Send Apache access logs to remote syslog in 1 line - Papertrail Blog


Send Apache access logs to remote syslog in 1 line

Posted by Troy Davis on

Papertrail supports the remote syslog protocol, so it accepts Web server access logs from rsyslog, syslog-ng, the tiny remote_syslog daemon (which sends log files to remote syslog), and other senders.

In that “other senders” category, here’s an elegant hack to have Apache transmit access logs directly to a remote syslog server, using a one-line httpd.conf change.

To transmit with the hostname “www1” and the program name “apache”, add this line:

CustomLog "|nc -u <destination hostname> 1111" "<134>%{%b %d %X}t www1 apache %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""

This combines netcat, Apache’s CustomLog configuration directive, and Apache’s piped logs feature (which will even restart nc if it crashes). Apache outputs a syslog-framed message to a pipe and nc does the rest. The <134> is the syslog priority value for facility local0, severity info (16 × 8 + 6). That’s followed by the syslog timestamp, system name, and program name.

Everything after “apache” is format specifiers to generate the standard combined log format. The format can be customized. The CustomLog directive works globally and can be used in VirtualHost stanzas.
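As an added example (not code from the original post), this Python check can be run on the receiving side to confirm that a line is framed the way the paragraphs above describe: it decodes the priority value, splits the syslog header, and parses the combined-format remainder. The sample line, its IP address and the function names are constructed for illustration, and it assumes %X renders as HH:MM:SS (the C locale).

```python
import re

# Facility codes 0-23 and severity codes 0-7, in RFC 3164 order
# (short names follow common syslog.conf usage).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# <PRI>Mmm dd hh:mm:ss hostname program message
FRAME = re.compile(r"^<(?P<pri>\d{1,3})>"
                   r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
                   r"(?P<host>\S+) (?P<program>\S+) (?P<msg>.*)$")

# Combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED = re.compile(r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                      r'"(?P<request>.*?)" (?P<status>\d{3}) (?P<bytes>\S+) '
                      r'"(?P<referer>.*?)" "(?P<agent>.*?)"$')

def priority(facility, severity):
    """PRI = facility code * 8 + severity code."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def parse_frame(line):
    """Split one datagram into syslog header fields and access-log fields."""
    m = FRAME.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("missing or malformed syslog header")
    pri = int(m.group("pri"))
    if pri > 191:  # highest valid PRI: local7 (23) * 8 + debug (7)
        raise ValueError("PRI out of range")
    access = COMBINED.match(m.group("msg"))
    if access is None:
        raise ValueError("message is not combined log format")
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "timestamp": m.group("ts"), "hostname": m.group("host"),
            "program": m.group("program"), **access.groupdict()}

# Constructed sample of what the CustomLog format writes to the pipe.
SAMPLE = ('<134>Oct 09 14:05:09 www1 apache 203.0.113.7 - - '
          '[09/Oct/2023:14:05:09 +0000] "GET /index.html HTTP/1.1" 200 5120 '
          '"-" "curl/8.0"')

if __name__ == "__main__":
    print(parse_frame(SAMPLE))
```

A line that fails the header check usually means the template lost its `<134>` prefix or the quotes in the format string were not escaped.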

The reference example is:

CustomLog "|nc -u <destination hostname> <destination port>" "<134>%{%b %d %X}t <system hostname> <program name> %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""

This would work for any daemon that can output to a pipe, doesn’t block on the output (or automatically restarts the pipe program, as Apache does), and supports a user-supplied template for message formatting. It’s also possible to have CustomLog pipe to the “logger” program (instead of netcat), like this:

CustomLog "|logger -t httpd -p <facility>.<severity>" <format>

... and then use your existing syslog daemon to transmit those to Papertrail.