Then, unless you have something throwing logs away before that (some line matching the logs with a destination of ~), the logs will be forwarded.

David Lang

On Thu, 4 Apr 2013, Josh Bitto wrote:

Date: Thu, 4 Apr 2013 14:44:23 -0700
From: Josh Bitto <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] httpd logs

Here is my config...

I do have the *.* @destination already.



-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of David Lang
Sent: Thursday, April 04, 2013 2:39 PM
To: rsyslog-users
Subject: Re: [rsyslog] httpd logs

You need to add a line to forward the logs.

Without seeing the rest of your configuration, we can't say if it's going to be 
forwarded by an existing configuration.

My personal belief is that logs are small enough bandwidth-wise, and rsyslog is 
fast enough that I just do

*.* @destination

(for UDP forwarding, adjust for other forwarding methods if needed)

and then throw away logs I don't care about later. I find that too many times 
logs that nobody thinks are important end up being critical to figuring out 
some problem. So it's just easier to send and archive everything.

David Lang


 On Thu, 4 Apr 2013, Josh Bitto wrote:

Date: Thu, 4 Apr 2013 14:02:33 -0700
From: Josh Bitto <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] httpd logs

Well ok so I followed the doc that explains how to set up httpd access and error logs to 
be configured to use rsyslog. I think it "mostly" works. I have a file that is 
created that is in /var/log/httpd-access.log which is on my remote machine.

How do I get that to be forwarded to my central syslog server?

Plus I think I did something wrong on rsyslog.conf about the errors. When I 
followed the instructions (even used the example given) nothing happens.




-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Josh Bitto
Sent: Thursday, April 04, 2013 12:12 PM
To: rsyslog-users ([email protected])
Subject: [rsyslog] httpd logs

When setting rsyslog to obtain httpd logs I did the following:
In httpd.conf
ErrorLog syslog:local7


In rsyslog.conf
Would I add the rule like this?

Local1.err    /var/log/apache.err

Or for the file use any file name? And will this file be forwarded to my 
central syslog server?


Joshua Bitto
Information Technologist
KCC



_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is 
a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our 
control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability


# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# Save httpd errorlogs
local1.crit                                             /var/log/apache.crit


if $syslogfacility-text == 'local6' and $programname == 'httpd' then /var/log/httpd-access.log
if $syslogfacility-text == 'local6' and $programname == 'httpd' then ~
if $syslogfacility-text == 'local7' and $programname == 'httpd' then /var/log/httpd-error.log
if $syslogfacility-text == 'local7' and $programname == 'httpd' then ~


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional

*.* @destination IP addy:514

#*.* @syslog.onlineschool.ca
# ### end of the forwarding rule ###
# this will send to udp port 514 (use @@ to use tcp )
       
       

# Added for eventlog analyzer to work
#*.* @syslog
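
The ordering issue raised in the reply at the top of this thread (a discard `~` placed before the forwarding line), as an added example that is not part of the original thread or of rsyslog: a simplified Python model of rule order, run over a constructed excerpt of the config above. Assumptions: 192.0.2.10 is a placeholder collector address, and only the selector and `if ... then` forms that appear in this config are handled.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed excerpt: rule order as in the config above, wrapped lines rejoined.
# 192.0.2.10 is a placeholder collector address, not taken from the thread.
ORIGINAL = """\
*.info;mail.none;authpriv.none;cron.none /var/log/messages
if $syslogfacility-text == 'local6' and $programname == 'httpd' then /var/log/httpd-access.log
if $syslogfacility-text == 'local6' and $programname == 'httpd' then ~
*.* @192.0.2.10:514
"""
# Same rules with the forwarding line moved ahead of the discard.
FIXED = "\n".join(ORIGINAL.splitlines()[-1:] + ORIGINAL.splitlines()[:-1])

IF_RE = re.compile(r"if \$syslogfacility-text == '(\w+)' and \$programname == '(\w+)' then (.+)")

def selector_matches(selector, facility, severity):
    """Traditional selector: ';'-separated parts, a later 'none' cancels a match."""
    matched = False
    for part in selector.split(";"):
        facs, prio = part.rsplit(".", 1)
        if not {"*", facility} & set(facs.split(",")):
            continue
        if prio == "none":
            matched = False
        elif prio == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(prio):
            matched = True
    return matched

def trace(config, facility, severity, program):
    """Actions a message reaches, in rule order, stopping at a discard (~)."""
    reached = []
    for line in map(str.strip, config.splitlines()):
        if not line or line.startswith(("#", "$")):
            continue
        m = IF_RE.match(line)
        if m:
            hit, action = m.group(1, 2) == (facility, program), m.group(3).strip()
        else:
            selector, action = line.split(None, 1)
            hit = selector_matches(selector, facility, severity)
        if hit:
            reached.append(action)
            if action == "~":
                break
    return reached

def is_forwarded(config, facility, severity, program):
    return any(a.startswith("@") for a in trace(config, facility, severity, program))
```

Calling `trace(ORIGINAL, "local6", "info", "httpd")` shows the message stopping at `~` before the `@` action, while the same call on `FIXED` reaches the collector first.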