Install and configure syslog-ng
First you will need to install syslog-ng. This is the logging server that will send the log data to the syslog box.
apt-get update && apt-get install syslog-ng
syslog-ng uses a socket device to accept data from Apache or whatever program is creating the logs.
Use the configuration here: Syslog-ng default config.
The first part indicates what the socket will be called and where it will live. The second part tells syslog-ng where to send the collected data. Then restart syslog-ng (/etc/init.d/syslog-ng restart).
Configure apache’s logging
Add these directives to send Apache's logs via a socket to syslog:
CustomLog "|/usr/bin/logger -s -t 'monitor.cs.auckland.ac.nz' -p info -u /var/run/apache_log.socket" Combined
ErrorLog "|/usr/bin/logger -s -t 'monitor.cs.auckland.ac.nz' -p err -u /var/run/apache_log.socket"
Apache will then use the logger program to send data to syslog. /var/run/apache_log.socket refers to the device that syslog-ng has created. Data sent to this device is sent over the network to the main syslog box.
It seems that apache 2.0.54-5 does not like logging to a file and to a process at the same time. In this case log entries will become re-ordered or missed out. You can use the test scripts below to check if this is happening.
Here are some useful scripts that can help with testing to make sure the logging is working as expected.
You can simulate http accesses using lynx with this command:
watch lynx -source http://monitor.cs.auckland.ac.nz/
This makes an HTTP request every two seconds. Or, for a better test:
for i in `seq 1 100`; do lynx -source http://monitor.cs.auckland.ac.nz/$i;sleep 3;done
The result of this test is a sequence of log entries from 1 to 100. If entries are missing or in the wrong order, you know there is a problem.
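One way to automate that check, as an added example that is not part of the original page: the function scans the collected log for the numbered requests made by the loop and reports which are missing or arrived out of order. The sample log lines are constructed, the names check_sequence and sample_log are hypothetical, and it assumes each line still contains the combined-format request field.

```shell
#!/bin/sh
# Added example (not from the original page): check that the requests made by
# the lynx loop (/1 .. /N) all reached the log, in the order they were made.

# check_sequence FILE [MAX]   FILE may be "-" for stdin; MAX defaults to 100.
# Prints the missing and out-of-order request numbers; returns 1 if any.
check_sequence() {
    awk -v max="${2:-100}" '
        # Combined-format request field: "GET /<n> HTTP/1.x"
        match($0, /"GET \/[0-9]+ HTTP/) {
            n = substr($0, RSTART + 6, RLENGTH - 11) + 0
            if (n < 1 || n > max) next
            # A number lower than one already seen arrived late.
            if (n < last) { ooo = ooo " " n } else { last = n }
            seen[n] = 1
        }
        END {
            for (i = 1; i <= max; i++)
                if (!(i in seen)) miss = miss " " i
            if (miss != "") print "missing:" miss
            if (ooo != "") print "out-of-order:" ooo
            exit (miss != "" || ooo != "")
        }' "${1:--}"
}

# Constructed sample: lines as they might appear on the syslog box after a run
# with MAX=6. Entry 5 is lost, entry 3 arrives after 4, and the plain "GET /"
# request (from the watch command) is ignored.
sample_log() {
    cat <<'EOF'
Jan  1 12:00:00 www monitor.cs.auckland.ac.nz: 192.0.2.10 - - [01/Jan/2006:12:00:00 +1300] "GET / HTTP/1.0" 200 512 "-" "Lynx"
Jan  1 12:00:03 www monitor.cs.auckland.ac.nz: 192.0.2.10 - - [01/Jan/2006:12:00:03 +1300] "GET /1 HTTP/1.0" 404 205 "-" "Lynx"
Jan  1 12:00:06 www monitor.cs.auckland.ac.nz: 192.0.2.10 - - [01/Jan/2006:12:00:06 +1300] "GET /2 HTTP/1.0" 404 205 "-" "Lynx"
Jan  1 12:00:12 www monitor.cs.auckland.ac.nz: 192.0.2.10 - - [01/Jan/2006:12:00:12 +1300] "GET /4 HTTP/1.0" 404 205 "-" "Lynx"
Jan  1 12:00:09 www monitor.cs.auckland.ac.nz: 192.0.2.10 - - [01/Jan/2006:12:00:09 +1300] "GET /3 HTTP/1.0" 404 205 "-" "Lynx"
Jan  1 12:00:18 www monitor.cs.auckland.ac.nz: 192.0.2.10 - - [01/Jan/2006:12:00:18 +1300] "GET /6 HTTP/1.0" 404 205 "-" "Lynx"
EOF
}

# Demo run on the constructed sample.
sample_log | check_sequence - 6 || echo "problem detected in the logging path"
```

Against a real run, pass the collected log file and the loop's upper bound, for example check_sequence /path/to/collected.log 100, where the path is a placeholder for wherever the syslog box stores the entries.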