improved logging with rsyslog

Dockerfile

@@ -11,7 +11,7 @@ COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 
-RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils && \
+RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
     chmod +x /opt/entrypoint.sh /opt/scripts/* && \
     mkdir /opt/entrypoint.d && \
     adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx

Dockerfile-amd64

@@ -11,7 +11,7 @@ COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 
-RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils && \
+RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
     chmod +x /opt/entrypoint.sh /opt/scripts/* && \
     mkdir /opt/entrypoint.d && \
     adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx

Dockerfile-arm32v7

@@ -18,7 +18,7 @@ COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 
-RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils && \
+RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
     chmod +x /opt/entrypoint.sh /opt/scripts/* && \
     mkdir /opt/entrypoint.d && \
     adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx

Dockerfile-i386

@@ -11,7 +11,7 @@ COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 
-RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils && \
+RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
     chmod +x /opt/entrypoint.sh /opt/scripts/* && \
     mkdir /opt/entrypoint.d && \
     adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx

confs/nginx.conf

@@ -12,9 +12,6 @@ worker_processes auto;
 # faster regexp
 pcre_jit on;
 
-# display warnings and errors on stderr
-error_log stderr warn;
-
 # config files for dynamic modules
 include /etc/nginx/modules/*.conf;
 
@@ -64,9 +61,9 @@ http {
 	# get real IP address if behind a reverse proxy
         %PROXY_REAL_IP%
 
-	# write logs to local syslogd
-        access_log syslog:server=unix:/dev/log,nohostname,facility=local0 combined;
-	error_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=warn;
+	# write logs to local syslog
+	access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice combined;
+	error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
 
 	# lua path
 	lua_package_path "/usr/local/lib/lua/?.lua;;";

entrypoint.sh

@@ -50,7 +50,7 @@ function spaces_to_lua() {
 cp /opt/confs/*.conf /etc/nginx
 cp -r /opt/confs/owasp-crs /etc/nginx
 cp /opt/confs/php.ini /etc/php7/php.ini
-cp /opt/logs/syslog.conf /etc/syslog.conf
+cp /opt/logs/rsyslog.conf /etc/rsyslog.conf
 cp /opt/logs/logrotate.conf /etc/logrotate.conf
 
 # remove cron jobs
@@ -484,8 +484,8 @@ if [ "$WRITE_ACCESS" = "yes" ] ; then
 	chmod g+w -R /www
 fi
 
-# start syslogd
-syslogd -S
+# start rsyslogd
+rsyslogd
 
 # start PHP
 if [ "$USE_PHP" = "yes" ] ; then
@@ -500,8 +500,11 @@ crond
 # start nginx
 echo "[*] Running nginx ..."
 /usr/sbin/nginx
-if [ ! -f "/var/log/nginx.log" ] ; then
-	touch /var/log/nginx.log
+if [ ! -f "/var/log/access.log" ] ; then
+	touch /var/log/access.log
+fi
+if [ ! -f "/var/log/error.log" ] ; then
+	touch /var/log/error.log
 fi
 if [ ! -f "/var/log/php.log" ] && [ "$USE_PHP" = "yes" ] ; then
 	touch /var/log/php.log
@@ -519,9 +522,9 @@ echo "0 0 * * * logrotate -f /etc/logrotate.conf > /dev/null 2>&1" >> /etc/cront
 
 # display logs
 if [ "$USE_PHP" = "yes" ] ; then
-	tail -f /var/log/nginx.log /var/log/php.log &
+	tail -f /var/log/access.log /var/log/error.log /var/log/php.log &
 else
-	tail -f /var/log/nginx.log &
+	tail -f /var/log/access.log /var/log/error.log &
 fi
 wait $!
 

fail2ban/nginx-filter.local

@@ -2,6 +2,6 @@
 before = common.conf
 
 [Definition]
-failregex = .* nginx: <HOST> - .* \[.*\] ".*" (%FAIL2BAN_STATUS_CODES%) .* ".*" ".*"
+failregex = <HOST> - .* \[.*\] ".*" (%FAIL2BAN_STATUS_CODES%) .* ".*" ".*"
 ignoreregex =
 datepattern = %%d/%%b/%%Y:%%H:%%M:%%S

fail2ban/nginx-jail.local

@@ -4,4 +4,4 @@ findtime = %FAIL2BAN_FINDTIME%
 maxretry = %FAIL2BAN_MAXRETRY%
 enabled = true
 action = nginx-action
-logpath = /var/log/nginx.log
+logpath = /var/log/access.log

logs/rsyslog.conf

@@ -0,0 +1,30 @@
+#### Global directives ####
+
+# Sets the directory that rsyslog uses for work files.
+$WorkDirectory /var/lib/rsyslog
+
+# Sets default permissions for all log files.
+$FileOwner root
+$FileGroup root
+$FileCreateMode 0600
+$DirCreateMode 0700
+$Umask 0077
+
+# Include all config files in /etc/rsyslog.d/.
+include(file="/etc/rsyslog.d/*.conf" mode="optional")
+
+#### Modules ####
+
+# Provides --MARK-- message capability.
+module(load="immark")
+
+# Provides support for local system logging (e.g. via logger command).
+module(load="imuxsock")
+
+# Nginx
+$template rawFormat,"%msg:2:2048%\n"
+local0.=notice                  /var/log/access.log;rawFormat
+local0.*;local0.!=notice        /var/log/error.log;rawFormat
+
+# PHP
+local1.*        /var/log/php.log

logs/syslog.conf

@@ -1,2 +0,0 @@
-local0.*	/var/log/nginx.log
-local1.*	/var/log/php.log