I'm trying to use a syslogAppender to send logging output from an Alfresco (Enterprise 4.2.7) backend to an ELK server (Logstash->Elastic Search->Kibana).
The configuration of the latter is out of scope as it's used for many other applications of our company and therefore must stay generic.
On the server (RHEL7) running Alfresco, I've already modified /etc/rsyslog.conf, setting the syslog host, port and protocol:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# [...]
# ### end of the forwarding rule ###
*.* @<host>
Alfresco logging may be customized at different levels. For development purposes I'm currently working on the 'highest' level (the one which overrides the others) in <Alfresco's Tomcat>/shared/classes/alfresco/extension/env-log4j.properties. There, I specified the following:
log4j.logger.ELKLogger=debug, Syslog # really not sure about this one ...
log4j.appender.Syslog=org.apache.log4j.net.SyslogAppender
log4j.appender.Syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.Syslog.layout.ConversionPattern=[%p] %c:%L - %m%n
# following config attempt didn't help
# log4j.appender.Syslog.threshold=DEBUG
# log4j.appender.Syslog.syslogHost=<host>
# log4j.appender.Syslog.facility=SYSLOG
# log4j.appender.Syslog.port=514
# log4j.appender.Syslog.protocol=UDP
Currently, I can see logs from other sources on the server (cron, daemon ...) getting to the ELK server but nothing from Alfresco.
I think my issue is either that the Syslog appender is not well configured or that the debug level is not correctly set for this appender.
I unfortunately didn't find any Alfresco documentation resources on using a Syslog appender, only for file appenders. So I may have missed some details or even an obvious config step, but anyhow, it seems that the Syslog appender isn't taken into account.
Does anyone have a hint or maybe some documentation to suggest that I may have missed?
Thanks in advance for any help.
Finally I managed to fix it. My problem was due to a poor understanding of log4j configuration in general and in Alfresco specifically.
As I said before, in Alfresco log4j may be configured at 3 different levels, the first one being overwritten by the 2 others.
As I wanted to minimise the changes, I made them at the highest level. Doing so, I thought I wouldn't have to redefine the rootLogger, which is already defined at the lowest level, and that I'd just have to add my newly made appender to it.
As it appears, it's not so easy, and I haven't found a better way to add a new appender to the default logger (rootLogger then) than redefining it.
Doing so overwrites both the previously existing appenders and the specific loggers (defined in Alfresco's lower-level log4j.properties files). Therefore I had to redefine them again.
While I was at it, I changed the different debug levels in such a way that the ELK gets all the logs (through syslog) and the local log file only the error level logs.
Finally, here is what my log4j.properties looks like:
log4j.rootLogger=debug, Console, File, Syslog
###### All outputs currently set to be a ConsoleAppender.
log4j.appender.Console=org.apache.log4j.ConsoleAppender
log4j.appender.Console.layout=org.apache.log4j.PatternLayout
log4j.appender.Console.layout.ConversionPattern=%d{ISO8601} %x %-5p [%c{3}] [%t] %m%n
log4j.appender.Console.threshold=warn
##### File appender definition #######
log4j.appender.File=org.apache.log4j.DailyRollingFileAppender
log4j.appender.File.File=alfresco.log
log4j.appender.File.Append=true
log4j.appender.File.DatePattern='.'yyyy-MM-dd
log4j.appender.File.layout=org.apache.log4j.PatternLayout
log4j.appender.File.layout.ConversionPattern=%d{yyyy-MM-dd} %d{ABSOLUTE} %-5p [%c] [%t] %m%n
log4j.appender.File.threshold=error
##### Syslog configuration #########
log4j.appender.Syslog=org.apache.log4j.net.SyslogAppender
log4j.appender.Syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.Syslog.layout.ConversionPattern=%d{yyyy-MM-dd} %d{ABSOLUTE} %-5p [%c] [%t] %m%n
log4j.appender.Syslog.syslogHost=<host>
log4j.appender.Syslog.facility=LOCAL1
log4j.appender.Syslog.threshold=debug
####### Specific logger level definition ######
log4j.logger.org.alfresco.repo.jscript.ScriptLogger=debug
### external logger global level definition ###
log4j.logger.org.apache=error
log4j.logger.org.alfresco=info
log4j.logger.org.springframework=info
<alfresco's tomcat>/shared/classes/alfresco/extension/
<host> is the address of the syslog target, in my case the ELK server's URL.
threshold attribute.
It's now working and I'm quite happy with this solution. But I would still like to find a way of adding a new appender to the rootLogger without the need to redefine it.
Well, it's mostly an Alfresco-oriented question, as usually the rootLogger and all the appenders are defined in the same place. But if someone has a hint, I would love to hear about it.
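As an added example (not part of the original question or answer, and not Alfresco's or log4j's own code), the following Python check lints a single log4j 1.x properties file for the situations discussed here: an appender that is attached only to a named logger instead of the rootLogger, and an appender name that does not resolve to a definition. The function names and sample strings are constructed for illustration, and the check does not model how Alfresco combines its log4j.properties layers.

```python
def parse_properties(text):
    # java.util.Properties rule: '#' or '!' opens a comment only at line start,
    # so a trailing "# note" after a value stays part of that value.
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint(text):
    props = parse_properties(text)
    defined = {k.split(".")[2] for k in props
               if k.startswith("log4j.appender.") and k.count(".") == 2}
    attached, findings = {}, []
    for key, value in props.items():
        if key == "log4j.rootLogger":
            logger = "rootLogger"
        elif key.startswith("log4j.logger."):
            logger = key[len("log4j.logger."):]
        else:
            continue
        # First comma-separated token is the level; the rest name appenders.
        for name in (n.strip() for n in value.split(",")[1:]):
            if name in defined:
                attached.setdefault(name, []).append(logger)
            else:
                findings.append(f"{logger}: appender {name!r} is not defined")
    for name in sorted(defined):
        loggers = attached.get(name, [])
        if not loggers:
            findings.append(f"appender {name}: attached to no logger")
        elif "rootLogger" not in loggers:
            findings.append(f"appender {name}: only fed by logger(s) {', '.join(loggers)}")
    return findings

# Constructed samples based on the snippets in the post (host lines omitted).
AS_POSTED = """\
log4j.logger.ELKLogger=debug, Syslog # really not sure about this one ...
log4j.appender.Syslog=org.apache.log4j.net.SyslogAppender
"""
COMMENT_REMOVED = AS_POSTED.replace(" # really not sure about this one ...", "")
ROOT_REDEFINED = COMMENT_REMOVED.replace("log4j.logger.ELKLogger", "log4j.rootLogger")

if __name__ == "__main__":
    for label, cfg in [("as posted", AS_POSTED), ("comment removed", COMMENT_REMOVED),
                       ("root redefined", ROOT_REDEFINED)]:
        print(label, "->", lint(cfg) or "no findings")
```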