0
votes

I am trying to forward all of my Apache and drush logs to my Splunk server via rsyslog.

First, in my /etc/httpd/conf/httpd.conf file I change the entry:

ErrorLog /var/log/httpd/error_log

to:

ErrorLog syslog:local1

as described at: http://wiki.rsyslog.com/index.php/Working_Apache_and_Rsyslog_configuration

Then in /etc/rsyslog.conf, I add:

# Save apache messages to apache.log
local1.*                                                /var/log/apache.log

to send the logs prefixed with local1. to the local file /var/log/apache.log, and then:

local1.* @@splunk.myserver.com:8002

where my Splunk server is set to listen for TCP connections on port 8002. I haven't made an attempt at drush yet. The problem is that Apache logs fine with the previous setting, to /var/log/httpd/error_log, but after I make my changes nothing goes to /var/log/apache.log or to my Splunk server.
I restart both rsyslog and Apache after making my changes to the conf files.

1
You haven't specified the file '/var/log/apache.log' anywhere in the config I can see. Don't you need it after local1.*? - spacepickle

1 Answers

1
votes

I ran into the same thing.

I fixed it as follows: 1. Generate an error log entry, e.g. by accessing http://192.168.1.10/sadaf.php. Then check whether it shows up in /var/error.log.

If it does, I tested the Splunk server using port 514, with the sourcetype set to syslog. You can try it.
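
A hop-by-hop check of the path described in the question (process logging to facility local1, the `local1.*` file rule, and the plain-TCP forward), as an added example that is not part of the original posts. The hostname, port and file path are the ones from the question; the function names, the `webhost` hostname and the marker string are assumptions made for illustration.

```python
import socket
import syslog
import time

LOCAL1, ERR = 17, 3   # syslog facility local1 and severity err (RFC 3164 numbering)

def build_frame(msg, tag="httpd", host="webhost", t=None):
    """One RFC 3164-style, newline-terminated line, the shape a plain-TCP
    (@@) syslog forward carries. 'webhost' is a constructed hostname."""
    t = t or time.localtime()
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{LOCAL1 * 8 + ERR}>{stamp} {host} {tag}: {msg}\n".encode()

def send_direct(host, port, frame, timeout=3.0):
    """Test the TCP input on its own, bypassing rsyslog entirely.
    False means the listener or a firewall is the problem, not rsyslog."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(frame)
        return True
    except OSError:
        return False

def log_local1(msg, tag="httpd"):
    """Submit a message to the local syslog socket with facility local1,
    the same facility 'ErrorLog syslog:local1' makes Apache use."""
    syslog.openlog(tag, 0, syslog.LOG_LOCAL1)
    syslog.syslog(syslog.LOG_ERR, msg)
    syslog.closelog()

def seen_in(path, marker):
    """True if the marker reached the file written by the 'local1.*' rule."""
    try:
        with open(path, errors="replace") as fh:
            return any(marker in line for line in fh)
    except OSError:
        return False

if __name__ == "__main__":
    marker = f"rsyslog-path-test-{int(time.time())}"   # constructed marker
    log_local1(marker)
    time.sleep(1)                                      # give rsyslog time to write
    print("local1 -> /var/log/apache.log:", seen_in("/var/log/apache.log", marker))
    print("direct TCP to Splunk input   :",
          send_direct("splunk.myserver.com", 8002, build_frame(marker)))
```

If the first check fails, the `local1.*` rule is not being applied by the running rsyslog; if only the second fails, the problem is on the network or Splunk side.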