syslog not properly tagged

Francis Daly francis at daoine.org
Wed Nov 11 13:41:01 UTC 2015


On Wed, Nov 11, 2015 at 12:15:25PM +0200, Avraham Serour wrote:
> well the problem is not only with formatting, formatting is just and
> inconvenience that I managed to work around already, my main problem is to
> catch nginx logs only.

If nginx is the only thing that writes to this syslog service using the
remote syslog format, then nginx is the only thing that will have your
hostname in that part of the line, no? That should be straightforward
to extract.

> my rsyslog config will parse every syslog message, everyone that writes to
> syslog will send messages, I only need the ones coming from nginx, actually
> I even need to tell apart the error from access since they have diferent
> formatting

Can you tell rsyslog that if $programname == your hostname, this line is
in remote format and should be re-parsed on that basis? Then you might
find nginx and the tags where you expect them to be.

> >>> > access_log syslog:server=unix:/dev/log,tag=lenginx_access le_json;
> >>> > error_log syslog:server=unix:/dev/log,tag=nginx,severity=error;
> >>> >
> >>> > then I'm using rsyslog to ship my logs to my logstash server.

Given that the nginx you use only uses remote-syslog format, is it
worth you avoiding rsyslog and letting nginx write to the logstash
server directly?

(There may be good reasons why not to do that.)

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org



More information about the nginx mailing list