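This is an example installation and configuration for CentOS 5.x.
The remote log server's IP address is assumed to be 192.168.0.2.
Apache writes to syslog facility local6 via logger, and rsyslog forwards those logs to the log server over TCP.
Installation
Install rsyslog 3.22 from the EPEL repository and perform the initial setup.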
yum install rsyslog --enablerepo=epel
vim /etc/sysconfig/rsyslog
SYSLOGD_OPTIONS="-c3"
service syslog stop
service rsyslog start
chkconfig syslog off
chkconfig rsyslog on
Web server configuration example
/etc/httpd/conf/httpd.conf
Change the log output so that it goes through logger.
CustomLog "|/usr/bin/logger -p local6.info -t http-access" combined
ErrorLog "|/usr/bin/logger -p local6.info -t http-error"
/etc/rsyslog.conf
Do not write local6 messages to /var/log/messages.
Send local6 messages to the log server.
# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local6.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# httpd logs
local6.* @@192.168.0.2
Log server configuration example
Do not write local6 messages to /var/log/messages.
Apache logs are written under /var/log/rsyslog/httpd/.
/etc/rsyslog.conf
# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local6.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

$ModLoad imtcp
$InputTCPServerRun 514

$template access_log, "%msg:2:$%\n"
$template error_log, "%fromhost-ip%%msg%\n"
$template access_log_file, "/var/log/rsyslog/httpd/%hostname%-%fromhost-ip%-access_log.%$NOW%"
$template error_log_file, "/var/log/rsyslog/httpd/%hostname%-%fromhost-ip%-error_log.%$NOW%"

if $syslogfacility-text == 'local6' and $syslogtag == 'http-access:' then -?access_log_file;access_log
if $syslogfacility-text == 'local6' and $syslogtag == 'http-error:' then ?error_log_file;error_log
Note that prefixing the log file path with "-" makes writes asynchronous; without it, writes are synchronous.
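
The following Python sketch is an added example, not part of the original page or of rsyslog itself. It mirrors the log server rules above (the local6 filter, the tag match, the file name templates and the two output templates) so you can check which file a forwarded line lands in and what gets written. The sample lines, the web server address 192.168.0.10 and the host name web01 are constructed assumptions.

```python
import re

# Traditional forward format on the wire: <PRI>TIMESTAMP HOSTNAME TAG MSG
LINE_RE = re.compile(
    r"<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^ :]+:)(.*)", re.S)
LOCAL6 = 22  # syslog facility code for local6
LOG_DIR = "/var/log/rsyslog/httpd"

def route(raw, fromhost_ip, now):
    """Return (file_path, written_line) as the server rules would, else None.

    raw         -- one forwarded syslog line
    fromhost_ip -- peer address of the TCP connection (%fromhost-ip%)
    now         -- current date as YYYY-MM-DD (%$NOW%)
    """
    m = LINE_RE.match(raw)
    if not m:
        return None
    pri, _timestamp, hostname, tag, msg = m.groups()
    facility, _severity = divmod(int(pri), 8)  # PRI = facility * 8 + severity
    if facility != LOCAL6:
        return None  # not selected by the two if-rules
    # %hostname% is read from the message header (set by the sender);
    # %fromhost-ip% is taken from the connection the line arrived on.
    base = f"{LOG_DIR}/{hostname}-{fromhost_ip}-"
    if tag == "http-access:":
        # "%msg:2:$%\n": drop the leading space, keep the rest of the message
        return base + f"access_log.{now}", msg[1:] + "\n"
    if tag == "http-error:":
        # "%fromhost-ip%%msg%\n": sender address followed by the message
        return base + f"error_log.{now}", fromhost_ip + msg + "\n"
    return None

# Constructed sample lines; <182> is local6.info (22 * 8 + 6)
ACCESS = ('<182>Jan  5 12:00:00 web01 http-access: 192.0.2.10 - - '
          '[05/Jan/2024:12:00:00 +0900] "GET / HTTP/1.1" 200 512 "-" "curl/7.0"')
ERROR = ('<182>Jan  5 12:00:01 web01 http-error: [error] File does not exist: '
         '/var/www/html/favicon.ico')
CRON = '<78>Jan  5 12:00:02 web01 crond: job started'  # cron.info, not local6

if __name__ == "__main__":
    for sample in (ACCESS, ERROR, CRON):
        print(route(sample, "192.168.0.10", "2024-01-05"))
```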