m1cr0man
commented
4 years ago I'm saying we could change the httpd log format to something more easily parseable. http://httpd.apache.org/docs/current/mod/mod_log_config.html#logformat What do you think?
Closed butlerx closed 3 years ago
m1cr0man
commented
4 years ago I'm saying we could change the httpd log format to something more easily parseable. http://httpd.apache.org/docs/current/mod/mod_log_config.html#logformat What do you think?
butlerx
commented
4 years ago ah, then we should look at just outputting key-value or JSON logs directly and avoid needing to write parsing rules at all. Personally I'm happier if we update the logs to output key value.
If we are modifying the logs to be more easily parsable we could use rsyslog to read the files
input(type="imfile"
File="/var/log/httpd/access-*.log"
Tag="apache/access.log"
Ruleset="sendToLogserver")```something like
LogFormat "{ \"time\":\"%t\", \"remoteIP\":\"%a\", \"host\":\"%V\", \"request\":\"%U\", \"query\":\"%q\", \"method\":\"%m\", \"status\":\"%>s\", \"userAgent\":\"%{User-agent}i\", \"referer\":\"%{Referer}i\" }" accessJsonThat sounds good! We already have rsyslogd configured on all hosts.
butlerx
commented
4 years ago looking at how docker implemented logs to stdout
sed -ri \
-e 's!^(\s*CustomLog)\s+\S+!\1 /proc/self/fd/1!g' \
-e 's!^(\s*ErrorLog)\s+\S+!\1 /proc/self/fd/2!g' \
-e 's!^(\s*TransferLog)\s+\S+!\1 /proc/self/fd/1!g' \but httpd is having issues accessing these
m1cr0man
commented
4 years ago What was left to do here? Wouldn't mind having some httpd data :)
butlerx
commented
4 years ago Looking at the last change was logging to journald rather than syslog or file. So I think just testing left
butlerx
commented
3 years ago tested on rbtest and verified working
butlerx
commented
3 years ago Yep no log files anymore
im unsure what you're suggesting to change about the pr