

Works for us.


On 05/07/2018 08:58 AM, Gergely Nagy wrote:
>>>>>> "Delon" == Delon Lee Di Lun <lee.delon2005 at gmail.com> writes:
>      Delon> In response to gergely, the 2nd option would require the changes to be made
>      Delon> on the "apache side" of things right? If so, its unlikely possible in my
>      Delon> use case.
> No, you can do that with rsyslog and syslog-ng too. Both allow you to
> tinker with the syslog headers.
> Ideally, changing the Apache-generated log format to conform to a syslog
> RFC would be ideal, but I understand that's not something most are
> willing - or able/allowed - to make. So the next best option is to
> fiddle with the syslog fields on the syslog side of things.

More information about the syslog-ng mailing list