A log file for each virtual host with haproxy and rsyslog

When you run hundreds of web sites, it can be really convenient to store the access logs separately. While it is pretty straightforward to do this with Apache (just log each vhost to a distinct file), it gets more complicated with HAProxy. As a matter of fact, it only logs to syslog, so your syslog server has to do the sorting.

Here is a configuration excerpt that logs the host name requested by the client and rejects requests for sites not present in the websites.lst file.

capture request header Host len 256
acl h_website hdr(host) -i -f /etc/haproxy/websites.lst
http-request deny if ! h_website

And here is how I do it on rsyslog:

$template HaLogs,"/logs/services/haproxy/%$YEAR:::secpath-replace%/%$MONTH:::secpath-replace%/%$DAY:::secpath-replace%/%syslogfacility-text:::secpath-replace%.%syslogseverity-text:::secpath-replace%.log"
$template HaHostnameLogs,"/logs/services/haproxy/%$YEAR:::secpath-replace%/%$MONTH:::secpath-replace%/%$DAY:::secpath-replace%/%msg:R,ERE,1,BLANK:[0-9]+/[0-9]+ \{([-.A-Za-z0-9]*)--end%/%syslogfacility-text:::secpath-replace%.%syslogseverity-text:::secpath-replace%.log"
if $programname == 'haproxy' and $msg contains '/<NOSRV> ' then -?HaLogs
& ~
if $programname == 'haproxy' then -?HaHostnameLogs
& ~

The first two lines define where the logs are supposed to go. The secpath-replace options are probably overkill, but I’m not confident the data is actually filtered. The HaLogs template stores the day's common messages in /logs/services/haproxy/2011/10/05/local3.info.log, for example. The HaHostnameLogs template uses a regular expression to find the logged host name and uses it to build the path. For example.com, this will be /logs/services/haproxy/2011/10/05/example.com/local3.info.log.

The first condition detects (very crudely) when a request is denied by HAProxy, and logs it using the first template. That way, malicious scanners will not clutter your syslog server with meaningless directory names. The rest should be neatly sorted.
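The routing done by these two rules can be replayed offline before deploying them. The following Python sketch is an added example, not the author's code: it reuses the regular expression from the HaHostnameLogs template on constructed log messages and notes host values that would produce an unexpected directory. The function name route, the sample lines and the fixed date are assumptions.

```python
import re

# Same ERE as the HaHostnameLogs template; rsyslog's BLANK option yields "" on no match.
HOST_RE = re.compile(r"[0-9]+/[0-9]+ \{([-.A-Za-z0-9]*)")
BASE = "/logs/services/haproxy"

def route(msg, date="2011/10/05", fac_sev="local3.info"):
    """Return (path, notes) for one haproxy message, following the two rules in order."""
    if "/<NOSRV> " in msg:                 # rule 1: denied request -> common file
        return f"{BASE}/{date}/{fac_sev}.log", []
    m = HOST_RE.search(msg)                # rule 2: per-host file
    host = m.group(1) if m else ""
    notes = []
    if not host:
        notes.append("no host captured: directory component is empty")
    elif host.strip(".") == "":
        notes.append("dots only: not a host name")
    elif host != host.lower():
        notes.append("mixed case: lands beside the lowercase directory")
    return f"{BASE}/{date}/{host}/{fac_sev}.log", notes

# Constructed sample messages in HAProxy's HTTP log layout (not taken from the page).
SAMPLES = [
    ' 192.0.2.10:51234 [05/Oct/2011:12:00:00.123] www web/srv1 0/0/1/2/3 200 512'
    ' - - ---- 1/1/0/0/0 0/0 {example.com} "GET / HTTP/1.1"',
    ' 192.0.2.66:40000 [05/Oct/2011:12:00:01.000] www www/<NOSRV> 0/-1/-1/-1/0 403 188'
    ' - - PR-- 0/0/0/0/0 0/0 {scanner.invalid} "GET /admin HTTP/1.1"',
    ' 192.0.2.10:51240 [05/Oct/2011:12:00:02.500] www web/srv1 0/0/1/2/3 200 512'
    ' - - ---- 1/1/0/0/0 0/0 {Example.COM} "GET / HTTP/1.1"',
    ' Proxy www started.',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        path, notes = route(sample)
        print(path, notes)
```

Because the ACL matches with -i, a Host header of Example.COM passes the list and gets a directory of its own next to example.com. The regular expression alone accepts any run of letters, digits, dots and hyphens, so the deny rule is what keeps unlisted names out of the path.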

