Syslog module overview

About

The Syslog module logs events by sending messages to the logging facility of your web server's operating system. Syslog is an operating system administrative logging tool that provides valuable information for use in system management and security auditing. Most suited to medium and large sites, Syslog provides filtering tools that allow messages to be routed by type and severity.

It is not suitable for shared hosting environments.

It might not be as user friendly as Database Logging but will allow you to see logs and troubleshoot if your site is not accessible. Since the Database Logging module writes logs to the database, it can slow down the website. By using Syslog, you can potentially improve the performance of the implicated site.

Using rsyslog

Recent versions of Debian and CentOS use rsyslog instead of syslog.  rsyslog is a more flexible and powerful version of syslog.  It is also 100% compatible with how syslog logs events, though its configuration files are not at all the same. 

Configuring rsyslog FOR CENTOS / Ubuntu / Debian

Configuring this module for rsyslog oriented systems is pretty straightforward:

1.  Configure the Syslog module as you would normally. 

2.  Be sure that the Syslog identity field starts with the string "drupal".

3.  Create /etc/rsyslog.d/drupal.conf with the following code inside:

# Optional Comment

if $programname startswith 'drupal' then {

    action(type="omfile" File="/var/log/drupal.log")

    & stop # Stops syslog posting to other files, such as /var/log/syslog.

}

4.  Restart rsyslog

Using Syslog

Here is a four-step guide to switching from Drupal's default database. It is for Linux systems only.

1. Install & configure the Syslog module

• Enable the module Syslog on the Extend page at admin/modules (Drupal 8)
• Configure the module on the 'Logging and errors' configuration page at admin/config/development/logging
• Select which Syslog facility to attach to the log messages. Choose one that is not in use by Syslog.
• Set the syslog identity (a string that will be prepended to every message logged to Syslog), for example drupal_www_example_com.

2. Configure Syslog to log to a separate file (optional)

You can write the log messages to a separate file (If you dont the messages will most likely end up in /var/log/messages)

Edit the syslog configuration file at:

/etc/syslog.conf

or

/etc/rsyslog.conf

Add the following line at the bottom of the file:

local0.* /var/log/drupal.log

Where local0 is the Syslog facility that you chose in the Syslog configuration (see Step 1)

How to restart the syslog daemon for most Unix/Linux systems:

sudo service syslog restart

or

sudo service rsyslog restart

or

sudo systemctl restart rsyslog.service

Here's how to restart syslog on Mac OS X.

Check that you are seeing messages in the syslog:

tail /var/log/drupal.log

This shows the bottom of the log file. To see the complete log file use:

less /var/log/drupal.log

To see new log messages appearing in the log file use:

tail -f /var/log/drupal.log

Exit using ctrl+c

3. Disable the Database Logging (formerly, Watchdog) module (optional)

If you have the Database logging (dblog) enabled, disable it at on the Extend page /admin/build/modules.

4. Configure Syslog to log to a separate file for each domain

You can use separate log files for each website.

Edit the syslog configuration file at:

/etc/syslog.conf

or

/etc/rsyslog.conf

and add:

Note that the following syntax uses an if block (RainerScript) and is only available in rsyslog, not syslog.

if $programname == 'drupal_www_example_com' then /var/log/drupal/drupal_www_example_com.log
& stop

local0.* /var/log/drupal/others.log
& stop

$programname drupal_www_example_com is the Sylog identity that you have set in the Logging and errors configuration page, (admin/config/development/logging), see step 1.

With the last line you are sure to put all Drupal log (if you choose facility local0) in one file.

The lines, & stop, prevent the log record being posted in other files such as /var/log/syslog. If this continues with these lines, ensure the precedence of the file is high enough (eg. rename your configuration file from /etc/rsyslog.d/drupal.conf to /etc/rsyslog.d/20-drupal.conf.

Note If you use rsyslog with a /etc/rsyslog.d/ folder, you can create a new file there, with the same content (preferred method).

More information

Write drupal logs to rsyslog instead of to dblog

See also the PHP's documentation pages for the openlog and syslog functions.

On syslog facilities, severity levels, and how to setup a syslog.conf file, see UNIX/Linux syslog.conf.

Advanced use

A more modern way is to use the monolog module (based on the monolog Symfony package), it's quite helpful to handle nicely multilines logs such as php backtraces.

It could also allow to use a great deal of formats, processing and target services (processor) such as  : text file, rsyslog, filebeat, ...

Debugging

Test from linux shell if the targeted rsyslog server receives your messages:

echo "test message" | logger -t my_tag_name -n localhost

my_tag_name is usually drupal and the rsyslog hostname (-n) could be local or remote

Notes

On Windows Server 2003R2, syslog doesn't write successfully to the Event Log. Instead, an Application Warning appears (Source: PHP-5.2.0) which starts with: "The description for Event ID ( 3 ) in Source ( PHP-5.2.9 ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer". According to http://www.php.net/manual/en/function.syslog.php#41832 , the default IUSR_ needs to be added to the Users group

php.ini needs to explicitly state that error logs are written to syslog (ie. error_log = syslog), otherwise the syslog module will not work.