====== Nextcloud Log to Syslog ======
Nextcloud normally creates its logs in the data directory, in a file named nextcloud.log. It will automatically rotate the logs after a specific size (default 10M). This file is parsed and available in the WebUI for administrators.
However, I prefer to have my logging in the default /var/log as I normally troubleshoot from the cli anyway. Since Nextcloud logs are fairly cumbersome, with a lot of data, I also want them in their own separate log file, but managed with the standard Linux utilities.
Following will set up rsyslog on Devuan to find all Nextcloud logs, put them in /var/log/nextcloud.log, and rotate them daily, keeping a weeks worth of logs.
I have these in a specific order, setting up rsyslogd first, then configuring nextcloud, so I don't end up with a bunch of stuff in /var/log/syslog.
===== Create rsylogd =====
This looks for a tag, //nextcloud//, which the nextcloud configuration can generate. The colon at the end is required. This tells rsyslog to place all log entries in /var/log/nextcloud.log and stop; not passing the message to any other logs.
It is important to have this processed early, so if you get the log entries in any other logs, change the name by putting a 0 in front (they are loaded alphabetically)
Create /etc/rsyslog.d/nextcloud.conf with the following contents
:syslogtag, startswith, "nextcloud" /var/log/nextcloud.log
& stop
I used the startswith since I never could get isequal to work.
restart rsyslog service rsyslog restart
===== Set up log rotation =====
Devuan comes with logrotate pre-installed. We set up a rule to rotate the logs daily, keeping the last 7 logs, and compressing the older logs
create /etc/logrotate.d/nextcloud
/var/log/nextcloud.log {
rotate 7
daily
missingok
notifempty
compress
}
===== Tell nextcloud to use syslog =====
This is fairly simple. Just add a few lines to your nextcloud configuration and the next time Nextcloud is executed, the logs will go to syslog.
We saved this for last so syslog would know how to handle it when data started coming through.
Add the following to your nextcloud configuration
"log_type" => "syslog",
"syslog_tag" => "Nextcloud",
"logfile" => "",
"loglevel" => 3,
Not sure if the //"logfile" => "",// is necessary, but Nextcloud says to do it, so I did. The syslog_tag is the tag that rsyslog will look for to send it to nextcloud.log. Here we do not use a colon at the end (that is a requirment for rsyslog's config). This is case sensitive.
Note on loglevel. 3 will only show you errors, but if you want to process for hacking (say with fail2ban), you need to use 'loglevel'=>2, which also records login failures. From the [[https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/logging_configuration.html|nextcloud documentation]]:
0: DEBUG: All activity; the most detailed logging.
1: INFO: Activity such as user logins and file activities, plus warnings, errors, and fatal errors.
2: WARN: Operations succeed, but with warnings of potential problems, plus errors and fatal errors.
3: ERROR: An operation fails, but other services and operations continue, plus fatal errors.
4: FATAL: The server stops.
===== Links =====
* https://serverfault.com/questions/514901/how-to-filter-rsyslog-messages-by-tags
* https://www.rsyslog.com/doc/configuration/filters.html
* https://askubuntu.com/questions/186592/how-do-i-configure-rsyslog-to-send-logs-from-a-specific-program-to-a-remote-sysl
* https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/logging_configuration.html