[rsyslog] rsyslog with apache and per vhost log

Rainer Gerhards rgerhards at hq.adiscon.com
Thu Mar 20 16:09:24 CET 2008


Should work with fields (much faster). I can't try it out due to relp
work, but try:

%msg:F,32:2%  [32 is USASCII SP, the delimiter here]

But maybe %msg:F,32:1% - you need to experiment a bit. In any case, that
should work...

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Maurizio Rottin
> Sent: Thursday, March 20, 2008 3:59 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog with apache and per vhost log
> 
> yes! but actually there is a space at the beginning and hostname can
> contain the dash -, numbers, and letters.
> 
> 2008/3/20, Rainer Gerhards <rgerhards at hq.adiscon.com>:
> > Let me try to avoid the regexp (its expensive and I can not debug it
> now
> >  ;)): so you search for the string that is at the start of the msg
> and
> >  delimited by the first space?
> >
> >
> >
> >  Rainer
> >  > -----Original Message-----
> >  > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >  > bounces at lists.adiscon.com] On Behalf Of Maurizio Rottin
> >
> > > Sent: Thursday, March 20, 2008 3:47 PM
> >  > To: rsyslog-users
> >  > Subject: Re: [rsyslog] rsyslog with apache and per vhost log
> >  >
> >
> > > 2008/3/20, Rainer Gerhards <rgerhards at hq.adiscon.com>:
> >  > > Can you send me a handful of the logline to play with? Probably
> not
> >  > this
> >  > >  week, but next...
> >  > >
> >  >
> >  >  www.mysite.com 192.168.242.2 [20/Mar/2008:15:41:10 +0100] "GET
> >  > /images/wm001.jpg HTTP/1.1" 304 -
> "http://www.mysite.com/webmail.htm"
> >  > "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13)
> Gecko/20060607"
> >  >
> >  > i'm trying to use the regexp but with no success in this way:
> >  > $template MsgFormat,"%msg%\n"
> >  > $template ApacheRemoteCustom,"/var/log/apachelog/%msg:R:^\
> >  > [a-z,\.]*--end%_az.log"
> >  > local6.info -?ApacheRemoteCustom;MsgFormat
> >  >
> >  > from the documentation: "the property replacer will return the
> part of
> >  > the property text that matches the regular expression" which
> should be
> >  > " www.mysite.com"
> >  > but i get a file named _az.log
> >  >
> >  > --
> >  > mr
> >
> > > _______________________________________________
> >  > rsyslog mailing list
> >  > http://lists.adiscon.net/mailman/listinfo/rsyslog
> >  _______________________________________________
> >  rsyslog mailing list
> >  http://lists.adiscon.net/mailman/listinfo/rsyslog
> >
> 
> 
> --
> mr
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog



More information about the rsyslog mailing list