Forwarding log via syslog-ng

Question

I'm trying to forward my logs using syslog-ng to my central syslog server. But it is not working.

This is the lines I added in syslog-ng.conf

source s_access { file("/var/log/httpd/access_log" follow_freq(10) flags(no-parse)); };
destination logserver { udp("xxxxxx.amazonaws.com" port(514)); };
log { source(s_access); destination(logserver); };

but when I restart, I'm getting the following error.

[root@ip-10-244-143-226 ~]# /etc/init.d/syslog-ng restart
Stopping syslog-ng:                                        [  OK  ]
Starting syslog-ng: syntax error at 79
Parse error reading configuration file, exiting. (line 79)
                                                           [FAILED]

79th line is the line in which source s_access is defined.

What can be the issue?

somebody please help me with this :( The following line is the problem. source s_access { file("/var/log/httpd/access_log" follow_freq(10) flags(no-parse, validate-utf8)); };

But I'm not getting where what is wrong.

I have apache,tomcat and some custom applications and I need to send these logs to a remote central syslog server.

Answer 1

If you are trying to log Apache events to syslog-ng, you are missing a few things. There's a blog post from LogZilla here that explains the steps to do it. You should be able to adapt it for your needs. But for the sake of completeness, I will repost here in case that blog page ever gets removed:

This method is not limited to Apache, but will work for any Common Log Format log. Each line in a file stored in the Common Log Format has the following syntax:

host ident authuser date request status bytes

The first step is to add a new source to your syslog-ng configuration. In the /etc/syslog-ng/conf.d directory, we'll create a file and name it apache.conf.

cd /etc/syslog-ng/conf.d 
 vi apache.conf

Once the file is open in the editor, we'll first add the source.

source s_apache {
 file("/var/log/apache2/access.log");
 file("/var/log/apache2/error.log");
 };

You can also add the ssl-access.log if you have enabled that on your web server. In the same file, we'll need to add a destination.

log { source(s_apache);
 destination(d_tls);
 };

In this example, the destination is a TLS tunnel created in a previous tutorial. Save the file and quit, then restart syslog-ng.

service syslog-ng restart

You should now be receiving apache events on your Logzilla server, but they'll look a little off. That's because they haven't been formatted yet. To do that, we'll need to edit the apache configuration. This step will only work for Apache. For other Common Log Format sources, each will have it's own solution for formatting.

cd /etc/apache2
 vi apache2.conf

In that file, you'll find a line like this:

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %v" combined

It will need a bit added to it (it will ignore the pre-set date).

LogFormat "Jan 12 12:12:12 %v apache[666]: %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %v" combined

Save the file and restart Apache, and your logs should look like this:

0 www user notice apache None 97.76.75.78 - - [07/Nov/2013:15:14:41 -0500] "GET /highslide/highslide.css HTTP/1.1" 304 209 
"http://www.yourserver.com/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; EIE10;ENUSMSN)" 
www.yourserver.com