Logging to syslog

Hi all.
I am logging to syslog with the following configuration:
log_format custom '$remote_addr $remote_user '
                  '"$request" $status $body_bytes_sent '
                  '"$http_referer" "$http_user_agent" UPSTREAM: $upstream_addr SSL: $ssl_protocol $ssl_cipher $ssl_session_reused TIME: $request_time';
access_log syslog:server=localhost,facility=local2 custom;
error_log syslog:server=localhost,facility=local1 info;
Access.log entries look like this:
Feb 19 10:39:50 localhost nginx: 192.168.11.18 - "GET /%%% HTTP/1.1" 400 166 "-" "-" UPSTREAM: - SSL: TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 r TIME: 0.008
And error.log entries look like this:
Feb 19 10:39:19 localhost nginx: 2015/02/19 10:39:19 [info] 53270#0: *1032 client sent invalid request while reading client request line, client: 192.168.11.18, server: payment.architrade.com, request: "GET /%%% HTTP/1.1"

As you can see, the error log has two timestamps. How do I get rid of the one? My rsyslog-conf is handling local1 and local2 the same way, so I am thinking, since error_log directive has no log_format, nginx sends over a timestamp by default.

Posted at Nginx Forum:

Hi,

have you checked that it's not your logserver who adds a timestamp itself?
I'm not sure, but afair rsyslog adds its own timestamps and you have to use a template to get rid of them.

Regards, Axel

On Thursday, 19 February 2015, 04:49:28, scaarup wrote:

Feb 19 10:39:50 localhost nginx: 192.168.11.18 - "GET /%%% HTTP/1.1" 400 166 "-" "-" UPSTREAM: - SSL: TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 r TIME: 0.008
And error.log entries look like this:
Feb 19 10:39:19 localhost nginx: 2015/02/19 10:39:19 [info] 53270#0: *1032 client sent invalid request while reading client request line, client: 192.168.11.18, server: payment.architrade.com, request: "GET /%%% HTTP/1.1"

Yes, rsyslog adds the first timestamp as I have configured it to. But it does not add the second. So is it a feature or bug, that you can configure nginx to send timestamp on access_log but not on error_log?

Posted at Nginx Forum:

What I am saying is, that there should be a log_format for error_log as well.

Posted at Nginx Forum:

On Thu, Feb 19, 2015 at 04:49:28AM -0500, scaarup wrote:

Feb 19 10:39:50 localhost nginx: 192.168.11.18 - "GET /%%% HTTP/1.1" 400 166

nginx sends to the remote server exactly the same message as it would write to the disk and adds a syslog header to it. If you care about duplication of timestamps, you can configure your syslog server to process incoming messages intelligently and ignore some fields for specific clients.
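
Added example, not part of the thread and not nginx or rsyslog code: a Python filter that does the receiving-side cleanup suggested above for the error-log lines shown in this thread. It removes nginx's embedded timestamp from the rendered line and splits out the trailing client/server/request fields. The function name, the field names and the assumption that rsyslog writes the traditional "Mon DD HH:MM:SS host tag:" header are choices made for this example.

```python
import re

# Syslog header as written by rsyslog (traditional format, assumed), followed by
# the nginx error-log line, which carries its own "YYYY/MM/DD HH:MM:SS" stamp.
LINE_RE = re.compile(
    r'^(?P<syslog_ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<tag>[^:\s]+): '
    r'(?P<nginx_ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) '
    r'\[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): '
    r'(?:\*(?P<conn>\d+) )?(?P<msg>.*)$'
)
# Trailing ", key: value" pairs that nginx appends to the message text.
KV_RE = re.compile(r', (client|server|request|upstream|host): ("[^"]*"|[^,]*)')

def normalize(line):
    """Parse one syslog-wrapped nginx error-log line.

    Returns a dict of fields plus "line", the message re-rendered with a single
    timestamp, or None when the input is not an nginx error-log line (access-log
    lines, for example, have no embedded timestamp and pass through untouched).
    """
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    msg = rec.pop("msg")
    first = KV_RE.search(msg)
    rec["text"] = msg[:first.start()] if first else msg
    for key, val in KV_RE.findall(msg):
        rec[key] = val.strip('"')
    conn = "*{} ".format(rec["conn"]) if rec["conn"] else ""
    # nginx_ts stays available as a field but is left out of the rendered line.
    rec["line"] = "{syslog_ts} {host} {tag}: [{level}] {pid}#{tid}: ".format(**rec) + conn + msg
    return rec

# The two log lines quoted in the thread, with wrapped lines joined.
SAMPLE_ERROR = ('Feb 19 10:39:19 localhost nginx: 2015/02/19 10:39:19 [info] 53270#0: '
                '*1032 client sent invalid request while reading client request line, '
                'client: 192.168.11.18, server: payment.architrade.com, '
                'request: "GET /%%% HTTP/1.1"')
SAMPLE_ACCESS = ('Feb 19 10:39:50 localhost nginx: 192.168.11.18 - "GET /%%% HTTP/1.1" '
                 '400 166 "-" "-" UPSTREAM: - SSL: TLSv1.2 '
                 'ECDHE-RSA-AES128-GCM-SHA256 r TIME: 0.008')

if __name__ == "__main__":
    print(normalize(SAMPLE_ERROR)["line"])
```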