> -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of Ben Bradley > Sent: Monday, January 28, 2013 1:39 PM > To: [email protected] > Subject: Re: [rsyslog] Use part of incoming syslog message in an output file > name? > > On Mon, 28 Jan 2013 11:33:11 +0000 > Rainer Gerhards <[email protected]> wrote: > > > $template ApacheAccessLogFile, "/var/log/httpd/%msg:R,ERE,1,BLANK:([a- > z0-9\-\.]+) [0-9]+$--end%_access.log" > > > > Amazing! Thanks so much! > > --- start of long story --- > I have Apache logging to /bin/logger and then have rsyslog generate the per- > vhost log files and then send the log over the network. > I was passing the vhost to rsyslog as part of the syslog tag, the bit that > usually > contains the pid. > The problem I've just encountered is that there's a maximum length for the > syslog tag of 32 characters so for many vhosts the full vhost wasn't being > transmitted through /bin/logger, before rsyslog is even involved. > > So with this I am planning to have rsyslog write the physical log files using > content from the Apache error log message rather than the syslog tag. > > The problem I've now got is Apache error log files. Until we start using > Apache 2.3.9+ we can't specify the error log format to include the vhost so > for error logs I am still restricted to sending the vhost through the syslog > tag. > --- end of long story --- > > Actually I've just seen an article that would actually get around my > problem... > http://www.rsyslog.com/sende-messages-with-tags-larger-than-32- > characters/ > > How do I integrate this from that article... > template (name="LongTagForwardFormat" type="string" > string="<%PRI%>%TIMESTAMP:::date-rfc3339% > %HOSTNAME%%syslogtag%%msg:::sp-if-no-1st-sp%%msg%") That's just new style format. You need to have v7 to use that. > > With this in my current rsyslog.conf... > $template ApacheAccessLogFile, "/var/log/httpd/%procid%_access.log" > $template ApacheAccessLogFormat, "%msg:2:$:drop-last-lf%\r\n" > > if $app-name == 'apache-access' and $syslogfacility-text == 'local0' and > $syslogseverity-text == 'info' then - > ?ApacheAccessLogFile;ApacheAccessLogFormat >
Just use it as usual: ?ApacheAccessLogFile;LongTagForwardFormat > Then that will hopefully give me enough of an understanding to be able to > figure these out myself. > > Cheers, Ben > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: > This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond > our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
