[logs] naming multiple output files with syslog-ng
Christian Folini
christian.folini at post.ch
Mon Dec 17 06:20:53 PST 2007
Hello everyone,

I am new to this list, after having visited the loganalysis website
many times in the last few weeks. I am working on a fairly big
logfile centralisation project. We are evaluating syslog-ng and I
am trying to configure it to meet our present standards. It basically
works, but I have not yet found an elegant solution to get the files
to the right destination. So I thought maybe you guys have a hint or two
for me.

We have a central loghost, but so far the centralisation is not
concurrent. The logfiles I am talking about are apache error
logs for a start (and then ModSecurity audit logs, guardian logs,
apache access logs, cgi-logs, you name it.)

Now there are n hosts with p apache servers serving p virtual domains.
Most apaches serve http and https. We are used to keeping separate
error logfiles for apache-server, virtualhost-port80 and
virtualhost-port443.

On the central host, they reside in a hierarchy as follows:

    .../apache/<virtualhost>/<physicalhost>/port<port>-error.log

->

    ...
    .../apache/www.example.com/h00341/port80-error.log
    .../apache/www.example.com/h00341/port443-error.log
    .../apache/www.example.com/h00445/port80-error.log
    .../apache/www.example.com/h00445/port443-error.log
    ...

I managed to get quite close by configuring ErrorLog
in apache as follows:

    ErrorLog "| /usr/bin/logger -t www.example.com_port80 -u /tmp/logger.socket"
    ErrorLog "| /usr/bin/logger -t www.example.com_port443 -u /tmp/logger.socket"

And then configure syslog-ng along the lines of

    destination df_file { file(".../$PROGRAM/$HOST/apache-error.log"); };

This brings me files along the lines of:

    .../apache/www.example.com_port80/h00341/apache-error.log
    .../apache/www.example.com_port443/h00341/apache-error.log

That's close, but not quite.

I could use a program(regex) filter, but this is performance relevant
and highly unwelcome, and it would still not help me to get rid of the
"_port<portnum>" in the program variable.

I found one or two alternatives, but they are equally inelegant and
I would rather not use them.

To sum it up: I do have a working solution, but it's not good
looking.

Any thoughts?

regs,

Christian Folini
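
The path mapping described in the message above, as an added example that is not part of the original post: it builds both the path the $PROGRAM/$HOST template yields and the desired <virtualhost>/<physicalhost>/port<port>-error.log layout, and accepts only plain names as path components because both fields arrive with the syslog message. The base directory /var/log/central/apache and the function names are assumptions.

```python
import re
from pathlib import PurePosixPath

# Assumption: the post elides the real prefix as ".../apache".
BASE = PurePosixPath("/var/log/central/apache")

# Tag format from the post's "logger -t" argument: <virtualhost>_port<port>
TAG_RE = re.compile(r"((?:[a-z0-9-]+\.)*[a-z0-9-]+)_port([0-9]{1,5})")
# Physical host names such as h00341: one DNS-style label, no dots or slashes.
HOST_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")


def current_path(program: str, host: str) -> PurePosixPath:
    """Expansion of the template .../$PROGRAM/$HOST/apache-error.log."""
    return BASE / program / host / "apache-error.log"


def desired_path(program: str, host: str) -> PurePosixPath:
    """Build .../<virtualhost>/<physicalhost>/port<port>-error.log.

    Raises ValueError when either field is not in the expected form,
    so that only plain names are ever used as path components.
    """
    match = TAG_RE.fullmatch(program)
    if match is None:
        raise ValueError(f"unexpected program tag: {program!r}")
    if HOST_RE.fullmatch(host) is None:
        raise ValueError(f"unexpected host name: {host!r}")
    vhost, port = match.group(1), int(match.group(2))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return BASE / vhost / host / f"port{port}-error.log"


if __name__ == "__main__":
    # Sample tags and hosts taken from the post.
    for tag, host in [("www.example.com_port80", "h00341"),
                      ("www.example.com_port443", "h00445")]:
        print(current_path(tag, host), "->", desired_path(tag, host))
```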