Re: Logwatch Filtering for Apache

Author: Ben Trussell
Date:  
To: Main PLUG discussion list
Subject: Re: Logwatch Filtering for Apache
Note that email prematurely wrapped the examples. Rules need to be
all on one line in rsyslog.conf.

On Fri, Feb 11, 2011 at 5:08 PM, Ben Trussell <> wrote:
> This is by far not the only solution, but it's one that can be used to
> filter, combine, etc. logs based on your needs.
>
> Switch to rsyslog if not already using it.  The default configuration
> for distros like RHEL, CentOS, Debian, etc. shouldn't be any different
> than sysklogd etc. when installed via a package maintained by the
> distro, so it's not that difficult to switch to (probably want to
> verify that for your env in a testing scenario first, of course, but
> it was painless and simple to do so in my case).
>
> Add your log entries in the Apache conf file(s) like so:
>
> CustomLog can be specified once for a file, then again for this, but
> you might want to send all to rsyslog and then use the rsyslog config to
> parse out or combine as needed based on its abilities (explained
> further below).
>
>   CustomLog "|/usr/bin/logger -t httpd_vhost_tag -p local6.info" combined
>
> Error logs cannot be specified twice, so they need to be handled
> mostly in the rsyslog config.
>
>   ErrorLog "|/usr/bin/logger -t httpd_vhost_tag_error -p local6.notice"
>
> In /etc/rsyslog.conf, you can put things like:
>
>   local6.notice                                /var/log/httpd/http_combined_error_log
>
>
> Or, a little more handy in this case:
>
>   :syslogtag, contains, "_error"               /var/log/httpd/combined_error_log
>   :syslogtag, startswith, "httpd_vhost_tag"    /var/log/httpd/vhost_combined_log
>   :syslogtag, isequal, "httpd_vhost_tag"       /var/log/httpd/vhost_access_log
>   :syslogtag, isequal, "httpd_vhost_tag_error" /var/log/httpd/vhost_error_log
>
> So far this is useful with regard to *combining*, or getting back to
> what you'd expect without rsyslog configuration-based logging, but for
> how to filter based on rsyslog, try this in the rsyslog.conf file
> (each is on one line)...
>
> So now for more useful stuff in this case..
>
>   if ($syslogfacility-text == 'local6' and $syslogseverity-text == 'notice') and ($syslogtag contains 'httpd_audit_') then /var/log/httpd/httpd_audit_log
>
> or
>
>   if ($syslogfacility-text == 'local6' and $syslogseverity-text == 'info') and ($msg contains 'w00tw00t') then /var/log/httpd/httpd_alert_log
>
> or
>
>   if ($syslogfacility-text == 'local6' and $syslogseverity-text == 'info') and not ($msg contains 'do_not_care_about_me.jpg') then /var/log/httpd/httpd_access_log
>
> or (even more useful in your case)
>
>   if ($syslogtag == 'httpd_vhost_tag' and $syslogseverity-text == 'info') and not ($msg regex '.jpg .*404 .*') then /var/log/httpd/httpd_access_log
>
> Now you have a real syntax for filtering etc from within your logging service.
>
>
> Add the MySQL (or another database backend) functionality and then...
>
>   *.*                    :ommysql:127.0.0.1,Syslog,username,password
>
>
> lets you query your logs in a SQL environment.  LogAnalyzer is a nice
> option depending on your scale.
>
>
> And of course this still works fine:
>
> *.*                    @loghost.example.net
>
> Or practically any combination of the above to get the job done..
>
>
> More information: http://www.rsyslog.com/doc/rsyslog_conf_filter.html
>
>
> - Ben
> PS: Yeah I'm a fan of rsyslog - how'd you know ? =)
>
> On Wed, Feb 9, 2011 at 12:52 PM, Jason Holtzapple <> wrote:
>> On 02/09/2011 12:20 PM, Tim Noeding wrote:
>>
>>> I have servers that I monitor and was hoping to cut the apache sections
>>> of the logwatch down a bit. These servers have had website changes which
>>> leave links that people have made to images come up as failed access
>>> attempts in logwatch. Most of these are a known issue. I do not want to
>>> add these to the regex ignore file for logwatch, as they may become a
>>> real issue in the future. The one consistent bit of information that
>>> defines the true problems from the false positives is the number of
>>> times the problem happens. Generally, if the failure happens more than
>>> 100 times, I want to know about it. The rest I don't want in the e-mail.
>>
>> Disclaimer: I don't use logwatch so I don't know if you can accomplish
>> what you want there or not. If I need to flag an event that involves a
>> certain number of errors in a certain amount of time I will usually use
>> the simple event correlator - http://simple-evcorr.sourceforge.net
>>
>> There's a bit of a learning curve but it's a useful tool.
>>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list -
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>

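The question that started this thread was about surfacing only the failures that repeat more than about 100 times, and the rsyslog rules above route and drop lines but do not count them. The script below is an added example and not part of any message in this thread. It parses lines in the shape rsyslog writes for the "logger -t httpd_vhost_tag -p local6.info" pipe, applies the same tag and message tests the rsyslog.conf fragments use, and then reports only the 404 paths that exceed a threshold, so the below-threshold noise is dropped from the report rather than from the log. The sample lines, the host name web1, the client addresses, and the image path are all constructed for the example.

```python
import re
from collections import Counter

# One line as rsyslog writes it for the "logger -t <tag> -p local6.info" pipe:
#   "<Mon dd HH:MM:SS> <host> <tag>: <apache combined line>"
# The optional "[pid]" after the tag covers "logger -i".
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<tag>[^:\s\[]+)(?:\[\d+\])?: (?P<msg>.*)$'
)

# Apache "combined" LogFormat; referer and user-agent are optional so that
# "common" format lines parse as well.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Split one rsyslog-written line into its syslog fields, then add the
    Apache fields when the message body is an access-log line.  Returns None
    when the syslog wrapper itself does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    a = COMBINED_RE.match(rec['msg'])
    if a:
        rec.update(a.groupdict())
        rec['status'] = int(rec['status'])
    return rec


def classify(rec):
    """Same tests as the rsyslog.conf fragments in the thread:
    'alert'  if $msg contains 'w00tw00t'
    'error'  if $syslogtag contains '_error'
    'access' if $syslogtag startswith 'httpd_vhost_tag'
    'other'  for anything else (left to the default rules)."""
    if 'w00tw00t' in rec['msg']:
        return 'alert'
    if '_error' in rec['tag']:
        return 'error'
    if rec['tag'].startswith('httpd_vhost_tag'):
        return 'access'
    return 'other'


def count_404s(lines):
    """404 responses per request path, counted over access-tagged lines only."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and classify(rec) == 'access' and rec.get('status') == 404:
            counts[rec['path']] += 1
    return counts


def noisy_404s(lines, threshold=100):
    """Paths failing more than `threshold` times: the cut-off from the original
    question.  Paths below it are dropped from the report, not from the log,
    so they stay available if they turn into a real problem later."""
    return {p: n for p, n in count_404s(lines).items() if n > threshold}


def _access(path, status, ip='203.0.113.5', tag='httpd_vhost_tag'):
    # Constructed sample line in the shape rsyslog writes for the CustomLog pipe.
    return (f'Feb 11 17:08:01 web1 {tag}: {ip} - - [11/Feb/2011:17:08:01 -0700] '
            f'"GET {path} HTTP/1.1" {status} 209 "http://www.example.com/" "Mozilla/5.0"')


# Constructed sample input: one stale hotlinked image well over the cut-off,
# a favicon miss below it, normal traffic, a scanner probe, and one ErrorLog line.
SAMPLE_LINES = (
    [_access('/images/old-banner.jpg', 404) for _ in range(150)]
    + [_access('/favicon.ico', 404) for _ in range(7)]
    + [_access('/index.html', 200) for _ in range(40)]
    + [_access('/w00tw00t.at.ISC.SANS.DFind:)', 400, ip='198.51.100.9')]
    + ['Feb 11 17:08:02 web1 httpd_vhost_tag_error: [error] [client 203.0.113.5] '
       'File does not exist: /var/www/html/images/old-banner.jpg']
)


if __name__ == '__main__':
    by_class = Counter(classify(r) for r in map(parse_line, SAMPLE_LINES) if r)
    print('lines per class:', dict(by_class))
    for path, n in sorted(noisy_404s(SAMPLE_LINES).items(), key=lambda kv: -kv[1]):
        print(f'{n:6d}  404  {path}')
```

Run it against a real file by replacing SAMPLE_LINES with the lines of /var/log/httpd/vhost_combined_log (or whatever path the rsyslog rule writes to); the ErrorLog lines carry no status code and are simply not counted, which is why the tag test is applied before the status test.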