Posted to dev@httpd.apache.org by Fiedler Roman <Ro...@ait.ac.at> on 2014/03/24 11:12:41 UTC

Questions on mod_syslog (RFC somehow)

Hello List,

I noticed that with Apache 2.5 a new mod_syslog seems to be added ([1]). Tell me if I'm wrong, but I suppose that is the result of the intentions to modularize/improve support for that functionality. I'm very keen on using syslogging, but in my opinion support in 2.2 (our main production version) was suboptimal. Therefore I'm using 3 workarounds with pipe-logging, something that would be fine to get rid of to avoid a) inter-process handling of Apache with loggers and b) numerous logging processes increasing load (usually 4 per 80/443-hosted domain).

Which of the functions of our current setup would make sense to support within Apache natively, which of those workarounds could be done better already with current functionality and proposed mod_syslog and which of them might be stupid anyway?


Current logging configuration example:

ErrorLog "||/usr/local/sbin/customlogger -p local1.err -t \"apache: default:443\""
CustomLog "||/usr/bin/customlogger -p local1.notice -t apache" my-combined

Rationale:

/usr/local/sbin/customlogger: Deliver a custom logger binary (I hate it). Current syslog implementation has a historic 1024 byte line length limit, which is not so problematic with error messages but very annoying on customlog: Long URLs are split up, IDS (using the remote syslog stream) has to put them together again, races might occur, ... Since remote logging infrastructure already supports 64k, this workaround enables syslogging from Apache with 64k also. Would it make sense to add a maximal-line-length parameter to mod_syslog? Or is this a move in the wrong direction anyway, and a race-free multi-line logging representation should be implemented that can be understood easily by IDS importer functions?

-p local1.err: Facility is supported by the ErrorLog directive anyway; does level support also make sense? With good Apache-native syslog support, I would guess I could live without it, since I guess the default would be "err" for error logs, info or notice for everything else (customlog, rewrite log, forensic-log??) anyway.

-t \"apache: default:443\"": Use a per-vhost logging tag (would be [domain]:port on non-default vhosts), which makes it easier for remote systems using the logs (IDS, monitoring) to split up traffic, especially when multiple vhosts with the same name exist, e.g. running on port 80, port 443, one for intranet, one external, .... That is more an issue with error logging; with custom-log, the configurable custom-logging statement can be used to add this information anyway.


Any opinions?

Kind regards,
Roman

[1] http://httpd.apache.org/docs/trunk/mod/mod_syslog.html
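
Added illustration (not part of the original post, and not the poster's customlogger): a minimal piped-log sender showing how the -p facility.level and -t tag options map onto a syslog record, and how a 1024-byte limit fragments a long request line while a 64k limit keeps it in one record. The function names, the /dev/log socket path and the command-line usage are assumptions.

```python
import socket
import sys

# Facility and severity numbers as defined for syslog (RFC 3164 / RFC 5424).
FACILITY = {f"local{i}": 16 + i for i in range(8)}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

LEGACY_LIMIT = 1024      # historic per-message limit mentioned in the post
LARGE_LIMIT = 64 * 1024  # limit the post says the remote infrastructure supports


def parse_priority(spec):
    """Turn a 'facility.level' string such as 'local1.err' into a PRI value."""
    facility, level = spec.split(".", 1)
    return FACILITY[facility] * 8 + SEVERITY[level]


def frame(line, spec, tag, limit=LARGE_LIMIT):
    """Build the datagrams for one log line, each shaped '<PRI>tag: text'.

    A line that does not fit in `limit` bytes is cut into several records,
    which is the situation the receiving IDS then has to reassemble.
    """
    header = f"<{parse_priority(spec)}>{tag}: ".encode()
    body = line.rstrip("\r\n").encode("utf-8", "replace")
    room = limit - len(header)
    if room <= 0:
        raise ValueError("tag too long for limit")
    chunks = [body[i:i + room] for i in range(0, len(body), room)] or [b""]
    return [header + c for c in chunks]


def main(argv):
    # Hypothetical usage: ErrorLog "||/path/to/this.py local1.err 'apache: default:443'"
    spec, tag = argv[1], argv[2]
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.connect("/dev/log")  # assumption: the local syslog daemon listens here
    for line in sys.stdin:
        for record in frame(line, spec, tag):
            sock.send(record)


if __name__ == "__main__":
    main(sys.argv)
```

Whether a 64k datagram is accepted end to end depends on the local syslog daemon and the transport to the remote collector.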