
More than 3 years have passed since last update.

A small gotcha with nginx syslog forwarding settings

I got a little stuck on nginx syslog forwarding, so I am noting the key points here.

Environment

Amazon Linux AMI release 2013.09
nginx 1.7.6
rsyslog 5.8.10

Gotchas

The syslog tag must be alphanumeric only

If you try specifying http-access as the tag,

nginx.conf
access_log  syslog:server=<destination-server-IP>:514,facility=local1,tag=http-access,severity=info main;

nginx complains as shown below.

console
# /etc/init.d/nginx configtest
nginx: [emerg] syslog "tag" only allows alphanumeric characters in /etc/nginx/nginx.conf:10
nginx: configuration file /etc/nginx/nginx.conf test failed

I wish I could at least have used a hyphen... :tired_face: :tired_face: :tired_face:

Forwarding is over UDP

Example configuration for syslog forwarding

Sender configuration

nginx.conf
access_log  syslog:server=<destination-server-IP>:514,facility=local1,tag=httpaccess,severity=info main;

Receiver configuration

/etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

/etc/rsyslog.d/nginx.conf
$template access_log, "%msg:2:$%\n"

$template access_log_file, "/var/log/rsyslog/nginx/%hostname%-%fromhost-ip%-access_log.%$NOW%"

if $syslogfacility-text == 'local1' and $syslogtag == 'httpaccess:' then -?access_log_file;access_log

After that, just open UDP port 514 for traffic from the sending server and you are done :ok_hand:
  
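But my existing log server only accepts TCP... :scream:

In that case, receive the messages over UDP once with a local rsyslog (or similar) and then forward them again over TCP, and you will be fine :smile:

Example configuration for syslog forwarding over TCP

Sender configuration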

nginx.conf
access_log  syslog:server=127.0.0.1:514,facility=local1,tag=httpaccess,severity=info main;

/etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

/etc/rsyslog.d/nginx.conf
local1.*        @@<destination-server-IP>:514

Receiver configuration

/etc/rsyslog.conf
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

/etc/rsyslog.d/nginx.conf
$template access_log, "%msg:2:$%\n"

$template access_log_file, "/var/log/rsyslog/nginx/%hostname%-%fromhost-ip%-access_log.%$NOW%"

if $syslogfacility-text == 'local1' and $syslogtag == 'httpaccess:' then -?access_log_file;access_log

Be sure to open TCP port 514 for traffic from the sending server.
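
To see why the receiver rule compares $syslogtag with 'httpaccess:' (with the trailing colon) and why the template uses %msg:2:$%, here is an added Python sketch, not part of the original article, that parses a datagram of the kind nginx sends and mimics that rule. The sample datagram, the hostname web01 and all function names are constructed for illustration, and the parsing is a simplified model of what rsyslog does.

```python
import re

# RFC 3164 priority = facility * 8 + severity; local1 is 17, info is 6 -> <142>
FACILITIES = {16 + i: f"local{i}" for i in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Layout: <PRI>Mmm dd hh:mm:ss hostname tag: message
RFC3164 = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:]+:)"
    r"(?P<msg>.*)",
    re.DOTALL,
)

def tag_ok(tag: str) -> bool:
    """Rule from the nginx 1.7.6 error shown above: alphanumeric characters only."""
    return re.fullmatch(r"[A-Za-z0-9]+", tag) is not None

def parse_datagram(data: bytes) -> dict:
    """Split one syslog datagram into the fields the rsyslog rule looks at."""
    m = RFC3164.fullmatch(data.decode("utf-8", "replace"))
    if m is None:
        raise ValueError("not an RFC 3164 style message")
    facility, severity = divmod(int(m["pri"]), 8)
    return {
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": SEVERITIES[severity],
        "hostname": m["host"],
        "syslogtag": m["tag"],  # keeps the trailing colon, like $syslogtag
        "msg": m["msg"],        # keeps the leading space, like %msg%
    }

def route(data: bytes):
    """Mimic the receiver rule: return the line written to the file, or None."""
    f = parse_datagram(data)
    if f["facility"] == "local1" and f["syslogtag"] == "httpaccess:":
        return f["msg"][1:] + "\n"  # "%msg:2:$%\n": second character to the end
    return None

# Constructed sample datagram (documentation IP address, made-up hostname).
SAMPLE = (b'<142>Oct 21 12:34:56 web01 httpaccess: 192.0.2.10 - - '
          b'[21/Oct/2014:12:34:56 +0900] "GET / HTTP/1.1" 200 612')

if __name__ == "__main__":
    print(parse_datagram(SAMPLE))
    print(repr(route(SAMPLE)))
```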
