syslog not properly tagged

Vladimir Homutov vl at nginx.com
Tue Nov 10 09:23:33 UTC 2015


On Tue, Nov 10, 2015 at 11:08:44AM +0200, Avraham Serour wrote:
> Hi,
>
> I have an ubuntu machine and installed nginx stable using the ppa (1.9.3)
>
> In my conf I'm sending the logs to syslog:
>
> access_log syslog:server=unix:/dev/log,tag=lenginx_access le_json;
> error_log syslog:server=unix:/dev/log,tag=nginx,severity=error;
>
> then I'm using rsyslog to ship my logs to my logstash server.
>
> My problem is that it seems nginx doesn't properly tag the messages, I
> should be able to filter nginx messages in my rsyslog conf using:
>
> if $programname == 'nginx' then {
>
> but it seems $programname is my hostname, the tag is added to the message
> body

This happens because nginx uses remote syslog message format, which
includes hostname. To use it with local syslog daemon you have two
options:

a) tell your syslog daemon that there is a hostname in a message coming
from nginx

b) tell nginx to not send hostname, using the 'nohostname' option, added
recently in 1.9.7 (http://nginx.org/en/docs/syslog.html)

>
> This creates two problems: now I need to workaround to filter nginx
> messages and my message body format is messed up, my beautifully json
> format is now not a valid json and I need to further manipulate it.
>
> I was able to work around this for the access logs, my filter is now:
> if $msg contains 'lenginx_access' then {
> and I am using the substring to remove the prefix
>
> But I wasn't able to accomplish this for the error logs, it seems I can't
> use a custom format for the error logs
>
> So any way of custom formatting my error logs to output json?
> How can I tell nginx to properly tag the messages?
>
> btw, upon registering to this mailing list I got a confirmation email with
> my password, really??
>
> Avraham
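The effect described in the reply, as an added example that is not part of the original thread or of nginx or rsyslog: a simplified model of a local-socket syslog parser that expects no hostname field, run against a constructed nginx frame with and without the 'nohostname' option. The hostname "web01", the JSON body, the frame layout and the function names are assumptions made for illustration.

```python
import json
import re

# Constructed sample body standing in for the poster's le_json access log line.
BODY = json.dumps({"status": 200, "uri": "/index.html"})


def nginx_frame(tag, body, hostname="web01", nohostname=False):
    """Build '<PRI>TIMESTAMP [HOSTNAME] TAG: MSG' (assumed layout; 'web01' is made up)."""
    host = "" if nohostname else hostname + " "
    # 190 = facility local7 (23) * 8 + severity info (6)
    return f"<190>Nov 10 09:23:33 {host}{tag}: {body}"


# Simplified model of a daemon reading the local socket: it assumes there is
# no hostname field, so the first token after the timestamp becomes the tag.
LOCAL_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+?):? (.*)$", re.S
)


def parse_local(frame):
    m = LOCAL_RE.match(frame)
    if m is None:
        raise ValueError("not a syslog frame")
    pri, _timestamp, programname, msg = m.groups()
    return {"facility": int(pri) >> 3, "severity": int(pri) & 7,
            "programname": programname, "msg": msg}


def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def demo():
    """Return {mode: (programname, msg_is_valid_json)} for both frame variants."""
    results = {}
    for label, flag in (("default", False), ("nohostname", True)):
        rec = parse_local(nginx_frame("lenginx_access", BODY, nohostname=flag))
        results[label] = (rec["programname"], is_valid_json(rec["msg"]))
    return results


if __name__ == "__main__":
    for label, (prog, ok) in demo().items():
        print(f"{label:11} programname={prog!r} json_ok={ok}")
```

With the hostname present, a filter on the program name never matches and the tag prefix breaks JSON parsing of the message body; with 'nohostname' both fields land where the filter expects them.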
