[rsyslog] Apache logs to rsyslog, transmit over network and create a local file

Ben Bradley bbradleyuk at gmail.com
Mon Jan 7 18:35:51 CET 2013


Hi everyone

I'm still getting my head around the configuration of rsyslog and Apache and I need some help. I think I'm getting a bit confused by the different config syntaxes that are referred to around the documentation.

On my webservers I'd like to keep a local copy of the Apache logs and send them over the network to a centralised server.
I've been testing this using the imfile plugin and manually setting up each Apache log file that I want to watch. It works but it's not ideal.

On the advice of helpful people here and in IRC, I've got test Apache vhosts now logging to the logger binary like so...
CustomLog "|/usr/bin/logger -p local0.info -t apache-access[vhost.domain.com]" combined
Rsyslog receiving those from logger and sending this over the network to logstash, so far so good.

But I'm trying to get rsyslog to also write a local copy of the logs for each vhost before they are sent over the network. In the same way that Apache normally does logging.

I've followed Axel's response to a thread I started a few weeks ago...
http://permalink.gmane.org/gmane.comp.sysutils.rsyslog/8066
I really like the concept of Apache overriding the pid with the vhost, then rsyslog can write a log file using that procid (vhost). It's a really elegant solution.

But I'm having some trouble implementing this in rsyslog v7.2.4-1 (CentOS) from the repo.

Here's my full rsyslog.conf. I'm not using rsyslog.d/*.conf files yet but will do once I've got this working.
http://pastebin.com/MP0XtZrG

Lines 37-44 are what I'm having trouble with.
I believe this should write my logs to a vhost-specific log file but it doesn't seem to be working.


Do I need to re-arrange the order of my config?

Should I actually be using the new-style syntax?

Is there an example anywhere of the default config file fully translated to the new-style syntax?

If rsyslog fails for any reason then I won't have any Apache logs. Should that be a concern?


Cheers, Ben



More information about the rsyslog mailing list