Sending Apache log messages to syslog


I needed to send Apache logs to my syslog server, which feeds a syslog security monitoring application that parses the content and alerts on nefarious activity. Searching the net turns up a number of ways to accomplish this; this is what I ended up doing.


In the Apache httpd.conf file, include this (the LogFormat is the stock "combined" format with %V, the canonical server name, prepended so the vhost is visible in each syslog message):

LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

CustomLog "|/usr/local/apache2/bin/apache_syslog.pl -r  -s tcp -f local3 -t apache_access -n |/usr/local/apache2/bin/rotatelogs /usr/local/apache2/logs/-access_log 86400" combined

ErrorLog "|/usr/local/apache2/bin/apache_syslog.pl -r  -s tcp -f local3 -t apache_errors -n |/usr/local/apache2/bin/rotatelogs /usr/local/apache2/logs/-error_log 86400"

Apache hands a piped log command (a single "|" prefix) to the shell, so the script's -n option, which echoes every line to stdout, lets the same line continue on to rotatelogs: a local copy of the log is kept alongside the syslog feed. Here is the apache_syslog.pl perl script used:

#!/usr/bin/perl
use strict;
use warnings;

use Sys::Syslog qw( :DEFAULT setlogsock );
use Getopt::Long;

# Set our default values
my $facility = 'local2';
my $priority = 'notice';
my $socktype = 'udp';
my $ident    = 'apache';
my $port     = 514;
my ($remotehost, $screen, $help);

# Read in options
my %opts = (
    "facility|f=s" => \$facility,
    "priority|p=s" => \$priority,
    "remote|r=s"   => \$remotehost,
    "socktype|s=s" => \$socktype,
    "screen|n"     => \$screen,
    "ident|t=s"    => \$ident,
    "help|h"       => \$help,
);

GetOptions(%opts) or usage(1);
usage(0) if defined $help;

# The positional form setlogsock($type, $path, $timeout) has no slot for a
# remote host, so use the hash-ref form (recent Sys::Syslog) with host/port.
my %sock = ( type => $socktype, port => $port );
$sock{host} = $remotehost if defined $remotehost;
setlogsock(\%sock) or die "setlogsock: cannot set up '$socktype' socket\n";

# Open the syslog connection once, not once per log line.
openlog($ident, 'ndelay,pid', $facility);

# With -n every line is echoed to STDOUT (e.g. on to rotatelogs); flush it
# immediately so the local log does not lag behind the syslog feed.
$| = 1;

while (my $log = <STDIN>) {
    print STDOUT $log if defined $screen;
    my $msg = $log;
    chomp $msg;
    # Always pass the line through '%s': syslog() treats its second argument
    # as a printf format, and request lines routinely contain '%' (URL
    # encoding), so logging $msg directly would mangle them or trip
    # format-string handling.
    syslog($priority, '%s', $msg);
}
closelog();

sub usage {
    my ($rc) = @_;
    print STDERR "Usage:  $0 [-h]
	[-f facility] # Facility
	[-p priority] # Priority
	[-n] # Print to screen
	[-r remotehost]  # Remote Log Host
	[-s [udp|tcp|unix|inet] ]  # Socket Type
	[-t ident]  # Ident
	\n";
    exit $rc;
}

Note: Sys::Syslog resolves the tcp port with getservbyname unless one is set explicitly, so to get this to work with syslog over tcp instead of udp you need a "syslog 514/tcp" entry in /etc/services.
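As an added example (not the page's script, and not part of any monitoring product), here is what the forwarded message looks like on the wire and how a receiver takes it apart again: the BSD-syslog envelope that openlog/syslog produce, with PRI = facility * 8 + severity, and a parser for the vhost-prefixed combined line. The hostname, PID, sample request and collector address are constructed for illustration; the sample deliberately carries URL-encoded "%" sequences and Apache's escaped quotes, the two things that trip naive forwarders and parsers.

```python
import re
import socket
from datetime import datetime

# RFC 3164 facility and severity codes (PRI = facility * 8 + severity).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


def pri(facility, severity):
    """PRI value that goes in the angle brackets at the start of a message."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(line, facility="local3", severity="notice", ident="apache_access",
                  pid=4242, hostname="web01", when=None):
    """Wrap one Apache log line in a BSD-syslog header, as the forwarder would.

    The line is inserted verbatim and never treated as a format string, so
    URL-encoded '%' sequences in the request survive untouched.
    """
    when = when or datetime.now()
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # e.g. 'Mar  5 14:07:09'
    body = line.rstrip("\r\n")
    return f"<{pri(facility, severity)}>{timestamp} {hostname} {ident}[{pid}]: {body}"


def send_udp(message, host="127.0.0.1", port=514):
    """Ship a built message to a syslog collector over UDP (assumed address)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (host, port))


# Receiver side: split off the syslog envelope, then the combined log line.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<ident>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Apache writes embedded quotes as \" so quoted fields must accept escapes;
# a plain [^"]* pattern breaks on such lines.
_Q = r'(?:[^"\\]|\\.)*'
APACHE_RE = re.compile(
    r"^(?P<vhost>\S+) (?P<client>\S+) (?P<logname>\S+) (?P<user>\S+) "
    r"\[(?P<time>[^\]]+)\] \"(?P<request>" + _Q + r")\" (?P<status>\d{3}) "
    r"(?P<bytes>\d+|-) \"(?P<referer>" + _Q + r")\" \"(?P<ua>" + _Q + r")\"$"
)


def parse_forwarded(message):
    """Return syslog header fields plus the parsed Apache fields, or None."""
    m = SYSLOG_RE.match(message)
    if not m:
        return None
    p = int(m.group("pri"))
    record = {
        "facility": p // 8, "severity": p % 8, "host": m.group("host"),
        "ident": m.group("ident"), "pid": m.group("pid"),
    }
    a = APACHE_RE.match(m.group("msg"))
    if not a:
        return None
    record.update(a.groupdict())
    return record


# Constructed sample line in the page's LogFormat (%V first). The request is a
# URL-encoded traversal probe, which a printf-style syslog() call would mangle.
SAMPLE = ('www.example.com 203.0.113.7 - - [05/Mar/2024:14:07:09 +0000] '
          '"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 209 '
          '"-" "Mozilla/5.0 (compatible; \\"scanner\\")"')
SAMPLE_TIME = datetime(2024, 3, 5, 14, 7, 9)

if __name__ == "__main__":
    wire = build_message(SAMPLE, when=SAMPLE_TIME)
    print(wire)
    print(parse_forwarded(wire))
```

Running it prints the framed message (PRI 157 for local3.notice) and the parsed record; send_udp() is there for pointing the same message at a real collector. The round trip of the "%2e%2e" request is the check that matters: whatever forwards the line must hand it to the syslog call as data, not as a format string.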
