I have a very annoying situation concerning apache access/error logs on a remote log server.
Webserver:
Stock apache logging with:
ErrorLog "|/usr/bin/logger -p local7.err -t www.sitename.com"
CustomLog "|/usr/bin/logger -p local7.info -t www.sitename.com" "combined"
rsyslog is configured as follows:
local7.info @log.remote.lan
local7.err @log.remote.lan
So far so good. All logs end up at the remote log server. On that server I have syslog-ng configured as follows:
options {
long_hostnames(off);
flush_lines(0);
use_dns(no);
use_fqdn(no);
owner("root");
group("adm");
perm(0644);
dir_perm(0755);
stats_freq(0);
bad_hostname("^gconfd$");
create_dirs(yes);
keep_hostname (yes);
};
destination hosts_acc {
file("/var/log/remote/${newmsghdr}/$R_YEAR/$R_MONTH/$R_DAY/access.log");
};
destination hosts_err {
file("/var/log/remote/${newmsghdr}/$R_YEAR/$R_MONTH/$R_DAY/error.log");
};
filter f_access {
message("GET|POST|OPTIONS|HEAD");
};
filter f_error {
message('\[error\]');
};
log {
source(s_lan);
rewrite(r_msghdr);
filter(f_access);
destination(hosts_acc);
flags("final");};
log {
source(s_lan);
rewrite(r_msghdr);
filter(f_error);
destination(hosts_err);
flags("final");
};
Both logs work fine. But… the error log is inserted twice in the logfile. When I set the webserver to log to a local file the error appears only once in that file. Any clues?
You’re sending the log lines twice, because of these lines in rsyslogd.conf:
local7.info @log.remote.lan
local7.err @log.remote.lan
When you specify info, that means that info and all higher priorities will be sent, not only info. Since err has a higher priority than info, you can remove the second line, so the log will only be sent once.
Check more discussion of this question.