[logs] naming multiple output files with syslog-ng Dec 17 2007 02:20PM
Christian Folini (christian folini post ch)
Hello everyone,

I am new to this list, after having visited the loganalysis website
many times in the last few weeks. I am working on a fairly big
logfile centralisation project. We are evaluating syslog-ng and I
am trying to configure it to meet our present standards. It basically
works, but I have not yet found an elegant solution to get the files
to the right destination. So I thought maybe you guys have a hint or two
for me.

We have a central loghost, but so far the centralisation is not
concurrent. The logfiles I am talking about are apache error
logs for a start (and then ModSecurity audit logs, guardian logs,
apache access logs, cgi-logs, you name it.)

Now there are n hosts with p apache servers serving p virtual domains.
Most apaches serve http and https. We are used to keeping separate
error logfiles for apache-server, virtualhost-port80 and
virtualhost-port443.

On the central host, they reside in a hierarchy as follows:



I managed to get quite close by configuring ErrorLog
in apache as follows:
ErrorLog "| /usr/bin/logger -t www.example.com_port80 -u /tmp/logger.socket"
ErrorLog "| /usr/bin/logger -t www.example.com_port443 -u /tmp/logger.socket"

And then configure syslog-ng along the lines of
destination df_file { file(".../$PROGRAM/$HOST/apache-error.log"); };

This brings me files along the lines of:

That's close, but not quite.

I could use a program(regex) filter, but this is performance relevant
and highly unwelcome, and it would still not help me to get rid of the
"_port<portnum>" in the program variable.

I found one or two alternatives, but they are equally inelegant and
I would rather not use them.

To sum it up: I do have a working solution, but it's not good.

Any thoughts?


Christian Folini

LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org

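One way to get the split the post is asking for without a per-vhost regex filter, as an added example for readers and not the poster's configuration or anything taken from the syslog-ng documentation: it assumes syslog-ng 3.x (the csv-parser is not available in the 2.x series current at the time of the post) and an assumed target layout of ${HOST}/${VHOST}/${PORT}/apache-error.log, since the original hierarchy did not survive in the archive.

```conf
# Added example: split the logger -t tag "www.example.com_port80" into two
# macros with the csv-parser, then build the file path from them.
# Assumes syslog-ng 3.x. The socket path is the one from the post, so this
# runs on a single box; on the central loghost the source would be the
# network listener instead and ${HOST} would then be the sending web server.

source s_apache {
    unix-stream("/tmp/logger.socket");
};

# The program name is supplied by the logging client, so constrain it before
# it becomes a directory name (keeps "../" and other odd tags out of the path).
filter f_vhost_tag {
    match("^[A-Za-z0-9.-]+_port[0-9]+$" value("PROGRAM"));
};

# Split ${PROGRAM} on "_" into ${VHOST} and ${PORT}; greedy puts any remaining
# fields into the last column, so a tag with extra underscores loses nothing.
parser p_vhost {
    csv-parser(
        columns("VHOST", "PORT")
        delimiters("_")
        flags(greedy)
        template("${PROGRAM}")
    );
};

# Assumed layout: one directory per sending host, virtualhost and port.
destination d_apache_error {
    file("/var/log/hosts/${HOST}/${VHOST}/${PORT}/apache-error.log"
         create_dirs(yes)
         dir_perm(0750)
         perm(0640));
};

# Messages without a well-formed tag are kept in a catch-all rather than dropped.
destination d_unmatched {
    file("/var/log/hosts/${HOST}/unmatched.log" create_dirs(yes));
};

log {
    source(s_apache);
    filter(f_vhost_tag);
    parser(p_vhost);
    destination(d_apache_error);
    flags(final);
};

log {
    source(s_apache);
    destination(d_unmatched);
};
```

With the two ErrorLog lines from the post, this yields .../www.example.com/port80/apache-error.log and .../www.example.com/port443/apache-error.log under the sending host's directory.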

