Apache Lounge
Forum Index -> How-to's & Documentation & Tips
Topic: Error Log to Syslog Server and local error.log
magnific0
Joined: 27 Jan 2011
Posts: 2

Posted: Thu 27 Jan '11 15:36    Post subject: Error Log to Syslog Server and local error.log

Hi,

I am upping the security on my server a bit, so after installing mod_security I thought it would be useful to receive error messages (level error and above) in my Syslog server.

This proved to be quite tricky for Apache on Windows (running XAMPP), but I finally got it right, so I thought I would share this.

This method will send messages in compliance with RFC 3164 to a local/remote Syslog server on port 514 (UDP).

1. Downloads
Get the following command line tools:
-klog.exe (http://www.tucows.com/preview/507460)
-qgrep.exe (part of Windows Resource Kit, available as single download: http://www.seascapesailing.com/tools/_resource%20kit%20tools/Windows%20Resource%20Kits/Tools/)
-wtee.exe (http://code.google.com/p/wintee/)

2. Install:
Install Kiwi Logger, go to the program folder, copy klog.exe to a safe location, then uninstall Kiwi Logger.

Copy all three executables to your Windows\System32 folder.

3. Configure:
Edit your httpd.conf file, find the ErrorLog line and replace it with:

If you are running Apache from console:
Code:
ErrorLog "| wtee -a ../logs/error.log | qgrep -v warn | qgrep -v notice | klog -u 514 -h 127.0.0.1 -s -p 185 -i"


If you are running Apache as a service:
Code:
ErrorLog "| wtee -a logs/error.log | klog -u 514 -h 127.0.0.1 -s -p 185 -i"

Note: Unfortunately, when running Apache as a service, qgrep holds all messages until the service is shut down. It will then deliver all the messages. This is simply not acceptable, and so notice messages must be tolerated when running as a service. Hopefully somebody can shed some light on why qgrep is doing this.

4. Explanation:
This is all achieved with the use of piping (|).

The wtee command dumps everything into a file (error.log) and passes it through.
The wtee -a parameter tells it to append to the file instead of overwriting it.

The qgrep -v command tells it to drop every line containing "warn" or "notice", thus sending only messages of level error and above to syslog.

klog is a utility that generates a Syslog message, where:
-u tells it the port
-h defines the host
-s tells it to do this all silently
-p gives the message a priority (see below)
-i is the option for sending a piped stream instead of a single message

5. klog priorities
Those of you who are experienced with syslog know that you can set a facility and level to classify the source and urgency of a message. klog does this with the use of a single priority number, calculated as follows:

Code:
Priority = Facility*8 + Level

Example: Facility local7 + Level alert gives 23*8+1 = 185

Facility name  Alt Name  Number
Kernel         Kern        0
User                       1
Mail                       2
Daemon                     3
Auth                       4
Syslog                     5
Lpr                        6
News                       7
UUCP                       8
Cron                       9
System0        Security   10
System1        FTP        11
System2        NTP        12
System3        Logaudit   13
System4        Logalert   14
System5        Clock      15
Local0                    16
Local1                    17
Local2                    18
Local3                    19
Local4                    20
Local5                    21
Local6                    22
Local7                    23
 
Level name    Alt name     Number
Emergency     Emerg        0
Alert                      1
Critical      Crit         2
Error         Err          3
Warning       Warn         4
Notice                     5
Information   Info         6
Debug                      7
 


I hope you found this helpful; any questions/remarks are welcome.

Cheers!

Thoughts:
- I tried the Windows find /v command, but it cannot be used because it demands the string to be between "quotes".
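The pipeline above (wtee | qgrep -v | klog) can be replaced by one small script that Apache launches through the same piped-log mechanism. The following is an added example, not code from the post, from klog or from Apache: it builds the RFC 3164 packet itself using the Priority = Facility*8 + Level rule from the post, appends every line to a local copy of error.log, and forwards a line as soon as it arrives, so the service-mode batching problem described above does not occur. It also goes one step beyond the post: instead of dropping lines that merely contain the substrings "warn" or "notice", it reads the [level] tag Apache writes at the start of each error.log line (in both the 2.2 and 2.4 layouts) and uses it as the syslog severity, forwarding only lines at severity err or more urgent. The collector address 127.0.0.1:514, the local file path logs/error.log, the facility local7, the TAG "httpd", the treatment of untagged lines as errors, and the script name syslog_pipe.py are all assumptions for the example; the three sample log lines at the bottom are constructed.

```python
"""Apache error.log -> RFC 3164 syslog over UDP, plus a local copy.

Added example (not from the original post, klog or Apache). Run from
httpd.conf as:   ErrorLog "|python syslog_pipe.py"
Run with --demo to see the packets built for three constructed lines.
"""
import re
import socket
import sys
import datetime

COLLECTOR = ("127.0.0.1", 514)   # assumption: syslog server on UDP/514
LOCAL_LOG = "logs/error.log"     # assumption: path relative to ServerRoot
FACILITY = "local7"              # assumption: same facility the post uses
TAG = "httpd"                    # RFC 3164 TAG field (assumption)
HOSTNAME = socket.gethostname()

# RFC 3164 code tables (the same numbers the post tabulates).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "ntp": 12, "logaudit": 13,
              "logalert": 14, "clock": 15,
              **{"local%d" % i: 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Apache LogLevel names as written in error.log, mapped onto severities.
APACHE_LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "error": 3,
                 "warn": 4, "notice": 5, "info": 6, "debug": 7}

# Matches "[Thu Jan 27 15:36:00 2011] [error] ..." (Apache 2.2) and
# "[Thu Jan 27 15:36:00.123456 2011] [core:error] ..." (Apache 2.4).
LEVEL_RE = re.compile(r"^\[[^\]]*\] \[(?:[\w-]+:)?(\w+)\]")

# Constructed sample lines, used only by --demo.
SAMPLE_LINES = [
    "[Thu Jan 27 15:36:00 2011] [notice] Apache/2.2.17 configured -- resuming normal operations",
    "[Thu Jan 27 15:36:05 2011] [warn] [client 127.0.0.1] mod_security: warning only",
    "[Thu Jan 27 15:36:09 2011] [error] [client 127.0.0.1] ModSecurity: Access denied with code 403",
]


def pri(facility, severity):
    """PRI = Facility*8 + Level; local7 + alert gives 185 as in the post."""
    return FACILITIES[facility] * 8 + severity


def apache_severity(line, default=SEVERITIES["err"]):
    """Syslog severity taken from the [level] tag; untagged lines get `default`
    (assumption: treat them as errors rather than silently dropping them)."""
    m = LEVEL_RE.match(line)
    if m and m.group(1) in APACHE_LEVELS:
        return APACHE_LEVELS[m.group(1)]
    return default


def rfc3164(facility, severity, hostname, tag, msg, now=None):
    """Build one '<PRI>TIMESTAMP HOSTNAME TAG: MSG' packet, at most 1024 bytes."""
    now = now or datetime.datetime.now()
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss" with a space-padded day.
    stamp = "%s %2d %s" % (now.strftime("%b"), now.day, now.strftime("%H:%M:%S"))
    msg = msg.replace("\r", " ").replace("\n", " ")   # one line per datagram
    packet = "<%d>%s %s %s: %s" % (pri(facility, severity), stamp, hostname, tag, msg)
    return packet.encode("utf-8", "replace")[:1024]


def forward(line, threshold=SEVERITIES["err"]):
    """Packet to send for `line`, or None when it is less urgent than `threshold`
    (lower severity number = more urgent, so notice/warn/info/debug are dropped)."""
    sev = apache_severity(line)
    if sev > threshold:
        return None
    return rfc3164(FACILITY, sev, HOSTNAME, TAG, line.rstrip("\r\n"))


def main():
    if "--demo" in sys.argv:
        for line in SAMPLE_LINES:
            print(forward(line))
        return
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    with open(LOCAL_LOG, "a", encoding="utf-8") as local:
        for line in sys.stdin:        # one line at a time, never batched
            local.write(line)
            local.flush()             # keeps the local error.log current, like wtee
            packet = forward(line)
            if packet:
                sock.sendto(packet, COLLECTOR)


if __name__ == "__main__":
    main()
```

Apache starts the piped program once at startup and restarts it if it exits, so the script should keep reading stdin until Apache closes the pipe. On a Windows service, give the full path to python.exe in the ErrorLog line if it is not on the service account's PATH.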
EldrickTobin
Joined: 10 Oct 2011
Posts: 1
Location: Houston, TX, USA

Posted: Mon 10 Oct '11 21:00

I too tried qgrep, and after fighting it a bit and looking online I found the issue is with its internal buffer.

However, Grep for Win32 (http://gnuwin32.sourceforge.net/packages/grep.htm) is a "much better" implementation, and allows the --line-buffered option, killing the buffering issue.

I'm currently firing this all over the place:

Code:
CustomLog "|grep --line-buffered -v http://-- |wtee.exe -a logs/access.log" v-hostcombined env=!nolog

(wtee is 'legacy' from fighting qgrep and perl grep, but it isn't breaking anything so I left it in. Lovely find btw.)
minibayit
Joined: 01 Apr 2012
Posts: 2

Posted: Sun 01 Apr '12 9:01

Thank you for the info on setting up Syslog with Apache on Windows.

Always wanted to find a way to monitor mod_security logs!

The issues I had when setting it up were specific to my server (i.e. Apache has no permissions to access the System32 folder).

Thanks again.