Drupal rsyslog with separate log files

This just took a little figuring out, so I'm recording it for posterity. I maintain many Drupal sites, almost all hosted in multisite installations. To save DB server traffic, I've started experimenting with the syslog facility. Here's how I set things up on my Debian server to log each site to its own file.

First, I created a /var/log/drupal directory to hold the log files and gave it the appropriate permissions (group etc. will vary by distro).

Next, I enabled the syslog module on my sites. The module allows you to identify the logs by logging to a particular log facility (local0, local1, etc.) and by specifying a custom "Syslog identity". Since I generally have more than ten sites per server, I used the syslog identity to distinguish them and left the default local0 setting for syslog facility. I chose variations on "drupal_SOMETHING" for each site, ensuring they are all distinct and share the common drupal_ prefix.

The log destinations can be defined in rsyslog.conf or in a file in rsyslog.d, depending on your distro. The only secret here is that the "Syslog identity" defined in the module's UI corresponds to the rsyslog 'programname' entity. I created a /etc/rsyslog.d/drupal.conf that looks like this:

    # stevemccullough.ca
    :programname, isequal, "drupal_sm" /var/log/drupal/stevemccullough.ca.log

    # irrational.ca
    :programname, isequal, "drupal_irr" /var/log/drupal/irrational.ca.log

    # prevent logging to /var/log/messages
    :programname, contains, "drupal" ~

(I added the final discard line to prevent my overall system log files from filling with Drupal activity. Just a personal preference.)

Restart rsyslog, and voila! Separate syslog files for each site.

I also set up weekly log rotation by creating /etc/logrotate.d/drupal like so:

    /var/log/drupal/*.log {
        weekly
        missingok
        rotate 52
        compress
        delaycompress
        notifempty
        create 640 root adm
    }

Depending on how large the files prove to be, daily rotation might be better, but I'll see what happens.

And in addition to saving DB traffic, syslog has the huge advantage of exposing Drupal events to OSSEC, an open-source security monitor that can lock out attackers if it detects problematic activity. The go-to decoder and rules for Drupal can be found here.
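
To show what a monitor can get out of these per-site files, here is an added example (not from the original post, and not the OSSEC decoder mentioned above) that counts failed logins per site identity and client IP. It assumes rsyslog's traditional file format, the syslog module's default pipe-delimited format string, and Drupal core's "Login attempt failed for" message; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# rsyslog's traditional file format: "Mon DD HH:MM:SS host tag: message"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s(?P<ident>drupal_\w+)(?:\[\d+\])?:\s(?P<msg>.*)$"
)

def parse_line(line):
    """Return the leading Drupal fields of one log line, or None if foreign."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Assumed module format:
    #   base_url|timestamp|type|ip|request_uri|referer|uid|link|message
    # Only the first four fields are split out: request_uri and referer are
    # client-controlled and may contain '|', which would shift later fields.
    parts = m.group("msg").split("|", 4)
    if len(parts) != 5:
        return None
    _base_url, _timestamp, type_, ip, rest = parts
    return {"ident": m.group("ident"), "type": type_, "ip": ip, "rest": rest}

def failed_logins(lines, threshold=3):
    """Map (site identity, client IP) -> count, for counts >= threshold."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["type"] == "user" and "|Login attempt failed for " in ev["rest"]:
            counts[(ev["ident"], ev["ip"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample lines (documentation IP ranges, made-up host and URLs).
_FAIL = ("Mar  3 10:00:0{n} web1 drupal_sm: https://example.org|170946000{n}|user|"
         "203.0.113.7|https://example.org/user/login|https://example.org/user|0||"
         "Login attempt failed for admin.")
SAMPLE = [_FAIL.format(n=n) for n in (1, 2, 3)] + [
    "Mar  3 10:00:09 web1 drupal_sm: https://example.org|1709460009|user|198.51.100.4|"
    "https://example.org/user/login?q=a|b||0||Login attempt failed for bob.",
    "Mar  3 10:00:12 web1 drupal_irr: https://example.net|1709460012|content|"
    "203.0.113.7|https://example.net/node/1||1||page: updated Hello.",
    "Mar  3 10:00:15 web1 cron[123]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for (ident, ip), n in failed_logins(SAMPLE).items():
        print(f"{ident}: {n} failed logins from {ip}")
```

Because the identity is part of the key, the same function works on a single site's file or on several files concatenated together.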