How to log Apache errors to different syslog facilities for each virtual host?

Question

There are multiple vhosts are running on apache 2.2.22(Ubuntu 12.04), i want to send each vhost error logs to separate rsyslog file, Following are configuration

Apache Vhost

<VirtualHost *:80>
  php_value auto_prepend_file sdemoqa.php
  DocumentRoot /home/www//demoqa
  ServerName sdemoqa.xyz.com
  ErrorLog "syslog:local1"
  CustomLog /var/log/apache/sdemoqa-access.log combined

  RewriteEngine on
  Include /nas/wow.conf
  Include /nas/auth.conf
</VirtualHost>


<VirtualHost *:80>
  DocumentRoot /home/www/demoqa/hearing
  ServerName shdemoqa.xyz.com
#  ErrorLog /var/log/apache/hdemoqa-error.log
  ErrorLog "syslog:local2"
  CustomLog /var/log/apache/shdemoqa-access.log combined
</VirtualHost>

Syslog config /etc/rsyslog.d/50-default.conf

#Mod Security Logs
local1.*                        /var/log/apache2/modsec/sdemoqa.log
local2.*                        /var/log/apache2/modsec/shdemoqa.log

But all vhosts error are redirect to first entry of syslog mentioned in apache configs. I mean both vhosts error logs are going to "local1.* /var/log/apache2/modsec/sdemoqa.log"

Thanks infosec.pk

Answer 1

You may need to modify your customlog line with something like the following:

CustomLog "|/bin/logger -p local1.info -t apache" combined
ErrorLog syslog:local1

Answer 2

I think the point here is that combined needs to be at the end of the first logging line in each vhost or it will combined it with the next vhost logs possibly. So as Tom mentioned or the inverted as the OP had it ordered:

ErrorLog syslog:local1 combined
CustomLog "|/bin/logger -p local1.info -t apache"

It must be this way in at least the first vhost if there are only two vhosts, if there are more it needs to be ordered this way with combined at the end of the FIRST logging line in each previous vhost otherwise the next vhost will be always get combined into the prior vhost log settings/location.

Disclaimer: I have not fully tested this, test this before implementing...

Answer 3

The syslog location for the logging directives is only available for the ErrorLog directive and the log facility is global. Whichever is last defined is the facility that will be used for all syslog logging locations.

As suggested log piping is the best way to achieve what you described is what has already been mentioned with log piping. This is unfortunate because you lose the ability to distinguish priority.

Additionally, the other answers suggest logger is located at /bin/logger on my installation of Ubuntu 12.04 it is actually located at /usr/bin/logger

<VirtualHost *:80>
  php_value auto_prepend_file sdemoqa.php
  DocumentRoot /home/www//demoqa
  ServerName sdemoqa.xyz.com
  CustomLog "|/usr/bin/logger -p local1.notice -t apache" common
  CustomLog /var/log/apache/sdemoqa-access.log combined

  RewriteEngine on
  Include /nas/wow.conf
  Include /nas/auth.conf
</VirtualHost>

<VirtualHost *:80>
  DocumentRoot /home/www/demoqa/hearing
  ServerName shdemoqa.xyz.com
  CustomLog "|/usr/bin/logger -p local2.notice -t apache" common
  CustomLog /var/log/apache/shdemoqa-access.log combined
</VirtualHost>

I piped both VirtualHost declarations on the assumption that you would like the default ErrorLog directive to also go to syslog in yet another location.