At this point, you may wonder why syslogd was proposed to perform remote logging, when the syslog() call offers no way to specify a remote server.
The reason is simple: a program (Apache, for instance) always uses the normal Unix domain socket (/dev/log) to log its messages. The syslogd daemon can be configured so that it doesn’t store the received log messages in a local file, but sends them to another syslogd daemon running on the Internet and (obviously) listening on UDP port 514. Adding a line in the syslog.conf file can do this:
This forwards all the requests marked with the local0 facility and the info log level to the remote_log_server.your_net.com host. You can see an example of this approach in Figure 3-2. Please note that here, as an example, the syslog daemon A doesn’t write any log files.
The easiest way to test if your logging facility is working well is to use the logger utility (or the equivalent on your system). Suppose that you have an entry like this in the syslog.conf file:
# Our testing bed
After modifying the /etc/syslog.conf file, remember to send a HUP signal to syslogd:
[root@local_machine root]# killall -HUP syslogd
Now, log a message using the logger utility, like this:
[root@local_machine root]# logger -p local0.crit "Hello readers..."
The /var/log/apache_book file will read like this:
[root@local_machine root]# cat /var/log/apache_book
Now, modify your syslog.conf in your local machine so that it contains:
Also modify the syslog.conf in the host remote_machine so that it contains:
You need to run syslogd with the -r option on the remote machine. Running this command on the local machine:
[root@local_machine root]# logger -p local0.crit "Hello readers..."
will result in this message on the remote machine:
[root@remote_machine root]# cat /var/log/apache_book
It worked! All the logger command does is call syslog(); it doesn’t know what is going to happen to the message. It could be written to a log file, it could be sent to a remote server, or it could even be completely ignored. This is the beauty and the power of the syslogd daemon.
Apache Logging Using syslogd
In this section, I will explain how to configure Apache so that it logs its error log and access log using syslogd.
Logging error_log through syslogd
From Apache 1.3, all you have to do is write syslog where the file name would be written in the httpd.conf file, like this:
The log levels (listed in Table 3-1) are identical to the ones used by Apache in its error log.
The syslog facility ID used by Apache by default is local7. Therefore, you need to add a line in the syslog.conf file like this:
You can set the facility in the httpd.conf file, writing this instead:
In this book, I will assume that your Apache uses the facility local7. You should tell syslogd that its configuration file has changed:
[root@localhost root]# killall -HUP syslogd
Restart your Apache daemon:
[root@localhost root]# /usr/local/apache2/bin/apachectl restart
If everything went well, you should see Apache’s log messages in /var/log/apache_error_log:
[root@localhost root]# tail -f /var/log/apache_error_log
It worked; Apache is now logging its errors through the syslogd daemon. Of course, if you want a remote host to actually store the messages, you have to change the file syslog.conf to:
You also need to restart your syslog daemon.
The server @remote_log_server should preferably be on your own network, and should be configured to store messages from facility local7 in a local file. Of course, the fact that a remote logging server would be receiving the log entries would be totally transparent to Apache. Remember that the syslogd daemon on the server remote_log_server must be started with the -r option.
Logging access_log through syslog
Configuring Apache’s access_log through syslog is less straightforward than doing the same operation with error_log. There is no syslog option for the access_log directive. The reason behind this is that sending access log information to the syslog daemon isn’t something that many users would do, because syslogd is quite slow. If you get 10 requests a second, you might miss something important. Furthermore, it can be configured easily, even if Apache doesn’t support it directly. To do this, you can use a logging program that, instead of writing to a file, sends information to the syslog daemon.
First of all, add the following line to your /etc/syslog.conf file:
Apache’s httpd.conf file should look like this:
CustomLog "|/usr/bin/logger -p local1.info" common
If your system doesn’t have a logger program, you should be able to find its equivalent quite easily.
Now, restart Apache and make syslog aware of the configuration changes:
[root@localhost root]# killall -HUP syslogd
Connect to your web server:
[root@localhost root]# telnet localhost 80
HTTP/1.1 200 OK
The new apache_access_log file should have a log entry like this:
[root@localhost root]# cat /var/log/apache_access_log
This log means that Apache is now logging its access log through syslog. Of course, you can easily change syslog’s configuration so that the access logs are redirected to a different machine, like this:
It is best to log all the access log messages with an info log level, so they are all of equal importance (unlike the log entries in Apache’s error log).
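The routing decisions described in this section can be checked offline before touching a live daemon. The following is an added example, not a listing from the book: it applies the classic sysklogd selector rule (a plain level matches that level and anything more severe) to a constructed syslog.conf built from the facilities, host and file names mentioned above, and assumes one selector per line.

```python
# Added example: sysklogd-style selector matching, one selector per line.
# The ";" and "," lists and the "!" negation are deliberately not handled.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              **{f"local{i}": 16 + i for i in range(8)}}
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample using the facilities and destinations named on this page.
SAMPLE_CONF = """\
# constructed sample, not the book's listing
local0.info    @remote_log_server.your_net.com
local7.*       /var/log/apache_error_log
local1.info    /var/log/apache_access_log
"""

def pri(facility, level):
    """PRI value carried in a syslog message: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + LEVELS.index(level)

def selector_matches(selector, facility, level):
    """True if a 'facility.level' selector accepts the given message."""
    sel_fac, sel_lvl = selector.split(".", 1)
    if sel_fac not in ("*", facility):
        return False
    if sel_lvl == "none":
        return False
    if sel_lvl == "*":
        return True
    if sel_lvl.startswith("="):          # "=info": that level only
        return sel_lvl[1:] == level
    # Plain "info" means info AND everything more severe (lower index).
    return LEVELS.index(level) <= LEVELS.index(sel_lvl)

def route(conf, facility, level):
    """Return the actions a message triggers; an empty list means it is ignored."""
    actions = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, level):
            actions.append(action)
    return actions

if __name__ == "__main__":
    for fac, lvl in [("local0", "crit"), ("local0", "debug"), ("local7", "err")]:
        print(f"{fac}.{lvl} (PRI {pri(fac, lvl)}) ->", route(SAMPLE_CONF, fac, lvl) or "ignored")
```

This is why a message sent with logger -p local0.crit is still caught by a local0.info selector, while a local0.debug message is silently dropped.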