On Thu, 10 Dec 2009, [email protected] wrote:

> Greetings List,
>
> I have configured Apache to log remotely to an rsyslog machine and
> while it works perfectly, I am having a strange issue that I am not
> sure how to get around. The problem is that the access log from the
> Apache machine are creating log entries in the
> /var/log/%HOSTNAME%/messages file in addition to the domain logs.
>
> The web server is running a custom built GRSec kernel and while I am
> pretty sure I _see_ what the problem is, I am not sure of the best way
> to correct it.
>
> On the web server, the log directives are set as below:
>
> ErrorLog "|/usr/bin/logger -p local7.err -t error_domain.com"
> CustomLog "|/usr/bin/logger -p local6.info -t domain.com " "combined"
>
> Rsyslog.conf on the web server contains the below:
>
> local6.info @@127.0.0.1:61514
> local7.err @@127.0.0.1:61514

here you are saying to send the logs of this type to the local server port
61514

> *.* @@127.0.0.1:61514

here you are saying to send everything to the local server port 61514,
this includes sending an additional copy of the logs that you sent in the
lines above.

you don't need the first two lines, they are causing duplicate entries.

> (using stunnel for the connection)
>
> Below is the server's rsyslog.conf
>
> $AllowedSender UDP, 127.0.0.1, 10.32.1.81/29
> $AllowedSender TCP, 127.0.0.1, 10.32.1.81/29
> # The authpriv file has restricted access.
> $template DynAuth, "/var/log/%HOSTNAME%/secure.log"
>
> # Log anything (except mail and cron) of level info or higher.
> $template DynMSG, "/var/log/%HOSTNAME%/messages"
>
> # Log all the mail messages in one place.
> $template Dynmail, "/var/log/%HOSTNAME%/maillog"
>
> # Log cron stuff
> $template Dyncron,"/var/log/%HOSTNAME%/cron"
>
> # Save news errors of level crit and higher in a special file.
> $template Dynspool, "/var/log/%HOSTNAME%/spooler"
>
> # Save boot messages also to boot.log
> $template Dynboot, "/var/log/%HOSTNAME%/boot.log"
> $template ApacheRemoteCustom, "/var/log/%HOSTNAME%/Apache/access.log"
> local6.info -?ApacheRemoteCustom

here you say send local6.info to apacheremotecustom

> $template ApacheRemoteErr, "/var/log/%HOSTNAME%/Apache/error.log"
> local7.err -?ApacheRemoteErr
> authpriv.* ?DynAuth
> *.info,mail.none,authpriv.none,cron.none ?DynMSG

but here you say send *.info to DynMSG

if you don't want to have the logs processed more than once, you need to
tell rsyslog to drop them after they have been processed

so you would do

local6.info -?ApacheRemoteCustom
local6.info ~
*.info,mail.none,authpriv.none,cron.none ?DynMSG

the ~ tells rsyslog to stop processing logs like this.

I believe that you can shorten this to

local6.info -?ApacheRemoteCustom
~
*.info,mail.none,authpriv.none,cron.none ?DynMSG

because rsyslog will continue to use the prior filter rules until it sees
new ones (I know you can do this with more complex filters, I haven't done
it with the simple syslog-style filters)

David Lang

> #mail.none,authpriv.none,cron.none ?DynMSG
>
> mail.* -?Dynmail
> cron.* ?Dyncron
> news.crit ?Dynspool
>
>
> Now, as noted, the logging works perfectly fine, but the page accesses
> are creating 2 entries. One is in the messages file, one is in the
> intended log file.
>
> Based on the configuration file, this looks to be due to the line:
> *.info,mail.none,authpriv.none,cron.none ?DynMSG
>
> But the problem is that if I comment that line out or remove *.info, I
> no longer get the GRSec messages which I very much need for debugging
> purposes.
>
> Any advice on this would be a great deal of assistance as rsyslog is
> completely new to me. Thank you!
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
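
The rule ordering discussed in this thread, as an added example that is not part of the original e-mail and is not rsyslog's own code: a simplified Python model of top-to-bottom selector processing, covering only the facility.priority forms that appear above. The function names are hypothetical, and the kern.info sample standing in for a GRSec kernel message is constructed.

```python
# Simplified model of ordered syslog-style rule processing (not rsyslog's parser).
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

def selector_matches(selector, facility, severity):
    """Match selectors made of fac.prio parts joined by ',' or ';' (forms used in the thread)."""
    matched = False
    for part in selector.replace(";", ",").split(","):
        fac, prio = part.strip().split(".")
        if fac not in ("*", facility):
            continue
        if prio == "none":
            matched = False          # facility explicitly excluded
        elif prio == "*":
            matched = True
        else:
            # a priority name matches that severity and anything more severe
            matched = SEVERITY[severity] <= SEVERITY[prio]
    return matched

def route(rules, facility, severity):
    """Return the templates a message is written to, walking rules top to bottom."""
    written = []
    for selector, action in rules:
        if not selector_matches(selector, facility, severity):
            continue
        if action == "~":            # discard: no later rule sees this message
            break
        written.append(action.lstrip("-?"))
    return written

CATCH_ALL = ("*.info,mail.none,authpriv.none,cron.none", "?DynMSG")
ORIGINAL = [("local6.info", "-?ApacheRemoteCustom"), CATCH_ALL]
WITH_DISCARD = [("local6.info", "-?ApacheRemoteCustom"),
                ("local6.info", "~"), CATCH_ALL]

if __name__ == "__main__":
    # Constructed samples: an Apache access line and a kernel (GRSec-style) message.
    for name, rules in (("original", ORIGINAL), ("with discard", WITH_DISCARD)):
        for fac, sev in (("local6", "info"), ("kern", "info")):
            print(f"{name:13} {fac}.{sev:5} -> {route(rules, fac, sev)}")
```

The discard only helps when it sits before the catch-all rule; placed after it, the message has already been written to the messages file.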

