[rsyslog] Duplicate log entries with Apache+rsyslog
tronyx at tronyx.networkgimps.com
Thu Dec 10 15:02:58 CET 2009

Greetings List,

I have configured Apache to log remotely to an rsyslog machine and
while it works perfectly, I am having a strange issue that I am not
sure how to get around. The problem is that the access logs from the
Apache machine are creating log entries in the
/var/log/%HOSTNAME%/messages file in addition to the domain logs.

The web server is running a custom built GRSec kernel and while I am
pretty sure I _see_ what the problem is, I am not sure of the best way
to correct it.

On the web server, the log directives are set as below:

ErrorLog "|/usr/bin/logger -p local7.err -t error_domain.com"
CustomLog "|/usr/bin/logger -p local6.info -t domain.com " "combined"

Rsyslog.conf on the web server contains the below:

local6.info @@127.0.0.1:61514
local7.err @@127.0.0.1:61514
*.* @@127.0.0.1:61514

(using stunnel for the connection)

Below is the server's rsyslog.conf:

$AllowedSender UDP, 127.0.0.1, 10.32.1.81/29
$AllowedSender TCP, 127.0.0.1, 10.32.1.81/29
# The authpriv file has restricted access.
$template DynAuth, "/var/log/%HOSTNAME%/secure.log"
# Log anything (except mail and cron) of level info or higher.
$template DynMSG, "/var/log/%HOSTNAME%/messages"
# Log all the mail messages in one place.
$template Dynmail, "/var/log/%HOSTNAME%/maillog"
# Log cron stuff
$template Dyncron,"/var/log/%HOSTNAME%/cron"
# Save news errors of level crit and higher in a special file.
$template Dynspool, "/var/log/%HOSTNAME%/spooler"
# Save boot messages also to boot.log
$template Dynboot, "/var/log/%HOSTNAME%/boot.log"
$template ApacheRemoteCustom, "/var/log/%HOSTNAME%/Apache/access.log"
local6.info -?ApacheRemoteCustom
$template ApacheRemoteErr, "/var/log/%HOSTNAME%/Apache/error.log"
local7.err -?ApacheRemoteErr
authpriv.* ?DynAuth
*.info,mail.none,authpriv.none,cron.none ?DynMSG
#mail.none,authpriv.none,cron.none ?DynMSG
mail.* -?Dynmail
cron.* ?Dyncron
news.crit ?Dynspool

Now, as noted, the logging works perfectly fine, but the page accesses
are creating 2 entries. One is in the messages file, one is in the
intended log file.

Based on the configuration file, this looks to be due to the line:

*.info,mail.none,authpriv.none,cron.none ?DynMSG

But the problem is that if I comment that line out or remove *.info, I
no longer get the GRSec messages which I very much need for debugging
purposes.

Any advice on this would be a great deal of assistance as rsyslog is
completely new to me. Thank you!
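
Added example (not part of the original post, and not rsyslog's own code): a simplified Python model of selector matching that runs the server rules quoted above against an Apache access message, an Apache error message and a kernel message, then against a hypothetical variant of the DynMSG rule with "local6.none;local7.none" appended. The names matches, destinations and exclude_from, and the use of kern.alert as a stand-in for a GRSec message, are assumptions of the example.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def matches(selector, facility, severity):
    """Simplified model of a traditional syslog selector (not rsyslog's parser).
    Terms apply left to right: "fac.pri" selects pri and anything more severe,
    "fac.none" excludes the facility, "*" is a wildcard. The "=" and "!"
    modifiers are not modelled. Assumption: "," and ";" both separate terms,
    so that the DynMSG rule can be read exactly as posted.
    """
    selected, pending = False, []
    for token in re.split(r"[;,]", selector):
        if "." not in token:          # facility list such as "mail,news.info"
            pending.append(token)
            continue
        fac, pri = token.split(".", 1)
        facs, pending = pending + [fac], []
        if facility not in facs and "*" not in facs:
            continue
        selected = pri != "none" and (
            pri == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(pri))
    return selected

# Selector -> template name, copied from the server's rsyslog.conf in the post.
SERVER_RULES = [
    ("local6.info", "ApacheRemoteCustom"),
    ("local7.err", "ApacheRemoteErr"),
    ("authpriv.*", "DynAuth"),
    ("*.info,mail.none,authpriv.none,cron.none", "DynMSG"),
    ("mail.*", "Dynmail"),
    ("cron.*", "Dyncron"),
    ("news.crit", "Dynspool"),
]

def destinations(rules, facility, severity):
    """Return every template a message is written to; one match does not stop the next."""
    return [dest for sel, dest in rules if matches(sel, facility, severity)]

def exclude_from(rules, dest, facilities):
    """Hypothetical variant: append fac.none terms to the rule feeding `dest`."""
    extra = "".join(f";{fac}.none" for fac in facilities)
    return [(sel + extra if d == dest else sel, d) for sel, d in rules]

if __name__ == "__main__":
    variant = exclude_from(SERVER_RULES, "DynMSG", ["local6", "local7"])
    # kern.alert is an assumed stand-in for a GRSec kernel message.
    for fac, sev in [("local6", "info"), ("local7", "err"), ("kern", "alert")]:
        print(fac, sev, destinations(SERVER_RULES, fac, sev), destinations(variant, fac, sev))
```

In the variant, local7 messages less severe than err (for example local7.warning) are written to no file at all, because local7.err is then the only rule that accepts that facility.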