Logging to syslog
Vladimir Homutov
vl at nginx.com
Thu Feb 19 10:40:01 UTC 2015
On Thu, Feb 19, 2015 at 04:49:28AM -0500, scaarup wrote:
> Hi all.
> I am logging to syslog with the following configuration:
> log_format custom '$remote_addr $remote_user '
> '"$request" $status $body_bytes_sent '
> '"$http_referer" "$http_user_agent" UPSTREAM: $upstream_addr SSL: $ssl_protocol $ssl_cipher $ssl_session_reused TIME: $request_time';
> access_log syslog:server=localhost,facility=local2 custom;
> error_log syslog:server=localhost,facility=local1 info;
> Access.log entries look like this:
> Feb 19 10:39:50 localhost nginx: 192.168.11.18 - "GET /%%% HTTP/1.1" 400 166 "-" "-" UPSTREAM: - SSL: TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 r TIME: 0.008
> And error.log entries look like this:
> Feb 19 10:39:19 localhost nginx: 2015/02/19 10:39:19 [info] 53270#0: *1032 client sent invalid request while reading client request line, client: 192.168.11.18, server: payment.architrade.com, request: "GET /%%% HTTP/1.1"
>
> As you can see, the error log has two timestamps. How do I get rid of the
> one? My rsyslog-conf is handling local1 and local2 the same way, so I am
> thinking, since error_log directive has no log_format, nginx sends over a
> timestamp by default.
>
nginx sends to the remote server exactly the same message as it would write to
the disk and adds a syslog header to it. If you care about duplication of
timestamps, you can configure your syslog server to process incoming
messages intelligently and ignore some fields for specific clients.
http://www.rsyslog.com/doc/syslog_parsing.html
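
The processing suggested in the reply, sketched as an added example that is not part of the original thread: it post-processes lines already written by the syslog daemon in Python rather than configuring rsyslog itself. The function names are hypothetical, and the sample lines are the two entries quoted above.

```python
import re

# Constructed samples: the two log lines quoted in the post, one line each.
ERROR_LINE = ('Feb 19 10:39:19 localhost nginx: 2015/02/19 10:39:19 [info] 53270#0: '
              '*1032 client sent invalid request while reading client request line, '
              'client: 192.168.11.18, server: payment.architrade.com, '
              'request: "GET /%%% HTTP/1.1"')
ACCESS_LINE = ('Feb 19 10:39:50 localhost nginx: 192.168.11.18 - "GET /%%% HTTP/1.1" '
               '400 166 "-" "-" UPSTREAM: - SSL: TLSv1.2 '
               'ECDHE-RSA-AES128-GCM-SHA256 r TIME: 0.008')

# Header as the syslog daemon wrote it: "Mmm dd hh:mm:ss host tag: message".
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<tag>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$')

# nginx error_log prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: [*connection] text".
# Anchored at the start of the message, so a timestamp-like string inside the
# client-controlled request text is never mistaken for the prefix.
NGINX_ERR_RE = re.compile(
    r'^(?P<nginx_ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>[a-z]+)\] '
    r'(?P<pid>\d+)#(?P<tid>\d+): (?:\*(?P<conn>\d+) )?(?P<text>.*)$')

def parse_line(line):
    """Split a syslog line into fields; add nginx error fields when present."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    err = NGINX_ERR_RE.match(rec['msg'])
    if err:
        rec.update(err.groupdict())
    return rec

def strip_embedded_timestamp(line):
    """Drop nginx's own timestamp from error lines; return other lines unchanged."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return line
    err = NGINX_ERR_RE.match(m['msg'])
    if err is None:
        return line  # access-log line or foreign message: nothing to remove
    return line[:m.start('msg')] + m['msg'][err.end('nginx_ts') + 1:]

if __name__ == '__main__':
    print(strip_embedded_timestamp(ERROR_LINE))
    print(strip_embedded_timestamp(ACCESS_LINE))
```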