Hello to the list:
I have a remote host sending apache_{error,access}.log files to the
rsyslog-server, and that's all fine and good.
What I'm having trouble with is that the apache traffic is sending the
same traffic to /var/log/messages.
I suspect it's the /etc/rsyslog.d/watchfile.conf that I created, and
here are the contents:

    $ModLoad imfile
    # apache error.log
    $InputFileName /var/log/apache2/error.log
    $InputFileTag error:
    $InputFileStateFile state_file_error_apache
    $InputFileFacility local6
    $InputRunFileMonitor
    $InputFilePollInterval 10
    # apache access.log
    $InputFileName /var/log/apache2/access.log
    $InputFileTag access:
    $InputFileStateFile state_file_access_apache
    $InputFileFacility local6
    $InputRunFileMonitor
    $InputFilePollInterval 10
    if $programname == 'access' then @rsyslog-server:514
    & ~
    if $programname == 'errors' then @rsyslog-server:514
    & ~

The rsyslogd version on this host (from stock CentOS 5.10 repo) is:

    rsyslogd 3.22.1, compiled with:
    FEATURE_REGEXP: Yes
    FEATURE_LARGEFILE: Yes
    FEATURE_NETZIP (message compression): Yes
    GSSAPI Kerberos 5 support: Yes
    FEATURE_DEBUG (debug build, slow code): No
    Atomic operations supported: Yes
    Runtime Instrumentation (slow code): No

I changed InputFileFacility to local6 after reading this
<http://kb.monitorware.com/rsyslog-message-duplicates-t12273.html?hilit=duplicates&sid=9666af8003d631d35d5603149b6d54fb#p24305>
- no change.
I added $InputFileFacility local6 to the watchfile after reviewing
http://kb.monitorware.com/rsyslog-message-duplicates-t12273.html?hilit=duplicates#p24303
but it's not known to me if I have to do that for each watched file?
The /etc/rsyslog.conf on this host seems sparse with:

    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    $ModLoad imklog
    $ModLoad imuxsock
    *.info;mail.none;authpriv.none;cron.none /var/log/messages
    authpriv.* /var/log/secure
    mail.* -/var/log/maillog
    cron.* /var/log/cron
    *.emerg *
    uucp,news.crit /var/log/spooler
    local7.* /var/log/boot.log
    *.* @rsyslog-server::514

It is not clear to me if this is the|an issue.
I tried variations on

    local6.=info /var/log/apache2/error.log
    & ~
    local6.=error /var/log/apache2/access.log
    & ~

in the watchfile.conf but it didn't correct the problem.
I do see "{host} access" and "{host} error" in the /var/log/messages
so I suspect it's a trivial matter.
Examined references are
http://kb.monitorware.com/post24302.html?hilit=duplicates#p24302
https://access.redhat.com/discussions/650853
and several dozen search-engine results.
Anything I try just seems to make it messier.
Can someone help this new rsyslog user out?
Thank you for your time.
--
John Jones
Cirrhus9.com
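
Added example, not part of the original post: a simplified Python model of traditional selector matching, run over the rules quoted from /etc/rsyslog.conf above, to show which actions a local6 message read by imfile would match. It assumes imfile's default severity of notice (the post sets no $InputFileSeverity) and approximates $programname as the tag up to the first ':', '[' or '/'; all function names are hypothetical.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"error": "err", "warn": "warning", "panic": "emerg"}
# Selector/action pairs copied from the /etc/rsyslog.conf quoted in the post.
RSYSLOG_CONF = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
    ("*.*", "@rsyslog-server::514"),
]

def level(name):
    """Numeric severity: 0 (emerg) is most severe, 7 (debug) least."""
    return SEVERITIES.index(ALIASES.get(name, name))

def selector_matches(selector, facility, severity):
    """Simplified selector check; the '!' negation form is not modelled."""
    allowed = set()
    for part in selector.split(";"):
        facs, prio = part.rsplit(".", 1)
        names = facs.split(",")
        if "*" not in names and facility not in names:
            continue
        if prio == "none":          # e.g. mail.none clears earlier matches
            allowed = set()
        elif prio == "*":
            allowed = set(range(8))
        elif prio.startswith("="):  # exactly this severity
            allowed.add(level(prio[1:]))
        else:                       # this severity and anything more severe
            allowed |= set(range(level(prio) + 1))
    return level(severity) in allowed

def programname(tag):
    """Assumption: program name is the tag up to the first ':', '[' or '/'."""
    return re.split(r"[:\[/]", tag, maxsplit=1)[0]

def destinations(facility, severity):
    return [a for s, a in RSYSLOG_CONF if selector_matches(s, facility, severity)]

if __name__ == "__main__":
    print("local6.notice ->", destinations("local6", "notice"))
    print("local6.=info matches notice:", selector_matches("local6.=info", "local6", "notice"))
    print({t: programname(t) for t in ("error:", "access:")})
```

In this model a local6.notice message matches both the `*.info;...` rule for /var/log/messages and the `*.*` forwarding rule, and the tag `error:` yields the program name `error`, not `errors`.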