[syslog-ng] Best way to pipe "application" logs to central syslog-ng server.

Gergely Nagy algernon at balabit.com
Wed May 9 10:49:38 UTC 2018


>>>>> "Delon" == Delon Lee Di Lun <lee.delon2005 at gmail.com> writes:

    Delon> Possible to whip up a sample config?
    Delon> Might clear things up?

This is a slightly different solution, but should work nevertheless:

Client:

@version: 3.15

source s_apache_logs {
 wildcard-file(
   base-dir("/var/log/apache")
   filename-pattern("www.*")
   flags(no-parse)
 );
};

destination d_central {
  network("1.2.3.4" template("$(basename ${FILE_NAME}),${MSG}\n"));
};

log { source(s_apache_logs); destination(d_central); };

Server:

@version: 3.15

source s_net {
  # a network() source takes its listen address via ip(), not positionally
  network(ip("1.2.3.4") flags(no-parse));
};

parser p_apache {
  csv-parser(
    columns("apache.FILE_NAME", "apache.MESSAGE")
    flags(greedy)
  );
};

destination d_central_apache {
  file("/var/log/apache/${apache.FILE_NAME}"
       template("${apache.MESSAGE}\n"));
};

log { source(s_net); parser(p_apache); destination(d_central_apache); };

------------ * --------------

The idea here is that on the client, we read the apache logs as-is, and
forward them with the filename prepended. On the server side, we split
the message into filename and message, and use the first part to
determine which file to save the message to. Then we write the rest of
the line to that file.

This way you'll end up with the same contents on both sides, in files
that have the same name (but perhaps different path, that part is up to
you).

Hope this helps.

-- 
|8]
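
The server config above builds the destination path from a field received over the network, so the name is worth validating on the server instead of relying on the client's $(basename). A hardened variant of the server side follows, as an added example that is not part of the original post; the filter name, the allowed character set and the reject-file path are assumptions.

```conf
@version: 3.15

source s_net {
  network(ip("1.2.3.4") flags(no-parse));
};

parser p_apache {
  csv-parser(
    columns("apache.FILE_NAME", "apache.MESSAGE")
    flags(greedy)
  );
};

# Assumed naming policy: "www." followed by dot-separated labels made of
# letters, digits, "_" and "-". No "/" can match, and no empty label, so
# neither an absolute path nor a ".." component gets through.
filter f_apache_name_ok {
  match('^www[.][A-Za-z0-9_-]+([.][A-Za-z0-9_-]+)*$'
        value("apache.FILE_NAME") type("pcre"));
};

destination d_central_apache {
  file("/var/log/apache/${apache.FILE_NAME}"
       template("${apache.MESSAGE}\n")
       create-dirs(no));
};

# Hypothetical reject file: lines with a missing or unexpected name are
# kept here for review instead of being written under /var/log/apache.
destination d_rejected {
  file("/var/log/apache-rejected.log" template("${MSG}\n"));
};

log {
  source(s_net);
  parser(p_apache);
  filter(f_apache_name_ok);
  destination(d_central_apache);
};

# Fallback path: receives only what the log path above did not accept.
log { source(s_net); destination(d_rejected); flags(fallback); };
```

Running `syslog-ng --syntax-only -f <file>` checks the config before it is loaded.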

