[rsyslog] Apache logs to rsyslog, transmit over network and create a local file

Ben Bradley bbradleyuk at gmail.com
Tue Jan 8 17:15:11 CET 2013


I don't think Apache supports multiple ErrorLog directives. At least it doesn't work for me.
Access log works though with multiple CustomLog directives.

Does this place any additional per-request load on Apache that is better performed by rsyslog though?
Or is it negligable?

It seems the general advice seems to be to have Apache go to syslog and then let the syslog daemon send the log messages to multiple locations.

Another way I've seen it done is have Apache log to a Perl script, which in turn sends it to a file and also syslog. But that seems a bit flaky to me.

Is there any way to do this within rsyslog?

Cheers


On Tue, 8 Jan 2013 13:24:48 +0100
ar at xlrs.de wrote:

> Hi Ben,
> 
> You can define multiple access/error log files in your vhost configuration. 
> 
> Just write a second (local path) destination as you would do usually.
> 
> Von meinem Android-Gerät gesendet.
> 
> 
> 
> -----Original Message-----
> From: Ben Bradley <bbradleyuk at gmail.com>
> To: rsyslog at lists.adiscon.com
> Sent: Mo., 07 Jan 2013 18:36
> Subject: [rsyslog] Apache logs to rsyslog, transmit over network and create a local file
> 
> Hi everyone
> 
> I'm still getting my head around the configuration of rsyslog and Apache and I need some help. I think I'm getting a bit confused by the different config syntaxes that are referred to around the documentation.
> 
> On my webservers I'd like to keep a local copy of the Apache logs and send them over the network to a centralised server.
> I've been testing this using the imfile plugin and manually setting up each Apache log file that I want to watch. It works but it's not ideal.
> 
> On the advice of helpful people here and in IRC, I've got test Apache vhosts now logging to the logger binary like so...
> CustomLog "|/usr/bin/logger -p local0.info -t apache-access[vhost.domain.com]" combined
> Rsyslog receiving those from logger and sending this over the network to logstash, so far so good.
> 
> But I'm trying to get rsyslog to also write a local copy of the logs for each vhost before they are sent over the network. In the same way that Apache normally does logging.
> 
> I've followed Axel's response to a thread I started a few weeks ago...
> http://permalink.gmane.org/gmane.comp.sysutils.rsyslog/8066
> I really like the concept of Apache overriding the pid with the vhost, then rsyslog can write a log file using that procid (vhost). It's a really elegant solution.
> 
> But I'm having some trouble implementing this in rsyslog v7.2.4-1 (CentOS) from the repo.
> 
> Here's my full rsyslog.conf. I'm not using rsyslog.d/*.conf files yet but will do once I've got this working.
> http://pastebin.com/MP0XtZrG
> 
> Lines 37-44 are what I'm having trouble with.
> I believe this should write my logs to a vhost-specific log file but it doesn't seem to be working.
> 
> 
> Do I need to re-arrange the order of my config?
> 
> Should I actually be using the new-style syntax?
> 
> Is there an example anywhere of the default config file fully translated to the new-style syntax?
> 
> If rsyslog fails for any reason then I won't have any Apache logs. Should that be a concern?
> 
> 
> Cheers, Ben
> 
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.



More information about the rsyslog mailing list