Working Apache and Rsyslog configuration

From rsyslog wiki

Jump to: navigation, search

[edit] Working Apache and Rsyslog configuration

Post by hkspvt on Tue Jul 08, 2008 9:46 pm

This is just a quick howto for anyone who might want to configure Apache to log to rsyslog. There are other ways to do it (set rsyslog to read in from a file), but this is my preferred method.

Background Apache maintains its own error and access logs. These are fine for some installations, but lack a lot as the complexity/criticality of an environment increases.

How to First step is to decide what facility you'll be logging to. I decided to log access to local6 and errors to local7 for a few reasons:
- I want to keep access and error logs separate
- I want to leave room for debugging Apache (ie, setting the loglevel in httpd.conf to debug) without mixing the two
- Apache's interaction with syslog isn't particularly well documented

Apache's error logs are very easy to point at syslog with the ErrorLog directive: ErrorLog syslog:local7

The access logs are a bit trickier. They don't have a built-in syslog function, but do accept pipes. A quick perl script based off of O'Reilly's article (http://www.oreillynet.com/pub/a/sysadmin/2006/10/12/httpd-syslog.html) and installed in /usr/local/sbin/apache_syslog does the trick: 

==Code: select all==


#!/usr/bin/perl
use Sys::Syslog qw (:DEFAULT setlogsock);


setlogsock('unix');


# open our log socket
openlog('httpd', 'pid', 'local6');


# log all our input
while (<STDIN>) {
       syslog('info', $_);
}


# close the log socket
closelog;

Now you can point your access logs at it with the CustomLog directive in httpd.conf (combined refers to the format - use common if you're unsure): CustomLog |/usr/local/sbin/apache_syslog combined


Now for rsyslog.conf. It's possible that other applications are logging under the local6 and local7 facilities, so we want to log based on both facility and program name. Moreover, having these logs included in multiple places would not be good, so we'll just dump them after we've pulled them out. 

==Code: Select all==
if $syslogfacility-text == 'local6' and $programname == 'httpd' then /var/log/httpd-access.log
if $syslogfacility-text == 'local6' and $programname == 'httpd' then ~
if $syslogfacility-text == 'local7' and $programname == 'httpd' then /var/log/httpd-error.log
if $syslogfacility-text == 'local7' and $programname == 'httpd' then ~

Restart rsyslog, then restart Apache, and that's it.

Hopefully that's a help to someone. -HKS

Retrieved from "http://wiki.rsyslog.com/index.php/Working_Apache_and_Rsyslog_configuration"


Personal tools
language