Currently, I have this kind of setup.
[node0]
rsyslog.conf:
$template MsgFormat,"%msg%\n"
$template ApacheRemoteCustom,"/var/log/httpd/web_farm1/%msg:F,32:2%.log"
if $syslogfacility-text == 'local6' and $programname == 'rhcs-node1' then -?ApacheRemoteCustom;MsgFormat
[web_farm1]
httpd.conf:
LogLevel warn
ErrorLog "|/bin/logger -p local5.err"
LogFormat "%v %h %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vcombined
CustomLog "|/bin/logger -p local6.info -t rhcs-node1" vcombined
It works for getting vhost access logs. However, it doesn't work for error
logs because it is not possible to customize the Apache ErrorLog by adding
or removing information
<http://httpd.apache.org/docs/2.0/logs.html#errorlog>.
Regards,
James
On Fri, May 21, 2010 at 1:37 PM, <[email protected]> wrote:
> On Fri, 21 May 2010, James Corteciano wrote:
>
> > Hi All,
> >
> > My goal is to centralize all system/apps logs from different web farm
> > servers. I have the following setups:
> >
> > node0 - Centralized rsyslog server
> > web_farm1 - web farm 1 server running RHEL, rsyslog, and httpd with
> > different vhost.
> > web_farm2 - web farm 2 server running RHEL, rsyslog, and httpd with
> > different vhost.
> >
> > 1) How can I configure rsyslog from node0 to capture all vhost logs from
> > web_farm servers and all logs will be directly placed like:
> >
> > /var/log/syslog/web_farm1/<vhost>-error.log
> > /var/log/syslog/web_farm1/<vhost>-access.log
> >
> > 2) How to configure the httpd service in web_farm servers to push all logs
> > to node0 syslog server? I saw something like the following on the internet.
> >
> > httpd.conf:
> > ErrorLog "|/bin/logger -p local5.err"
> > CustomLog "|/bin/logger -p local6.info"
> >
> > rsyslog.conf:
> > *.* @node0
>
> when logging from apache you can have log commands inside each vhost, or
> if you don't the logs will be handled by the main server.
>
> what I do is to have the access logs handled by the main server and create
> a custom format that includes the vhost as part of the format (I also
> reorder things so that data I really care about is near the beginning of
> the log and data that can be long is later in the message, so if it
> becomes extremely long and overflows the max log length I don't lose data
> I consider critical)
>
> then I run it through a perl script that reformats the message to put the
> vhost name in the server field and sends it out via UDP to my syslog
> server.
>
> I don't have access to that file at the moment (it's at work), I'll try to
> get a copy tomorrow and post it.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
>
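A sketch of the kind of relay described in the quoted reply (take the vhost from the front of a "vcombined" access line, put it in the syslog hostname field, send it over UDP), added here as an example; it is not David's Perl script, which does not appear in this thread. Because the collector template above builds a file name from message content, the vhost is validated before it is sent. The script path, the "httpd" tag and the validation rules are assumptions of this example.

```python
import re
import socket
import sys
import time

# Hostname-safe characters only: the collector uses this value in a file path.
VHOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")
FACILITY_LOCAL6, SEVERITY_INFO = 22, 6
MAX_LEN = 1024  # RFC 3164 limit for the whole packet


def build_packet(line, tag="httpd", now=None):
    """Turn one 'vcombined' access line into an RFC 3164 datagram.

    The first space-delimited field (%v) becomes the syslog HOSTNAME.
    Returns None when the vhost would be unsafe as a path component.
    """
    vhost, _, rest = line.rstrip("\r\n").partition(" ")
    if not rest or not VHOST_RE.fullmatch(vhost) or ".." in vhost:
        return None
    pri = FACILITY_LOCAL6 * 8 + SEVERITY_INFO
    t = time.localtime(now)
    # RFC 3164 timestamp: "Mmm dd hh:mm:ss", day of month space-padded.
    stamp = "%s %2d %s" % (time.strftime("%b", t), t.tm_mday, time.strftime("%H:%M:%S", t))
    # Replace control characters so one request cannot forge extra records.
    rest = "".join(c if c.isprintable() else "?" for c in rest)
    packet = "<%d>%s %s %s: %s" % (pri, stamp, vhost.lower(), tag, rest)
    return packet.encode("utf-8", "replace")[:MAX_LEN]


def relay(stream, host, port=514):
    """Read access lines from stream and send each one as a UDP datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    for line in stream:
        packet = build_packet(line)
        if packet is not None:
            sock.sendto(packet, (host, port))
            sent += 1
    return sent


if __name__ == "__main__":
    # Assumed usage: CustomLog "|/usr/local/bin/vhost_relay.py node0" vcombined
    relay(sys.stdin, sys.argv[1])
```

Truncation happens at the end of the packet, so the fields placed first in the LogFormat are the ones that survive an over-long request line.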