Re: [squid-users] Fwd: squid 3.1 to export access_log to rsyslog

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 08 Apr 2011 13:40:56 +1200

On 08/04/11 12:20, david_at_lang.hm wrote:
> On Thu, 7 Apr 2011, Osmany Goderich wrote:
>
>> -----Original Message-----
>> From: david_at_lang.hm [mailto:david_at_lang.hm]
>> Sent: Tuesday, April 05, 2011 11:13 PM
>> To: osmany_at_es.quimefa.cu
>> CC: squid-users_at_squid-cache.org
>> Subject: Re: [squid-users] Fwd: squid 3.1 to export access_log to rsyslog
>>
>> On Tue, 5 Apr 2011, osmany_at_es.quimefa.cu wrote:
>>
>>
>> I have this in my rsyslog.conf file:
>>
>> $ModLoad immark.so # provides --MARK-- message capability
>> $ModLoad imuxsock.so # provides support for local system logging
>> $ModLoad imklog.so # kernel logging
>>
>> $WorkDirectory /rsyslog/spool # where to place spool files
>> $ActionQueueFileName uniqName # unique name prefix for spool files
>> $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
>> $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
>> $ActionQueueType LinkedList # run asynchronously
>> $ActionResumeRetryCount -1 # infinite retries if host is down
>> squid.* @@10.25.1.20:2001
>>
>> *.err;kern.warning;auth.notice;mail.crit /dev/console
>> *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/message
>> squid.* /usr/local/squid/var/logs/access.log
>>
>>
>> I'm sure that the configuration on the rsyslog remote server is fine
>> because it's receiving logs successfully from other servers (other
>> services). I know this is actually going out of subject because this is
>> a squid mailing list, but I'm sure some of you have run into a similar
>> problem so I figured to keep asking you. Can you please keep helping me
>> to solve this?
>
> Ok, the problem is that 'squid' is not something that syslog knows
> about, so you can't say 'squid.*'
>
> if you just log *.* I believe that you will see that you are receiving
> (and forwarding) the squid logs, but that may be more logs than you want
> to do that with.
>
> IIRC there are 14-16 'facilities' that syslog knows about
>
> in the squid.conf
>
> instead of saying
>
> access_log syslog squid
>
> say
>
> access_log syslog:local2 squid
>
> and then in rsyslog try
>
> local2.*
>
> as your filter and see how that works.
>
> most examples use 'local0', but exactly because of that I try to avoid
> using local0 and use one of the other ones.
>
> David Lang

It's good to be aware of the defaults as well.

A facility is pretty much required. If unset the log details show up at
whatever default the OS has. Which can be the kernel-level priority on
some systems. Very annoying.

If unset the priority used is "info".

So this
  access_log syslog:local2 squid
is the same as this:
  access_log syslog:local2.info squid

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.6
Received on Fri Apr 08 2011 - 01:41:02 MDT
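
The facility and priority matching discussed in this thread, as an added example that is not part of the original messages. It computes the PRI value that "syslog:local2" (priority "info") produces and evaluates a simplified single "facility.priority" selector against it; the sample frame is constructed and the selector logic is a model, not rsyslog's own parser.

```python
# Added example: syslog PRI arithmetic behind "access_log syslog:local2 squid".
# Numeric codes follow RFC 3164/5424; SAMPLE is a constructed frame.
import re

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
SAMPLE = ("<150>Apr  8 13:40:56 proxy squid[1234]: "
          "1302226856.123 45 192.0.2.10 TCP_MISS/200 1024 GET http://example.com/")


def encode_pri(facility, severity="info"):
    """PRI = facility * 8 + severity; "info" is the priority used when unset."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(frame):
    """Return (facility, severity) names from a frame that starts with <PRI>."""
    m = re.match(r"<(\d{1,3})>", frame)
    if not m:
        raise ValueError("frame has no <PRI> header")
    fac, sev = divmod(int(m.group(1)), 8)
    fac_names = {v: k for k, v in FACILITIES.items()}
    sev_names = {v: k for k, v in SEVERITIES.items()}
    return fac_names.get(fac, str(fac)), sev_names[sev]


def selector_matches(selector, frame):
    """Model of one 'facility.priority' selector (no ';' lists, no '=' or '!')."""
    fac_sel, _, sev_sel = selector.partition(".")
    if fac_sel != "*" and fac_sel not in FACILITIES:
        # 'squid' lands here: it is a program name, not a syslog facility.
        raise ValueError(f"unknown facility {fac_sel!r}")
    fac, sev = decode_pri(frame)
    if fac_sel not in ("*", fac) or sev_sel == "none":
        return False
    # A named priority matches that severity and anything more severe.
    return sev_sel == "*" or SEVERITIES[sev] <= SEVERITIES[sev_sel]


if __name__ == "__main__":
    print(encode_pri("local2"), decode_pri(SAMPLE))
    for sel in ("local2.*", "local0.*", "*.notice"):
        print(sel, selector_matches(sel, SAMPLE))
```

The "*.notice" case returns False because "info" is less severe than "notice", so access log lines sent at the default priority do not land in a file selected that way.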
