Re: [squid-users] Fwd: squid 3.1 to export access_log to rsyslog

From: <david_at_lang.hm>
Date: Thu, 7 Apr 2011 17:20:46 -0700 (PDT)

On Thu, 7 Apr 2011, Osmany Goderich wrote:

> -----Original Message-----
> From: david_at_lang.hm [mailto:david_at_lang.hm]
> Sent: Tuesday, April 05, 2011 11:13 PM
> To: osmany_at_es.quimefa.cu
> CC: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Fwd: squid 3.1 to export access_log to rsyslog
>
> On Tue, 5 Apr 2011, osmany_at_es.quimefa.cu wrote:
>
>
> I have this in my rsyslog.conf file:
>
> $ModLoad immark.so # provides --MARK-- message capability
> $ModLoad imuxsock.so # provides support for local system logging
> $ModLoad imklog.so # kernel logging
>
> $WorkDirectory /rsyslog/spool # where to place spool files
> $ActionQueueFileName uniqName # unique name prefix for spool files
> $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
> $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
> $ActionQueueType LinkedList # run asynchronously
> $ActionResumeRetryCount -1 # infinite retries if host is down
> squid.* @@10.25.1.20:2001
>
> *.err;kern.warning;auth.notice;mail.crit /dev/console
> *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/message
> squid.* /usr/local/squid/var/logs/access.log
>
>
> I'm sure that the configuration on the rsyslog remote server is fine because
> it's receiving logs successfully from other servers (other services).
> I know this is actually going out of subject because this is a squid mailing
> list, but I'm sure some of you have run to a similar problem so I figured to
> keep asking you. Can you please keep helping me to solve this?

Ok, the problem is that 'squid' is not something that syslog knows about,
so you can't say 'squid.*'

if you just log *.* I believe that you will see that you are receiving
(and forwarding) the squid logs, but that may be more logs than you want
to do that with.

IIRC there are 14-16 'facilities' that syslog knows about

in the squid.conf

instead of saying

access_log syslog squid

say

access_log syslog:local2 squid

and then in rsyslog try

local2.*

as your filter and see how that works.

most examples use 'local0', but exactly because of that I try to avoid
using local0 and use one of the other ones.

David Lang
Received on Fri Apr 08 2011 - 00:21:03 MDT
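
A small selector lint for the facility problem discussed in this message, as an added example that is not part of the original post or of squid/rsyslog. The function names are hypothetical, the sample config is constructed from the lines quoted above, and the `info` severity in the PRI calculation is an assumption chosen for illustration.

```python
import re

# Standard facility keywords and codes from syslog(3) / RFC 5424
# (aliases such as "security" are omitted here).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

# facility[,facility...].severity as used in legacy selector lines
SELECTOR = re.compile(r"^([\w*,]+)\.[\w*=!]+$")

def unknown_facilities(conf_text):
    """Return (line_number, name) for each selector facility syslog does not define."""
    bad = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("$"):      # blank line or $Directive
            continue
        for sel in line.split()[0].split(";"):    # first field holds the selectors
            m = SELECTOR.match(sel)
            if not m:
                continue
            for fac in m.group(1).split(","):
                if fac != "*" and fac not in FACILITIES:
                    bad.append((no, fac))
    return bad

def pri(facility, severity):
    """PRI value carried in <...> at the start of a forwarded syslog message."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)

# Constructed sample: the original selector next to the suggested one.
SAMPLE = """\
$ModLoad imuxsock.so # provides support for local system logging
squid.* @@10.25.1.20:2001
*.err;kern.warning;auth.notice;mail.crit /dev/console
local2.* @@10.25.1.20:2001
"""

if __name__ == "__main__":
    for no, fac in unknown_facilities(SAMPLE):
        print(f"line {no}: '{fac}' is not a syslog facility")
    print("local2.info PRI =", pri("local2", "info"))
```

When checking the forwarded stream on the receiver, messages logged as local2.info begin with `<150>`.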
