On 08/04/11 12:20, david@xxxxxxx wrote:
On Thu, 7 Apr 2011, Osmany Goderich wrote:
-----Mensaje original-----
De: david@xxxxxxx [mailto:david@xxxxxxx]
Enviado el: Tuesday, April 05, 2011 11:13 PM
Para: osmany@xxxxxxxxxxxxx
CC: squid-users@xxxxxxxxxxxxxxx
Asunto: Re: Fwd: squid 3.1 to export access_log to rsyslog
On Tue, 5 Apr 2011, osmany@xxxxxxxxxxxxx wrote:
I have this in my rsyslog.conf file:
$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging
$ModLoad imklog.so # kernel logging
$WorkDirectory /rsyslog/spool # where to place spool files
$ActionQueueFileName uniqName # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
squid.* @@10.25.1.20:2001
*.err;kern.warning;auth.notice;mail.crit /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err
/var/log/message
squid.*
/usr/local/squid/var/logs/access.log
I'm sure that the configuration on the rsyslog remote server is fine
because
it's receiving logs successfully from other servers (other services).
I know this is actually going out of subject because this is a squid
mailing
list, but I'm sure some of you have run to a similar problem so I
figured to
keep asking you. Can you please keep helping me to solve this?
Ok, the problem is that 'squid' is not something that syslog knows
about, so you can't say 'squid.*'
if you just log *.* I beleive that you will see that you are receiving
(and forwarding) the squid logs, but that may be more logs than you want
to do that with.
IIRC there are 14-16 'facilities' that syslog knows about
in the squid.conf
instead of saying
access_log syslog squid
say
access_log syslog:local2 squid
and then in rsyslog try
local2.*
as your filter and see how that works.
most examples use 'local0', but exactly because of that I try to avoid
using local0 and use one of the other ones.
David Lang
It's good to be aware of the defaults as well.
A facility is pretty much required. If unset the log details show up at
whatever default the OS has. Which can be the kernel-level priority on
some systems. Very annoying.
If unset the priority used in "info"
So this
access_log syslog:local2 squid
is the same as this:
access_log syslog:local2.info squid
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.6
