A small gotcha in configuring nginx syslog forwarding

More than 1 year has passed since last update.

I got a little stuck on syslog forwarding in nginx, so here are my notes on the key points.

Environment

Amazon Linux AMI release 2013.09
nginx 1.7.6
rsyslog 5.8.10

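Gotchas

The syslog tag allows alphanumeric characters only

If you try specifying http-access as the tag (転送先サーバのIP in the configuration lines is a placeholder for the destination server's IP address):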

nginx.conf
access_log  syslog:server=転送先サーバのIP:514,facility=local1,tag=http-access,severity=info main;

nginx complains as follows.

console
# /etc/init.d/nginx configtest
nginx: [emerg] syslog "tag" only allows alphanumeric characters in /etc/nginx/nginx.conf:10
nginx: configuration file /etc/nginx/nginx.conf test failed

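I wish I could at least have used a hyphen... :tired_face: :tired_face: :tired_face:

Forwarding uses UDP

Example configuration for syslog forwarding

Sender (source server) configuration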

nginx.conf
access_log  syslog:server=転送先サーバのIP:514,facility=local1,tag=httpaccess,severity=info main;

Receiver (destination server) configuration

/etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

/etc/rsyslog.d/nginx.conf
$template access_log, "%msg:2:$%\n"

$template access_log_file, "/var/log/rsyslog/nginx/%hostname%-%fromhost-ip%-access_log.%$NOW%"

if $syslogfacility-text == 'local1' and $syslogtag == 'httpaccess:' then -?access_log_file;access_log

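After that, just open port UDP:514 to traffic from the source server and you're done :ok_hand:

But my existing log server only accepts TCP... :scream:

In that case, receive the messages over UDP with a local rsyslog (or similar) first, then re-forward them over TCP :smile:

Example configuration for syslog forwarding over TCP

Sender (source server) configuration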

nginx.conf
access_log  syslog:server=127.0.0.1:514,facility=local1,tag=httpaccess,severity=info main;

/etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

/etc/rsyslog.d/nginx.conf
local1.*        @@転送先サーバのIP:514

Receiver (destination server) configuration

/etc/rsyslog.conf
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

/etc/rsyslog.d/nginx.conf
$template access_log, "%msg:2:$%\n"

$template access_log_file, "/var/log/rsyslog/nginx/%hostname%-%fromhost-ip%-access_log.%$NOW%"

if $syslogfacility-text == 'local1' and $syslogtag == 'httpaccess:' then -?access_log_file;access_log

Open TCP:514 to traffic from the source server.
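
Added example (not from the original article): a Python sketch of how the receiver rule in /etc/rsyslog.d/nginx.conf sees one nginx datagram. It shows why the filter compares $syslogtag against 'httpaccess:' with the trailing colon and why the template starts at character 2 of %msg%. The sample datagram, the hostname web01 and the function names are constructed for illustration, and the parsing is a simplified model of rsyslog's behaviour, not its code.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag: message  (BSD syslog layout; simplified model)
LINE = re.compile(
    r"<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^\s:]+:)(.*)", re.S)

# Constructed sample: PRI 142 = facility 17 (local1) * 8 + severity 6 (info)
SAMPLE = (b'<142>Oct 11 22:14:15 web01 httpaccess: 192.0.2.10 - - '
          b'[11/Oct/2014:22:14:15 +0900] "GET / HTTP/1.1" 200 612')


def valid_nginx_tag(tag: str) -> bool:
    """Alphanumeric-only rule from the configtest error quoted in the article."""
    return re.fullmatch(r"[A-Za-z0-9]+", tag) is not None


def parse(datagram: bytes) -> dict:
    """Split one datagram into the properties the rsyslog rule refers to."""
    m = LINE.fullmatch(datagram.decode("utf-8", "replace"))
    if m is None:
        raise ValueError("not in the expected syslog layout")
    pri = int(m.group(1))
    fac = pri >> 3
    return {
        "facility": f"local{fac - 16}" if 16 <= fac <= 23 else str(fac),
        "severity": SEVERITIES[pri & 7],
        "hostname": m.group(3),
        "syslogtag": m.group(4),   # keeps the trailing colon
        "msg": m.group(5),         # keeps the space after the colon
    }


def matches_filter(rec: dict) -> bool:
    """if $syslogfacility-text == 'local1' and $syslogtag == 'httpaccess:'"""
    return rec["facility"] == "local1" and rec["syslogtag"] == "httpaccess:"


def render(rec: dict) -> str:
    """Template "%msg:2:$%\\n": msg from character 2 to the end, plus newline."""
    return rec["msg"][1:] + "\n"


if __name__ == "__main__":
    rec = parse(SAMPLE)
    print(rec["facility"], rec["severity"], repr(rec["syslogtag"]))
    print(matches_filter(rec), repr(render(rec)))
```

A datagram sent with a different facility or tag fails matches_filter and is never written to the per-host access log file, which makes this a quick check when the receiver's file stays empty.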
