Topic: Error Log to Syslog Server and local error.log

magnific0
Joined: 27 Jan 2011 Posts: 2
Posted: Thu 27 Jan '11 15:36 Post subject: Error Log to Syslog Server and local error.log
Hi,
I am upping the security on my server a bit, so after installing mod_security I thought it would be useful to receive error messages (level error and above) in my Syslog server.
This proved to be quite tricky for Apache on Windows (running XAMPP), but I finally got it right, so I thought I would share this.
This method will send messages in compliance with RFC 3164 to a local/remote Syslog server on port 514 (UDP).
1. Downloads
Get the following command line tools:
- klog.exe (http://www.tucows.com/preview/507460)
- qgrep.exe (part of the Windows Resource Kit, available as a single download: http://www.seascapesailing.com/tools/_resource%20kit%20tools/Windows%20Resource%20Kits/Tools/)
- wtee.exe (http://code.google.com/p/wintee/)
2. Install:
Install Kiwi Logger, go to the program folder, copy klog.exe to a safe location, then uninstall Kiwi Logger.
Copy all three executables to your Windows\System32 folder.
3. Configure:
Edit your httpd.conf file, find the ErrorLog line and replace it with:
If you are running Apache from the console:
Code:
ErrorLog "| wtee -a ../logs/error.log | qgrep -v warn | qgrep -v notice | klog -u 514 -h 127.0.0.1 -s -p 185 -i"
If you are running Apache as a service:
Code:
ErrorLog "| wtee -a logs/error.log | klog -u 514 -h 127.0.0.1 -s -p 185 -i"
Note: Unfortunately, when running Apache as a service, qgrep holds all messages until the service is shut down. It will then deliver all the messages at once. This is simply not acceptable, and so notice messages must be tolerated when running as a service. Hopefully somebody can shed light on why qgrep is doing this.
4. Explanation:
This is all achieved with the use of piping |.
The wtee command dumps everything in a file (error.log) and passes it through.
The wtee -a parameter tells it to append to the file instead of overwriting it.
The qgrep -v command tells it to drop every line containing "warn" and "notice". Thus only messages of level error and above are sent to syslog.
klog is a utility that generates a Syslog message, where:
-u tells it the port
-h defines the host
-s tells it to do this all silently
-p gives the message a priority (see below)
-i is the option for sending a piped stream instead of a single message
5. klog priorities
Those of you who are experienced with syslog know that you can set a facility and level to classify the source and urgency of a message. klog does this with a single priority value, calculated as follows:
Code:
Priority = Facility * 8 + Level
Example: Facility local7 + Level alert gives 23*8+1 = 185

Facility name   Alt name    Number
Kernel          Kern        0
User                        1
Mail                        2
Daemon                      3
Auth                        4
Syslog                      5
Lpr                         6
News                        7
UUCP                        8
Cron                        9
System0         Security    10
System1         FTP         11
System2         NTP         12
System3         Logaudit    13
System4         Logalert    14
System5         Clock       15
Local0                      16
Local1                      17
Local2                      18
Local3                      19
Local4                      20
Local5                      21
Local6                      22
Local7                      23

Level name      Alt name    Number
Emergency       Emerg       0
Alert                       1
Critical        Crit        2
Error           Err         3
Warning         Warn        4
Notice                      5
Information     Info        6
Debug                       7
I hope you found it helpful, any questions/remarks are welcome.
Cheers!
Thoughts:
- I tried the Windows find /v command, but it cannot be used because it demands the string to be between "quotes".
EldrickTobin
Joined: 10 Oct 2011 Posts: 1 Location: Houston, TX, USA
Posted: Mon 10 Oct '11 21:00
I too tried qgrep, and after fighting it a bit and looking online I found the issue is with its internal buffer.
However, Grep for Win32 (http://gnuwin32.sourceforge.net/packages/grep.htm) is a "much better" implementation, and allows the --line-buffered option, which kills the buffering issue.
I'm currently firing this all over the place:
CustomLog "|grep --line-buffered -v http://-- |wtee.exe -a logs/access.log" v-hostcombined env=!nolog
(wtee is 'legacy' from fighting qgrep and perl grep, but it isn't breaking anything so I left it in. Lovely find btw.)
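For reference, here is a single piped-log program that does what the wtee | qgrep | klog chain in the first post does (append locally, drop anything below error, send RFC 3164 datagrams to UDP 514 with PRI = facility*8+level), and that flushes line by line so it does not hold messages until shutdown, the qgrep problem the first post and the reply above both describe. It is an added example, not code posted by either author or shipped by Apache Lounge or XAMPP. It assumes Python 3 is installed on the Windows box, that the error log uses the bracketed Apache 2.2 or 2.4 line format, and uses a placeholder hostname "www1" and tag "httpd" in the pure function (the live run uses the machine's own hostname); the sample log lines in it are constructed, not real data.

```python
#!/usr/bin/env python3
"""Piped ErrorLog program: append every line to a local error.log (line
buffered) and forward lines at or above a chosen severity to a syslog
server as RFC 3164 datagrams on UDP 514. Stand-in for wtee|qgrep|klog."""
import re
import socket
import sys
from datetime import datetime

# RFC 3164 facility and severity codes (same numbers as the table in the
# first post; the System0..System5 names there are Kiwi's own aliases).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "security": 10, "ftp": 11,
    "ntp": 12, "logaudit": 13, "logalert": 14, "clock": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warn": 4, "notice": 5, "info": 6, "debug": 7}

def priority(facility, severity):
    """PRI = Facility * 8 + Severity, e.g. local7 + alert = 23*8+1 = 185."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

# Apache error-log lines open with a timestamp and a bracketed level:
#   2.2: [Thu Jan 27 15:36:00 2011] [error] [client 10.0.0.5] ...
#   2.4: [Thu Jan 27 15:36:00.123456 2011] [core:error] [pid 12:tid 34] ...
LEVEL_RE = re.compile(
    r"^\[[^\]]+\] \[(?:[\w-]+:)?"
    r"(emerg|alert|crit|error|warn|notice|info|debug|trace[1-8])\]")

def apache_severity(line):
    """Syslog severity name for an Apache log line, or None when the line
    carries no level field (e.g. a multi-line continuation)."""
    m = LEVEL_RE.match(line)
    if not m:
        return None
    level = m.group(1)
    if level.startswith("trace"):
        return "debug"
    return "err" if level == "error" else level

def rfc3164(facility, severity, hostname, tag, msg, when=None):
    """'<PRI>Mmm dd hh:mm:ss HOST TAG: MSG'; the day is space padded
    ('Jan  7', not 'Jan 07') as RFC 3164 section 4.1.2 requires."""
    when = when or datetime.now()
    ts = "%s %2d %s" % (when.strftime("%b"), when.day,
                        when.strftime("%H:%M:%S"))
    return "<%d>%s %s %s: %s" % (priority(facility, severity), ts,
                                 hostname, tag, msg)

def select_and_format(lines, min_severity="err", facility="local7",
                      hostname="www1", tag="httpd", when=None):
    """Datagrams for the lines at or above min_severity (lower number is
    more urgent). Lines without a level are skipped here; main() still
    writes them to the local file."""
    limit = SEVERITIES[min_severity]
    out = []
    for line in lines:
        sev = apache_severity(line)
        if sev is not None and SEVERITIES[sev] <= limit:
            out.append(rfc3164(facility, sev, hostname, tag,
                               line.rstrip("\r\n"), when))
    return out

# Constructed sample lines (not real log data) for a --demo run.
SAMPLE_LINES = [
    "[Thu Jan 27 15:36:00 2011] [error] [client 10.0.0.5] ModSecurity: Access denied with code 403\n",
    "[Thu Jan 27 15:36:01 2011] [notice] Apache/2.2.17 (Win32) configured -- resuming normal operations\n",
    "[Thu Jan 27 15:36:02 2011] [warn] pid file overwritten\n",
    "[Thu Jan 27 15:36:03.000123 2011] [core:crit] [pid 100:tid 200] child exited on signal\n",
    "continuation line without a level field\n",
]

def demo():
    return select_and_format(SAMPLE_LINES, when=datetime(2011, 1, 27, 15, 36, 0))

def main(argv):
    local = argv[1] if len(argv) > 1 else "logs/error.log"
    host = argv[2] if len(argv) > 2 else "127.0.0.1"
    port = int(argv[3]) if len(argv) > 3 else 514
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # buffering=1 is line buffered, so nothing is held back until Apache
    # stops (the qgrep behaviour reported in this thread).
    with open(local, "a", buffering=1) as f:
        for line in sys.stdin:
            f.write(line)
            for dgram in select_and_format([line], hostname=socket.gethostname()):
                sock.sendto(dgram.encode("utf-8"), (host, port))

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        print("\n".join(demo()))
    else:
        main(sys.argv)
```

Hooked in as a piped log, with the path being an assumption: ErrorLog "|python C:/tools/errlog2syslog.py logs/error.log 127.0.0.1 514". Matching on the bracketed level field rather than on the substring "warn" also avoids dropping an error line whose message text happens to contain "notice" or "warn". Bear in mind that RFC 3164 over UDP is plaintext with no authentication, so point it at a collector on a trusted network segment, not across the Internet.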
minibayit
Joined: 01 Apr 2012 Posts: 2
Posted: Sun 01 Apr '12 9:01
Thank you for the info on setting up Syslog with Apache on Windows.
Always wanted to find a way to monitor mod_security logs!
The issues I had when setting it up were specific to my server (i.e. Apache has no permissions to access the System32 folder).
Thanks again.