2

We have IBM HTTP Servers (based on Apache 2.0) and want to send the access logs to syslog (in addition to the error logs, which does work).

The config we are using is as follows:

ErrorLog "|/HTTPServer/bin/rotatelogs /archive/http/error_log.%Y%m%d 86400 | /usr/bin/logger -t httpd -plocal6.err"
LogLevel warn
LogFormat "%h %{True-Client-IP}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D \"%{Host}i\" %v" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog "|exec /usr/bin/logger -t ptseelm-ax3004 -i -p local6.notice" combined

But the log entries don't even appear in the local syslog.out.

Here is what the processes look like:

ps -ef | grep httpd
apache  6226000  8388618   0 09:04:01      -  0:00 /HTTPServer/bin/httpd -d /HTTPServer -k start
apache  6750220  8388618   0 09:04:01      -  0:00 /HTTPServer/bin/httpd -d /HTTPServer -k start
apache  7602390  8388618   0 09:04:01      -  0:00 /HTTPServer/bin/httpd -d /HTTPServer -k start
root  8388618        1   0 09:04:01      -  0:00 /HTTPServer/bin/httpd -d /HTTPServer -k start
root  9044038  8388618   0 09:04:01      -  0:00 /usr/bin/logger -t httpd -plocal6.err

So there is no logger attached to the child processes... is that the problem? Can someone help me out? :)

We have the following in syslog.conf:

local6.*        @somerealipaddress
Seer
  • Have you tried removing the "exec" from CustomLog to match your errorlog version? Also, is local6.notice being ignored? If you set it to local6.err does it magically start working? – Regan Nov 01 '13 at 09:17
  • We had it without exec first, and tried it with now. We have the following in syslog.conf – Seer Nov 01 '13 at 09:24
  • local6.* @xyz.xyz.xyz.xyz <<<<<< real ip of course – Seer Nov 01 '13 at 09:24
  • @Seer, it would be better if you could add the syslog config to the question instead of in a comment, it will make it easier for others to read and help you. – Jenny D Nov 01 '13 at 09:25
  • @Regan, the point of having "exec" is to avoid having a dangling shell around, so it's usually a good idea. – Jenny D Nov 01 '13 at 09:25

1 Answer

3

I would suggest that, instead of piping directly to logger, you write to a file and then have a separate process read that file and send it off to syslog.

Many syslog programs, e.g. rsyslog and syslog-ng, can read from a file as well as from /dev/log. Another option is to simply use tail -F and pipe to logger.

Jenny D
  • Hmm. We will actually still have a local log too, we are mostly just testing getting into syslog at the moment. From a configuration perspective though, when we are talking about maybe 30-100 HTTP servers, it seemed like it would be nice to have it within the HTTP conf template – Seer Nov 01 '13 at 09:33
  • It would, but there's a small risk of reduced performance and/or losing log entries. And, in a perfect world, your syslog config should also come from a template and be handled by e.g. puppet... Another issue though is that if you separate the logging from httpd.conf that means you don't have to restart httpd if/when you need to change syslog parameters. – Jenny D Nov 01 '13 at 09:49
  • So you are talking about a script run as a background task? How would you handle log rotation? Today's file is called access_log.20131101 for example and yesterday's access_log.20131031 .... Bear in mind we are supposed to avoid cronjobs etc – Seer Nov 01 '13 at 10:01
  • At my old work, we used syslog-ng. It is very robust with a lot of features. Take a look at http://www.syslog.org/logged/reading-logs-from-a-file-in-syslog-ng/ for a basic example. syslog-ng will simply read from 'access_log' and then in your logrotate you'll need to send syslog-ng a -HUP signal after rotation so it will follow the new 'access_log' inode. – Regan Nov 01 '13 at 14:50
  • 1
    @Seer As long as log rotation is done by copying the contents to a new file before truncating, there won't be a problem reading from the log file. If, instead, it's done by moving the file and creating a new one with the original name, tail -F will still work (i.e. GNU tail, which will notice the filehandle changing) but other methods may require a HUP or restart. – Jenny D Nov 04 '13 at 08:03
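
The file-then-forward approach from the answer, with both rotation styles discussed in the comments handled explicitly, as an added example that is not code from any poster in this thread. The class name, the syslog tag "httpd-access" and taking the log path from the command line are assumptions; local6.notice is the priority used in the question.

```python
import os
import sys
import syslog
import time

class LogFollower:
    """Follow a log file by name; poll() returns newly completed lines."""

    def __init__(self, path, from_end=False):
        self.path, self.fh, self.inode, self.buf = path, None, None, b""
        self._open()
        if from_end and self.fh:
            self.fh.seek(0, os.SEEK_END)  # skip lines already in the file

    def _open(self):
        try:
            self.fh = open(self.path, "rb")
            self.inode = os.fstat(self.fh.fileno()).st_ino
        except FileNotFoundError:
            self.fh = None  # moved away, replacement not created yet

    def poll(self):
        if self.fh is None:
            self._open()
            if self.fh is None:
                return []
        data = self.fh.read()  # drain the file we still hold open
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            st = None
        if st is not None and st.st_ino != self.inode:  # move + create
            self.fh.close()
            self._open()
            data += self.fh.read() if self.fh else b""
        elif st is not None and st.st_size < self.fh.tell():  # copy + truncate
            self.fh.seek(0)  # same inode, file shorter than our offset
            data += self.fh.read()
        *lines, self.buf = (self.buf + data).split(b"\n")
        return [line.decode("utf-8", "replace") for line in lines]

if __name__ == "__main__":
    # "httpd-access" is a made-up tag; local6.notice is from the question.
    syslog.openlog("httpd-access", facility=syslog.LOG_LOCAL6)
    follower = LogFollower(sys.argv[1], from_end=True)
    while True:
        for line in follower.poll():
            syslog.syslog(syslog.LOG_NOTICE, line)
        time.sleep(1)
```

With copy-and-truncate rotation, a truncation is only detected while the file is shorter than the reader's offset, so lines written between the copy and the truncate, or a file that regrows past the old offset between polls, can be missed.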