Well, I was mistaken.
I still have messages from http in /var/log/syslog of this nature:
Sep 29 08:51:11 web error: [Mon Sep 29 08:51:05 2014] [error] [client 184.73.207.18] client denied by server configuration: /var/www/cirrhus9/wp-admin/admin-ajax.php
Sep 29 08:51:11 web error: [Mon Sep 29 08:51:05 2014] [error] [client 69.46.36.8] client denied by server configuration: /var/www/cirrhus9/wp-admin/admin-ajax.php

wp-login.php is restricted in apache_site.conf and I'm not convinced that has anything to do with anything rsyslog-related, but I could be wrong. My /etc/rsyslog.d/10-watchfile.conf *was* named /etc/rsyslog.d/watchfile.conf, and this sent duplicates and triplicates to /var/log/syslog up until I moved it to 10-watchfile.conf; they all but stopped except for those shown above.

Thank you for your valuable time.

John Jones
Cirrhus9.com

On 09/25/2014 06:24 PM, John Jones wrote:
All fixed on rsyslogd 7.6.5

There's something to be said about 'defaults' (with /slight/ modifications)

Thank you David and Rainer!
John Jones
Cirrhus9.com
On 09/25/2014 04:35 PM, David Lang wrote:
On Thu, 25 Sep 2014, John Jones wrote:

Hello to the list:

I have a remote host sending apache_{error,access}.log files to the rsyslog-server, and that's all fine and good. What I'm having trouble with is that the apache traffic is sending the same traffic to /var/log/messages.

I suspect it's the /etc/rsyslog.d/watchfile.conf that I created, and here are the contents:
$ModLoad imfile
# apache error.log
$InputFileName /var/log/apache2/error.log
$InputFileTag error:
$InputFileStateFile state_file_error_apache
$InputFileFacility local6
$InputRunFileMonitor
$InputFilePollInterval 10

# apache access.log
$InputFileName /var/log/apache2/access.log
$InputFileTag access:
$InputFileStateFile state_file_access_apache
$InputFileFacility local6
$InputRunFileMonitor
$InputFilePollInterval 10

if $programname == 'access' then @rsyslog-server:514
& ~
if $programname == 'errors' then @rsyslog-server:514
& ~

On the ancient 3.x series, this is a very inefficient way of testing for this.

Log a few messages with the format RSYSLOG_DebugFormat so that you can see what the various variables actually contain and it will probably solve your problem.

The rsyslogd version on this host (from stock CentOS 5.10 repo) is:
rsyslogd 3.22.1, compiled with:
   FEATURE_REGEXP:                Yes
   FEATURE_LARGEFILE:            Yes
   FEATURE_NETZIP (message compression):    Yes
   GSSAPI Kerberos 5 support:        Yes
   FEATURE_DEBUG (debug build, slow code):    No
   Atomic operations supported:        Yes
   Runtime Instrumentation (slow code):    No


I changed InputFileFacility to local6 after reading this <http://kb.monitorware.com/rsyslog-message-duplicates-t12273.html?hilit=duplicates&sid=9666af8003d631d35d5603149b6d54fb#p24305> - no change.
I added $InputFileFacility local6 to the watchfile after reviewing
http://kb.monitorware.com/rsyslog-message-duplicates-t12273.html?hilit=duplicates#p24303
but it's not known to me if I have to do that for each watched file?

Yes you would, and you probably want to give them different facilities.


The /etc/rsyslog.conf on this host seems sparse with:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ModLoad imklog
$ModLoad imuxsock
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg                                                 *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
*.* @rsyslog-server::514

It is not clear to me if this is the|an issue.

I tried variations on
local6.=info /var/log/apache2/error.log
& ~
local6.=error /var/log/apache2/access.log
& ~
in the watchfile.conf but it didn't correct the problem.

This won't work because you are not setting the severity (I don't remember what it defaults to, but =info and =error are probably wrong).

try local6.*

David Lang

I do see "{host} access" and "{host} error" in the /var/log/messages
so I suspect it's a trivial matter.

Examined references are
http://kb.monitorware.com/post24302.html?hilit=duplicates#p24302
https://access.redhat.com/discussions/650853
and several dozen search-engine results.

Anything I try just seems to make it messier.
Can someone help this new rsyslog user out?

Thank you for your time.


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
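
The suggestions made in this thread (a facility per watched file, an explicit severity, a `local6.*`-style selector, a temporary RSYSLOG_DebugFormat dump, and a file name that sorts early) combined into one forwarding-host file. This is an added example, not configuration posted by anyone in the thread; the `local5` facility for the access log, the `info` severity, and the debug file path are assumptions, and the `10-` prefix only helps where the default rules are loaded from a later-sorting file in the same directory.

```conf
# /etc/rsyslog.d/10-watchfile.conf  (added example, legacy directive syntax)
$ModLoad imfile

# apache error.log -> facility local6
# Facility and severity are per-file: set them before each $InputRunFileMonitor.
$InputFileName /var/log/apache2/error.log
$InputFileTag error:
$InputFileStateFile state_file_error_apache
$InputFileFacility local6
$InputFileSeverity info
$InputRunFileMonitor

# apache access.log -> facility local5 (assumed choice, any unused localN works)
$InputFileName /var/log/apache2/access.log
$InputFileTag access:
$InputFileStateFile state_file_access_apache
$InputFileFacility local5
$InputFileSeverity info
$InputRunFileMonitor

# Polling interval is a module-wide setting, so it is given once.
$InputFilePollInterval 10

# Temporary troubleshooting rule: write every property of the watched-file
# messages so the real tag, $programname, facility and severity are visible.
# With the tag "error:" above, $programname is "error", not "errors".
# Hypothetical output path; remove the rule once the filter is confirmed.
#local5.*;local6.*   /var/log/rsyslog-imfile-debug.log;RSYSLOG_DebugFormat

# Forward by facility with any severity, then discard so later rules
# (such as *.info ... /var/log/messages) never see these messages.
# On rsyslog 7 and later, "stop" is the preferred spelling of "~".
local5.*;local6.*   @rsyslog-server:514
& ~
```

Because the discard only affects rules that come after it, this file has to be read before the rule that writes to /var/log/messages or /var/log/syslog, and a catch-all `*.* @rsyslog-server` rule elsewhere would otherwise forward the same lines a second time.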

