Last active
August 29, 2015 14:14
-
-
Save marshyon/583f75d35e45a6075ed1 to your computer and use it in GitHub Desktop.
centralised logging using rsyslog and apache
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| in apache2.conf, replace current ErrorLog line with : | |
| ErrorLog "| /usr/bin/logger -t httpderr -i -p local4.error" | |
| then in each virtual add logging : | |
| CustomLog "||/usr/bin/logger -t apache -i -p local5.notice" combined |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typically at the end of the file, add the following : | |
| # Provides TCP forwarding. | |
| *.* @@192.168.11.101:514 | |
| where 192.168.11.101 is the IP address of the central logging server and 514 the TCP port | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This will save the log file is a separate directory for each client's IP | |
| $template FILENAME,"/var/log/%fromhost-ip%/syslog.log" | |
| $template HTTPD,"/var/log/%fromhost-ip%/httpd.log" | |
| $template HTTPDERR,"/var/log/%fromhost-ip%/httpderr.log" | |
| $template KERNEL,"/var/log/%fromhost-ip%/kernel.log" | |
| #Create a separate log rule for the specific application | |
| if $programname == 'kernel' then ?KERNEL | |
| &~ | |
| if $programname == 'apache' then ?HTTPD | |
| &~ | |
| if $programname == 'httpderr' then ?HTTPDERR | |
| &~ | |
| #Dump all remaining messages that do not match the filters created into one file | |
| *.* ?FILENAME |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| run ssh reverse tunnel from logging server to target logging client server : | |
| ssh -R 10514:localhost:10516 user@192.168.11.1 # apache server ( see below ) | |
| configure rsyslog to listen on multipled ports - a port for each remotely connected server by the above method : | |
| # process remote messages | |
| $template HTTPD,"/var/log/apache_server_10516/apache.log" | |
| # define rulesets | |
| $RuleSet remote10514 | |
| *.* /var/log/remote_server_10514 | |
| $RuleSet remote10515 | |
| *.* /var/log/remote_server_10515 | |
| $RuleSet remote10516 | |
| if $programname == 'apache' then ?HTTPD | |
| & ~ | |
| *.* /var/log/apache_server_10516/syslog.log | |
| # define listeners bound to the relevant ruleset | |
| $InputTCPServerBindRuleset remote10514 | |
| $InputTCPServerRun 10514 | |
| $InputTCPServerBindRuleset remote10515 | |
| $InputTCPServerRun 10515 | |
| $InputTCPServerBindRuleset remote10516 | |
| $InputTCPServerRun 10516 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment