imfile module - input line transformation
Hello rsyslog users,


We are currently running a small rsyslog setup (i.e. TCP-based remote
logging) in our test environment.

This setup is also used to transfer Apache access logs, using the pipe
operator in the Apache config and a Bash shell script which calls the
"logger" tool to log a message to local rsyslog in a loop like

# read first line
#...

while [ $result -eq 0 ]; do
    # log $line to $filename
    logger -p local0.info -t "APACHE" "$filename?$line"
    read line
    result=$?
done


The problem with this approach is twofold. First, we are experiencing
performance issues under increased load (all Apache workers in status "L"
on the Apache server status page when stress testing).

Secondly, in order to resolve the first issue, we thought about moving to
the file based input module which would make (we hope) Apache performance
less dependent on the logging infrastructure - as it would just log to the
native filesystem as usual. However, as can be seen above, we're currently
transforming the log messages to include the destination filename.
On the remote rsyslog server (the receiving end), the messages are logged
into a file whose name is dynamically derived from the first part of the
log (the part before the first question mark).

So my question is: can rsyslog be configured to
1. Read new lines from Apache access log as they become available
2. prepend an arbitrary string to the message (the destination filename)
3. log this transformed message instead of the original

Or is there a more "best-practices" approach to do what I want (which is:
filter messages on the remote end based on the tag and write them to a
dynamically generated filename using regexps)?

Thanks,
Pieter


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
Re: imfile module - input line transformation
Hi,

> We are currently running a small rsyslog setup (i.e. TCP-based remote
> logging) in our test environment.
>
> This setup is also used to transfer Apache access logs, using the pipe
> operator in the Apache config and a Bash shell script which calls the
> "logger" tool to log a message to local rsyslog in a loop like
>
> # read first line
> #...
>
> while [ $result -eq 0 ]; do
> # log $line to $filename
> logger -p local0.info -t "APACHE" "$filename?$line"
> read line
> result=$?
> done

Why not use the CustomLog Apache directive to pipe directly to the logger
command:

...
LogFormat "%b%l%a%h %b%l%a%h ..." logger_pipe
CustomLog "|/usr/bin/logger -p local0.info -t apache" logger_pipe

It should spawn only one logger process for the whole Apache host, and
most likely reduce the load.

> Secondly, in order to resolve the first issue, we thought about moving to
> the file based input module which would make (we hope) Apache performance
> less dependent on the logging infrastructure - as it would just log to the
> native filesystem as usual. However, as can be seen above, we're currently
> transforming the log messages to include the destination filename.
> On the remote rsyslog server (the receiving end), the messages are logged
> into a file whose name is dynamically derived from the first part of the
> log (the part before the first question mark).

Again, you can use the LogFormat for that, and let Apache do the work
without spawning processes over and over, which is most likely the slow
part.
>
> So my question is: can rsyslog be configured to
> 1. Read new lines from Apache access log as they become available
> 2. prepend an arbitrary string to the message (the destination
> filename)

In principle, you should use a template for that (untested):

$template TemplateName,"CONSTANT_ARBITRARY_STRING?%msg%"
if $programname == 'apache' then destination;TemplateName

(Although I cannot assure how it behaves with TCP...)

Cheers.
--
Luis Fernando Muñoz Mejías
Luis.Fernando.Munoz.Mejias@cern.ch

Re: imfile module - input line transformation

pieter.thysebaert@intec.ugent.be wrote:
| # read first line
| #...
|
| while [ $result -eq 0 ]; do
| # log $line to $filename
| logger -p local0.info -t "APACHE" "$filename?$line"
| read line
| result=$?
| done

You are spawning a logger process for each log line... brrrr....

| Or is there a more "best-practices" approach to do what I want (which is :
| filter messages on the remote end based on the tag and write them to a
| dynamically generated filename using regexps)

Personally I do it this way:

On the apache side for every VirtualHost:

ErrorLog "|/usr/bin/logger -p local5.err -t http_example.com"
CustomLog "|/usr/bin/logger -p local5.info -t http_example.com" combined

On the rsyslog side:

# Leave the message "untouched" without adding any information for easy
# parsing by webalizer & company
$template ApacheLog,"%msg:2:$:drop-last-lf%\r\n"

# Define an archiving policy that allows for simpler analysis and archiving
# The number 58 should be tuned for your system. Obviously everything must
# be on the same line.
$template ArchiveApache,"/var/log/apache/%$YEAR%/%$MONTH%/%$DAY%/%syslogtag:F,58:1%_%syslogseverity-text%.log"

# Define the destinations and prevent writing on other standard logs
# Put this near the beginning of the conf file
:syslogtag,startswith,"http" -?ArchiveApache;ApacheLog
:syslogtag,startswith,"http" ~


--
Flavio Visentin
GPG Key: http://www.zipman.it/gpgkey.asc

There are only 10 types of people in this world:
those who understand binary, and those who don't.
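
The replies above point out that the original loop starts one logger process per log line. As an added example (not part of the thread, and not any poster's code), the script below keeps the "filename?line" prefix but does the prefixing inside one shell and feeds a single long-lived logger. The function names and sample log lines are constructed, and the destination-name check is an added assumption based on the receiver building a file path from the text before the first "?".

```shell
#!/bin/sh
# Added example: prefix each access-log line with "<dest>?" without
# spawning a process per line. All names here are illustrative.

# valid_dest NAME: succeed only if NAME is safe as a receiver-side file stem.
# The receiver derives a path from the text before the first "?", so the
# stem may not be empty, start with "." or contain "/", "?" or other
# characters outside [A-Za-z0-9._-].
valid_dest() {
    case $1 in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# prefix_lines NAME: copy stdin to stdout as "NAME?line".
# IFS= keeps leading and trailing blanks; -r keeps the backslashes Apache
# writes for escaped bytes (\" and \xhh) instead of silently dropping them;
# the "|| [ -n ... ]" clause keeps a final line that has no newline.
prefix_lines() {
    valid_dest "$1" || { echo "prefix_lines: bad destination name" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s?%s\n' "$1" "$line"
    done
}

# log_stream NAME: what an Apache piped-log program would call.
# One logger process handles the whole stream.
log_stream() {
    prefix_lines "$1" | logger -p local0.info -t APACHE
}

# Constructed sample input: two access-log lines; the second has
# Apache-style backslash escapes and no trailing newline.
sample_log() {
    printf '%s\n' '10.0.0.1 - - [24/Mar/2009:12:00:00 +0100] "GET / HTTP/1.1" 200 512'
    printf '%s' '10.0.0.2 - - [24/Mar/2009:12:00:01 +0100] "GET /a\x00b HTTP/1.1" 400 0 "-" "ua \"x\""'
}
```

With the plain `read line` of the original loop, the backslashes in the second sample line would be consumed by the shell and the forwarded record would no longer match what Apache wrote.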
Re: imfile module - input line transformation
> The problem with this approach is twofold. First, we are experiencing
> performance issues under increased load (all Apache workers in status "L"
> on the Apache server status page when stress testing).

I am somewhat surprised neither of the responders did what seems
obvious to me and bypass the pipe/execution altogether. Unless
someone else here has had a problem doing so, there's no reason you
couldn't just use a named pipe on both ends:

[shell]
mkfifo /var/run/htlog-1

[apache]
CustomLog "/var/run/htlog-1" combined

[rsyslog]
$ModLoad imfile
$InputFileName /var/run/htlog-1
$InputFileTag apache1
$InputRunFileMonitor

That puts the logs in rsyslog with no extra executions or running
processes; what you do after that for filtering is up to you. The
nice thing about using a named pipe is that if the reading process
dies, the buffer doesn't go away and you have less chance of losing
messages.