sending Apache File Not Found error messages to syslog-ng

[saadwharton]

Hi,
I am running Apache 2 on Ubuntu. I am trying to send 'File Does not exist' messages from Apache to syslog-ng on the same server.

I have the following perl script. The perl script is named apachelogger and is saved in the / directory.

#!/usr/bin/perl
Use Sys::Syslog qw( EFAULT setlogsock );
Setlogsock(‘unix’);
Openlog(‘apache’, ‘cons’, ‘pid’ ‘local2’);

While &log = <STDIN>) {
Syslog(‘notice’, $log);
}

closelog


My /etc/apache2/apache2.conf has the line:

ErrorLog |/apachelogger

The only Apache messages I see in /var/log/syslog pertain to the starting and stopping of Tomcat and JSvc.exe as well as SIGTERM messages. I don't see any 'File Does Not Exist' messages when I enter the url of an unexisting file in a browser. I am using lynx (on the same server) to test this and I enter URL requests such as

http://localhost/test3.html

where test3.html does not exist in /var/www/ . The 'File Does not exist' messages show up in the apache error.log file. What am I doing wrong above?

I have also tried this by simply adding

ErrorLog syslog:local1

Same result as above. Please help.

Thanks.

 

[donb01]

I don't know about Ubuntu, but in my world the Apache error logs are either in /var/log/httpd or /var/log/apache, with the first being more common. I have never seen anything referring to Apache other than startup or shutdown in syslog.

Try looking in there if you haven't already....

 

[Noway2]

When a user attempts to access a page that does not exist, it will generate a log entry, in addition to givin gthe user a 404 error. Also, if you don't like the default 404 page, the apache documentation has information on how to change it.

I discovered this when I saw in a Snort alert that a user (me) had attempted to access page xyz that didn't exist.

 

[saadwharton]

On Ubuntu, the error log is located at /var/log/apache2/error.log . The error.log file does contain the 'File does not exist' entries.

Each entry contains the date/time, IP Address, the words 'File does not exist' and the page that was accessed.

The problem is in sending this information to syslog-ng. The perl script above should send it to syslog. It is sending other messages but not the 'File does not exist' messages. Still looking for a solution.



Saad

 

[Noway2]

Saadwharton, don't know why you are not getting file does not exist. Perhaps there is something that needs to be changed in the apache configuration?

"Mon Aug 10 16:37:13 2009] [error] [client 204.90.101.20] File does not exist: /var/

http://www2/bull$hit"

Just tried it from my own server and found it in /var/log/apache2/error.log

 

[donb01]

One other option if it doesn't have to be in syslog and you just want to pull the errors out into a separate file:

Put these 2 directives in your apache config file for that site (if you have more than one):

ErrorLog logs/donsworlderror.log
CustomLog logs/donsworld.log combined

Obviously you would choose your own filenames! The "logs/" prefix tells the system to store the files in the standard apache log file location, which in your case from the mention above should be /var/log/apache2/

The first entry tells Apache to take just the errors and store them under the filename given, and the second format I use to provide the proper data format for how I have my AWStats package configured. You will get all the errors and not just the 404/file not found errors tho - also the redirects, permission violations, etc...

I would have to dig into the docs to find out if you can have separate error files based on the error code or not - I'm not sure on that one...

 

[elgrandeperro]

Unless you pasted wrong, you have sigificant syntax errors in your original perl script:

#!/usr/bin/perl
use Sys::Syslog;
use Sys::Syslog qw( EFAULT setlogsock );
use Sys::Syslog qw( :standard :macros );
setlogsock('unix');
openlog('apache', 'cons', 'pid', 'local2');

while ($log = <STDIN>) {
syslog('notice', $log);
}

closelog;

 

[elgrandeperro]

Oh, and you can test it easily:

echo "hello" | /apachelogger