remote syslogging

sir-lancealot · 01-20-2009, 10:10 AM

I have 5 webservers which I wish to log each of them remotely to one box. From my readings, http://www.oreillynet.com/pub/a/sysa...pd-syslog.html and others, and I guess something is just not clicking. 1st is I only wish to monitor the apache access (and error) logs. So I have one of the webservers /etc/syslog.conf entry added;
local3.* @remote server ip

on the server I restarted syslog with the -r remote option, ps aux shows;

root 2738 0.0 0.0 2092 724 ? Ss Jan19 0:16 syslogd -m 0 -r

So, what's next or what's wrong? I hit the website a bit, but the readings so far haven't shown how to test a bit more, or ensure things are right, etc.

Thanks for any help or tips on people already doing this.

Lr

whitemice · 01-20-2009, 10:55 AM

Quote:

Originally Posted by sir-lancealot

I have 5 webservers which I wish to log each of them remotely to one box. From my readings, http://www.oreillynet.com/pub/a/sysa...pd-syslog.html and others, and I guess something is just not clicking. 1st is I only wish to monitor the apache access (and error) logs. So I have one of the webservers /etc/syslog.conf entry added;
local3.* @remote server ip
on the server I restarted syslog with the -r remote option, ps aux shows;
root 2738 0.0 0.0 2092 724 ? Ss Jan19 0:16 syslogd -m 0 -r
So, what's next or what's wrong? I hit the website a bit, but the readings so far haven't shown how to test a bit more, or ensure things are right, etc.
Thanks for any help or tips on people already doing this.
Lr

Is Apache logging via syslog? By default I do not believe that it uses syslog but writes logs directly. If you send local3.* to a local file do entries appear? If so check that your remote syslog (netstat --listen --inet) is listening on the network interface AND that your firewall is down for the syslog port (UDP/514 or UDP/601).

acid_kewpie · 01-20-2009, 12:49 PM

Here's info on logging via syslog in httpd.confhttp://www.oreillynet.com/pub/a/sysa...pd-syslog.html

Looking at that though, I don't like their method of a perl wrapper, when you have logger available:

CustomLog "| /usr/bin/logger -p local.info" common

would do it with no scripting at all.

Also i'd really recommend checking out syslog-ng over syslogd, much nicer to configure and more powerful especially when you have networked logging requirements.

sir-lancealot · 01-20-2009, 12:52 PM

Thanks for the reply. I am unclear no how to 'send local3.* to a local file'. I am reading in parallel to try to understand it a bit more but the firewall and listen is fine (see below)

netstat --listen --inet | grep syslog
udp 0 0 *:syslog *:*

I am trying to figure out/understand it a bit more.

Thanks

sir-lancealot · 01-20-2009, 12:53 PM

Thanks for the URL, it's the same one I posted in the original post though.

acid_kewpie · 01-20-2009, 12:55 PM

omg, what a cretin. so sorry, read the first reply and went with it!

I edited my reply since then though, any more use?

also especially in a UDP world, tcpdump is so so useful to see if the udp packets are a) leaving the client and b) hitting the server.

sir-lancealot · 01-21-2009, 02:09 PM

lol, cretin... nah. The amount of posting you do, your allowed a little slack sometimes

So, I checked and edited my vhost so it now looks like this;

CustomLog logs/domain.com-access_log combined
CustomLog "| /usr/bin/logger -p local.info" common

I see no local.info file on either the local or remote server, so I looked in the general error_log and saw this;
piped log program ' /usr/bin/logger -p local.info' failed unexpectedly
logger: unknown facility name: local.

As for syslog-ng, I have used it in the past for direct postgres logging, but if you think this is a better route, I will do some reading and go that route ... tnx

hmmmmm....

acid_kewpie · 01-21-2009, 03:04 PM

OK, well the facility is only for your reference later on. you can change it to whatever you want, and even remove it for initial testing.