For anyone wanting to duplicate this set up (it seems smart to me though it does have its issues):
Unix Apache:
LogFormat "%h %u \"%r\" %>s %b %T \"%{Referer}i\" \"%{User-agent}i\"" remote
CustomLog "|/usr/bin/logger -p local7.info -t apache " remote
and set up local7 to forward to your central syslog server. I tried using the syslog module but wasn't pleased; this pipe is better, though I'm sure slightly more "expensive".
Windows Apache:
Needs the Kiwi Logger product with the CLI; then in httpd.conf add these two lines:
LogFormat "%h %u \"%r\" %>s %b %T \"%{Referer}i\" \"%{User-agent}i\"" remote
CustomLog '|c:/Progra~1/KLOG/KLOGCO~1/klog/klog.exe -h syslogsvr -F local7 -r winapache -l 7 -i' remote
For Windows IIS:
1. install Snare system-event log to syslog service & configure as you like it
2. install Snare IIS syslog service & configure for your syslogsvr local7
Set logging to W3CV, log daily. I like these stats:
client IP
username
method
URI stem
URI query
Protocol status
Bytes sent
Time Taken
user agent
referer
Then on the syslog server I am running syslog-ng. This is its web (local7) configuration:
destination r_apache { file ("/weblogs/apache/$YEAR/$MONTH/combined.$YEAR$MONTH.log" template("$FULLDATE $HOST $MSG\n") template-escape(yes) ); };
log { source (s_local); filter (f_local7); destination (r_apache); };
log { source (s_udp); filter (f_local7); destination (r_apache); };
log { source (net); filter (f_local7); destination (r_apache); };
And finally my analog configuration:
DEBUG ON
WARNINGS ON
CASE INSENSITIVE
REQUEST ON
DIRFLOOR 100r
DIRSORTBY REQUESTS
MONTHLY ON
DIRECTORY ON
HOST ON
DOMAIN ON
HOSTEXCLUDE 10.10.3.
FAILURE ON
REFERER ON
ALLGRAPH P
BARSTYLE E
SUBDIRFLOOR 100r
SUBDIRSORTBY REQUESTS
FILEALIAS /nwo/* /$1
HOSTNAME web1
HOSTURL http://testweb.localtest.test
LANGUAGE US-ENGLISH
# ignore IISWebLog comments
LOGFORMAT (%Y %M %d %h:%n:%j %j IISWebLog\t%j\t#%j)
# Cisco junk..
LOGFORMAT (%Y %M %W%d %h:%n:%j cisco_%j)
# unix Apache
LOGFORMAT (%Y %M %W%d %h:%n:%j] %S %u \\"%j %r %j\\" %c %b %T \\"%f\\" \\"%B\\")
# Windows Apache
LOGFORMAT (%Y %M %W%d %h:%n:%j %j %j %S %u \\"%j %r %j\\" %c %b %T \\"%f\\" \\"%B\\")
# IIS
LOGFORMAT (%Y %M %W%d %h:%n:%j %j-%j-%j %j:%j:%j %j %r %q %j %S %A %f %c %b %T)
LOGFILE /weblogs/apache/%Y/%M/combined.%Y%M.log
IMAGEDIR /systems/webreports/images/
OUTFILE /web/www/systems/webreports/%Y/%M/index.html
It's not perfect. I don't like how the quotes show up with escapes in the logs since I changed the syslog-ng configuration to a custom template that adds the year instead of the default template. I might change it to brackets or something.
Also, every once in a while there is a really long URL+query string that runs past the limit of the syslog-ng (or syslog?) message window and gets marked as a corrupt line. 17 so far this month. That bugs me most of all.
On 9/10/06, Aengus <[EMAIL PROTECTED]> wrote:
On Friday, September 08, 2006 11:24 AM [EDT],
kjc <[EMAIL PROTECTED]> wrote:
>> APACHEDEFAULTLOGFORMAT (%M %d %Y %h:%n:%j] %S %u \"%r\" %c %b %T
>> \"%f\" \"%B\")
Why are you using the APACHELOGFORMAT command when you're not using Apache's
logformat syntax? That's the only reason APACHELOGFORMAT exists - to save
people having to translate the syntax from their Apache conf files to their
analog.cfg files.
LOGFORMAT (%M %d %Y %h:%n:%j] %S %u "%j %r %j" %c %b %T "%f" "%B")
will parse your logfile properly.
Aengus
+------------------------------------------------------------------------
| TO UNSUBSCRIBE from this list:
| http://lists.meer.net/mailman/listinfo/analog-help
|
| Analog Documentation: http://analog.cx/docs/Readme.html
| List archives: http://www.analog.cx/docs/mailing.html#listarchives
| Usenet version: news://news.gmane.org/gmane.comp.web.analog.general
+------------------------------------------------------------------------
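The corrupt-line problem kjc describes above (long URL+query strings cut off at the syslog message limit) is worth measuring on its own, because a truncated record is exactly the request whose full URI you no longer have centrally. Below is an added example, not code from either poster, that parses lines in the file format their syslog-ng template produces ("$FULLDATE $HOST $MSG" with template-escape(yes), so Apache's quotes arrive as \") and counts how many rejected lines look truncated; the sample lines are constructed, and the optional "apache:" tag and the field layout are assumptions about that setup.

```python
import re
from typing import Dict, List, Optional

# One line as syslog-ng writes it with the post's template: FULLDATE, the
# sending host, then the Apache "remote" LogFormat fields with every quote
# escaped as \". The optional "apache:" tag is an assumption (it depends on
# whether the logger -t tag is kept in $MSG by the syslog-ng version in use).
LINE_RE = re.compile(
    r'^(?P<ts>\d{4} [A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<loghost>\S+) '
    r'(?:apache: )?(?P<client>\S+) (?P<user>\S+) \\"(?P<request>.*?)\\" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<secs>\d+) '
    r'\\"(?P<referer>.*?)\\" \\"(?P<agent>.*?)\\"$'
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one forwarded Apache record, or None when the line does not
    match (the case analog reports as a corrupt line)."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None

def looks_truncated(line: str) -> bool:
    """A record cut short by the syslog message limit leaves an opening \"
    without its partner, so an odd number of escaped quotes is the tell."""
    return line.count(r'\"') % 2 == 1

def summarize(lines: List[str]) -> Dict[str, int]:
    """Count parsed, corrupt and apparently truncated lines; the truncated
    ones are the requests whose full URI+query survives only on the origin
    server's local log, if anywhere."""
    counts = {"parsed": 0, "corrupt": 0, "truncated": 0}
    for line in lines:
        if parse_line(line):
            counts["parsed"] += 1
        else:
            counts["corrupt"] += 1
            if looks_truncated(line):
                counts["truncated"] += 1
    return counts

# Constructed sample lines; the last is cut mid-query to imitate a record
# that overflowed the syslog message window.
SAMPLE_LINES = [
    r'2006 Sep 10 14:02:17 web1 10.10.3.55 - \"GET /index.html HTTP/1.1\" 200 5120 0 \"-\" \"Mozilla/4.0 (compatible)\"',
    r'2006 Sep 10 14:02:19 web1 192.0.2.8 bob \"POST /login HTTP/1.1\" 302 - 1 \"http://testweb.localtest.test/\" \"curl/7.15\"',
    r'2006 Sep 10 14:03:01 web1 192.0.2.9 - \"GET /search?q=' + "A" * 40,
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))  # {'parsed': 2, 'corrupt': 1, 'truncated': 1}
```

Run it over the monthly combined.$YEAR$MONTH.log instead of SAMPLE_LINES to see whether the corrupt count analog reports is made up of truncated records or of lines the LOGFORMAT simply does not cover.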