httpd-dev mailing list archives

From Fiedler Roman <Roman.Fied...@ait.ac.at>
Subject Questions on mod_syslog (RFC somehow)
Date Mon, 24 Mar 2014 10:12:41 GMT
Hello List,

I noticed that with Apache 2.5 a new mod_syslog seems to be added ([1]). Tell me if I'm wrong,
but I suppose that is a result of the intentions to modularize/improve support on that functionality.
I'm very keen on using syslogging, but in my opinion support on 2.2 (our main production
version) was suboptimal. Therefore I'm using 3 workarounds using pipe-logging, something
that would be fine to get rid of to avoid a) inter-process handling of Apache with loggers
b) numerous logging processes increasing load (usually 4 per 80/443-hosted domain).

Which of the functions of our current setup would make sense to support within Apache natively,
which of those workarounds could be done better already with current functionality and proposed
mod_syslog and which of them might be stupid anyway?


Current logging configuration example:

ErrorLog "||/usr/local/sbin/customlogger -p local1.err -t \"apache: default:443\""
CustomLog "||/usr/bin/customlogger -p local1.notice -t apache" my-combined

Rationale:

/usr/local/sbin/customlogger: Deliver a custom logger binary (I hate it). Current syslog implementation
has a historic 1024 byte line length limit, which is not so problematic with error messages
but very annoying on customlog: Long URLs are split up, IDS (using the remote syslog stream)
has to put them together again, races might occur, ... Since remote logging infrastructure
already supports 64k, this workaround enables syslogging from apache with 64k also.  Would
it make sense to add a maximal-line-length-parameter to mod_syslog? Or is this a move in the
wrong direction anyway, a race-free multi-line logging representation should be implemented,
that can be understood easily by IDS importer functions?

-p local1.err: Facility is supported by ErrorLog directive anyway, does level support also
make sense? With good Apache-native syslog support, I would guess I could live without it
since I guess default would be "err" for error logs, info or notice for everything else (customlog,
rewrite log, forensic-log??) anyway.

-t \"apache: default:443\"": Use a per-vhost logging tag (would be [domain]:port on non-default
vhosts), that makes it easier for remote systems using the logs (IDS, monitoring) to split
up traffic, especially, when multiple vhosts with same name exist, e.g. running on port 80,
port 443, one for intranet, one external, .... That is more an issue with error logging,
with custom-log the configurable custom-logging statement can be used to add this information
anyway.


Any opinions?

Kind regards,
Roman

[1] http://httpd.apache.org/docs/trunk/mod/mod_syslog.html
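
An added illustration, not part of the original message or of httpd: a Python example of the line-length issue raised above, showing how one long access-log line is carried in syslog records under a 1024-byte limit and under a 64k limit, and why fragments from two concurrent writers cannot be recognised as whole lines by a consumer. The helper names, the continuation-by-splitting behaviour and the sample request lines are assumptions constructed for the example; the facility and severity codes are the standard syslog values.

```python
# Added example: helper names and sample lines are constructed for illustration.
FACILITY = {"local1": 17}           # syslog facility code
SEVERITY = {"err": 3, "notice": 5}  # syslog severity codes


def pri(selector):
    """Map a logger-style 'facility.level' selector to the syslog PRI value."""
    facility, level = selector.split(".")
    return FACILITY[facility] * 8 + SEVERITY[level]


def frame(line, selector, tag, max_len):
    """Return the records ('<PRI>tag: payload', each <= max_len bytes) for one line."""
    header = f"<{pri(selector)}>{tag}: ".encode()
    room = max_len - len(header)
    if room <= 0:
        raise ValueError("max_len leaves no room for a payload")
    data = line.rstrip("\n").encode("utf-8", "replace")
    # Assumption: a line that does not fit is continued in further records.
    chunks = [data[i:i + room] for i in range(0, len(data), room)] or [b""]
    return [header + chunk for chunk in chunks]


def payloads(records, selector, tag):
    """Strip the header from each record, as a log consumer would."""
    skip = len(f"<{pri(selector)}>{tag}: ")
    return [r[skip:].decode() for r in records]


# Constructed sample: two access-log lines with long query strings.
LINE_A = '10.0.0.1 - - "GET /a?q=' + "A" * 3000 + ' HTTP/1.1" 200 512'
LINE_B = '10.0.0.2 - - "GET /b?q=' + "B" * 3000 + ' HTTP/1.1" 200 512'


def interleaved(max_len, selector="local1.notice", tag="apache"):
    """Records in the order they may arrive when two writers log at once."""
    a = frame(LINE_A, selector, tag, max_len)
    b = frame(LINE_B, selector, tag, max_len)
    mixed = []
    for i in range(max(len(a), len(b))):
        mixed += a[i:i + 1] + b[i:i + 1]
    return mixed


if __name__ == "__main__":
    for limit in (1024, 65536):
        seen = payloads(interleaved(limit), "local1.notice", "apache")
        intact = LINE_A in seen and LINE_B in seen
        print(f"limit={limit}: {len(seen)} records, lines intact: {intact}")
```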
