
As nginx 1.7+ supports syslog, I tried to aggregate all nginx nodes' logs onto a remote rsyslog server. I set the nginx.conf with

error_log syslog:server=[REMOTE_HOST]:514,tag=nginx;
access_log syslog:server=[REMOTE_HOST]:514,tag=nginx;

And on the remote rsyslog server, I set a config file with

local7.debug            /var/log/nginx/access.log; RemoteFormat
local7.debug            /var/log/nginx/error.log; RemoteFormat

But I still cannot get the logs. How do I aggregate all nginx access.log and error.log to separate files access.log and error.log on the remote rsyslog server? Thank you in advance.

perigee

1 Answer


I think you should use the if condition. See the example in the doc:

The if parameter (1.7.0) enables conditional logging. A request will not be logged if the condition evaluates to “0” or an empty string. In the following example, the requests with response codes 2xx and 3xx will not be logged:

map $status $loggable {
    ~^[23]  0;
    default 1;
}

access_log /path/to/access.log combined if=$loggable;

My idea: if the message is loggable (you can rewrite this map) the tag will be nginx-access, and if it isn't loggable the tag will be nginx-error. Now you can filter it with rsyslog via the tag.

But if you only want to separate the access and error logs, you can use different tags:

access_log ... tag=nginx-access;
error_log ... tag=nginx-error;

Another solution: use severity!

uzsolt
  • thx for the reply, I will use `severity` instead, for the remote rsyslog server side, how can I configure to separate the received access.log and error.log? Thank you in advance. – perigee Jan 05 '16 at 20:47
  • See https://wiki.gentoo.org/wiki/Rsyslog#Severity so I think local7.debug (debug severity) and local7.info (info severity) will be right. – uzsolt Jan 06 '16 at 07:51
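
One way to do the tag-based split from the answer on the rsyslog server, as an added example that is not part of the original question or answer. The file name, the underscore tag names and the UDP listener on port 514 are assumptions.

```rsyslog
# /etc/rsyslog.d/30-nginx.conf on the collector (file name is an assumption)
#
# Sender side, one tag per log stream (nginx.conf):
#   access_log syslog:server=[REMOTE_HOST]:514,tag=nginx_access;
#   error_log  syslog:server=[REMOTE_HOST]:514,tag=nginx_error;
# The tag names are assumptions. Underscores are used because nginx
# accepts only alphanumeric characters and underscore in tag=.

# nginx sends syslog over UDP, so the collector needs a UDP listener.
module(load="imudp")
input(type="imudp" port="514")

# The nginx tag= value arrives as the syslog program name.
# Note that a selector such as local7.debug matches debug *and every
# higher severity*, so two local7.debug rules each receive both streams.
# Matching on the program name keeps the two streams apart.
if $programname == "nginx_access" then {
    action(type="omfile" file="/var/log/nginx/access.log")
    # Do not let the message fall through to the default log files.
    stop
}

if $programname == "nginx_error" then {
    action(type="omfile" file="/var/log/nginx/error.log")
    stop
}
```

Restart rsyslog after adding the file, and make sure the collector's firewall accepts UDP 514 only from the nginx nodes, since the listener has no authentication.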