Greetings List,

I have configured Apache to log remotely to an rsyslog machine and while it works perfectly, I am having a strange issue that I am not sure how to get around. The problem is that the access logs from the Apache machine are creating log entries in the /var/log/%HOSTNAME%/messages file in addition to the domain logs.

The web server is running a custom-built GRSec kernel and while I am pretty sure I _see_ what the problem is, I am not sure of the best way to correct it. On the web server, the log directives are set as below:

    ErrorLog "|/usr/bin/logger -p local7.err -t error_domain.com"
    CustomLog "|/usr/bin/logger -p local6.info -t domain.com " "combined"

Rsyslog.conf on the web server contains the below:

    local6.info @@127.0.0.1:61514
    local7.err @@127.0.0.1:61514
    *.* @@127.0.0.1:61514

(using stunnel for the connection)

Below is the server's rsyslog.conf:

    $AllowedSender UDP, 127.0.0.1, 10.32.1.81/29
    $AllowedSender TCP, 127.0.0.1, 10.32.1.81/29
    # The authpriv file has restricted access.
    $template DynAuth, "/var/log/%HOSTNAME%/secure.log"
    # Log anything (except mail and cron) of level info or higher.
    $template DynMSG, "/var/log/%HOSTNAME%/messages"
    # Log all the mail messages in one place.
    $template Dynmail, "/var/log/%HOSTNAME%/maillog"
    # Log cron stuff
    $template Dyncron,"/var/log/%HOSTNAME%/cron"
    # Save news errors of level crit and higher in a special file.
    $template Dynspool, "/var/log/%HOSTNAME%/spooler"
    # Save boot messages also to boot.log
    $template Dynboot, "/var/log/%HOSTNAME%/boot.log"
    $template ApacheRemoteCustom, "/var/log/%HOSTNAME%/Apache/access.log"
    local6.info -?ApacheRemoteCustom
    $template ApacheRemoteErr, "/var/log/%HOSTNAME%/Apache/error.log"
    local7.err -?ApacheRemoteErr
    authpriv.* ?DynAuth
    *.info,mail.none,authpriv.none,cron.none ?DynMSG
    #mail.none,authpriv.none,cron.none ?DynMSG
    mail.* -?Dynmail
    cron.* ?Dyncron
    news.crit ?Dynspool

Now, as noted, the logging works perfectly fine, but the page accesses are creating 2 entries. One is in the messages file, one is in the intended log file. Based on the configuration file, this looks to be due to the line:

    *.info,mail.none,authpriv.none,cron.none ?DynMSG

But the problem is that if I comment that line out or remove *.info, I no longer get the GRSec messages which I very much need for debugging purposes.

Any advice on this would be a great deal of assistance as rsyslog is completely new to me.

Thank you!

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
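
Added example, not part of the original post and not rsyslog's own code: a small Python model of classic selector matching (facility.priority matches that priority or higher, `none` excludes a facility, the last term naming a facility wins), run over the server rules quoted above to show why an access-log line lands in two files. The `local6.none,local7.none` terms in `ADJUSTED`, the treatment of GRSec messages as `kern` facility, and splitting the catch-all line on commas are assumptions made for illustration.

```python
# Model of syslog selector matching applied to the server rules from the post.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def term_matches(term, facility, severity):
    """True/False if this term decides the message, None if it names another facility."""
    fac, prio = term.strip().split(".")
    if fac not in ("*", facility):
        return None
    if prio == "none":
        return False
    if prio == "*":
        return True
    # "info" means info or anything more severe (earlier in SEVERITIES).
    return SEVERITIES.index(severity) <= SEVERITIES.index(prio)

def selector_matches(selector, facility, severity):
    decision = False
    # Assumption: every comma/semicolon-separated term is a full facility.priority pair.
    for term in selector.replace(",", ";").split(";"):
        result = term_matches(term, facility, severity)
        if result is not None:
            decision = result  # the last applicable term wins
    return decision

def route(rules, facility, severity):
    """Every rule is evaluated, so one message can be written to several files."""
    return [target for sel, target in rules if selector_matches(sel, facility, severity)]

ORIGINAL = [
    ("local6.info", "Apache/access.log"),
    ("local7.err", "Apache/error.log"),
    ("authpriv.*", "secure.log"),
    ("*.info,mail.none,authpriv.none,cron.none", "messages"),
    ("mail.*", "maillog"),
    ("cron.*", "cron"),
    ("news.crit", "spooler"),
]

# Assumed adjustment: keep *.info but exclude the two Apache facilities from it.
ADJUSTED = [(sel + ",local6.none,local7.none" if target == "messages" else sel, target)
            for sel, target in ORIGINAL]

if __name__ == "__main__":
    # Constructed sample messages: Apache access, Apache error, kernel (GRSec, assumed).
    for fac, sev in [("local6", "info"), ("local7", "err"), ("kern", "info")]:
        print(fac, sev, route(ORIGINAL, fac, sev), "->", route(ADJUSTED, fac, sev))
```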

