Re: Centralized logging.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

It was thus said that the Great Ray Van Dolson once stated:
> On Thu, Apr 08, 2010 at 02:18:28PM -0700, Jason Nunnelley wrote:
> > I'm using syslog-ng. It does the job.
> > 
> > A nice little rsync script is nice, but you're still storing log files 
> > on the individual servers until you run some rsync and delete script. 
> > This can be risky if resources are limited or machines are ephemeral.
> > 
> > NFS has its own issues as well. You've got to ask yourself "What's my 
> > plan B" and write that into your logging config/scripts.
> 
> Thanks Jason.  We're using syslog-ng as well.
> 
> So how exactly are you implementing this?  Apache procs piping to a
> perl process which shunts things out to your syslog server?

  I just tested this, and if you are on a Unix-like system, see if you have
the logger program.  This is working for me:

<VirtualHost [fc00::1:3]:80>
        ServerName      lua.roswell.area51
        ServerAdmin     sean@xxxxxxxxxx
        DocumentRoot    /home/spc/web/lua/htdocs
        CustomLog       "|/usr/bin/logger" combined
        ErrorLog        syslog:daemon
        LogLevel        debug

	# ... 
</VirtualHost>

What gets logged is (and this is using a custom syslogd I wrote, so if the
format looks a bit odd to you, that's why):

/dev/log | logger | user   notice | Apr 08 20:55:18 | ::1 - - [08/Apr/2010:20:55:18 -0400] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
/dev/log | logger | user   notice | Apr 08 20:55:38 | ::1 - - [08/Apr/2010:20:55:38 -0400] "GET /quot.html HTTP/1.1" 404 207 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
/dev/log | logger | user   notice | Apr 08 20:55:43 | ::1 - - [08/Apr/2010:20:55:43 -0400] "GET /quote.html HTTP/1.1" 200 395 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
/dev/log | logger | user   notice | Apr 08 20:55:43 | ::1 - - [08/Apr/2010:20:55:43 -0400] "GET /quote.css HTTP/1.1" 200 177 "http://lua.roswell.area51/quote.html"; "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"

> Do you do any post/pre-processing for timestamp duplication?  We want
> to try and have the logs on the syslog server look exactly like they
> did on the origin server (ie no syslog timestamps, no syslog
> facility/priority stuff and no "hostname").

  I don't use syslog-ng, so I can't say for sure, but since the actual
Apache logline is logged, it looks like it would be easy to strip the syslog
specific stuff and use just the Apache generated data.

  -spc 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux