TLDR Summary: How Apache access logs can be sent directly to a remote syslog server (such as Papertrail) using a single CustomLog directive in httpd.conf. By combining Apache’s piped logging feature with netcat (nc), Apache formats each access log entry as a syslog message and streams it over UDP without needing rsyslog, syslog‑ng, or an agent. The approach supports custom host and program names, works in global or VirtualHost configs, and can be adapted to other daemons that can log to a pipe. An alternative using the logger command is also mentioned.
Papertrail supports the remote syslog protocol, so it accepts Web server access logs from rsyslog, syslog-ng, the tiny remote_syslog log file to remote syslog daemon, and other senders.
In that “other senders” category, here’s an elegant hack to have Apache transmit access logs directly to a remote syslog server, using a one-line httpd.conf change.
To transmit with the hostname “www1” and the program name “apache”, add this line:
CustomLog '|nc -u logs.papertrailapp.com 1111' '<134>%{%b %d %X}t www1 apache %h %l %u %t '%r'%>s %b '%{Referer}i' '%{User-agent}i''
Note: For Apache 2.4.x, add a $ sign before the nc command. Use the line below:
CustomLog '|$nc -u logs.papertrailapp.com 1111' '<134>%{%b %d %X}t www1 apache %h %l %u %t '%r'%>s %b '%{Referer}i' '%{User-agent}i''
This combines netcat, Apache’s CustomLog configuration directive, and Apache’s piped logs feature (which will even restart nc if it crashes). Apache outputs a syslog-framed message to a pipe and nc does the rest. The <134> is the syslog’s priority identifier for facility local0, severity info. That’s followed by the syslog timestamp, system name, and program name.
Everything after “apache” is format specifiers to generate the standard combined log format. The format can be customized. The CustomLog directive works globally and can be used in VirtualHost stanzas.
The reference example is:
CustomLog '|nc -u <destination hostname> <destination port>' '<134>%{%b %d %X}t <system hostname> <program name> %h %l %u %t '%r'%>s %b '%{Referer}i' '%{aUser-agent}i''
This would work for any daemons which can output to a pipe, don’t block on the output (or automatically restart the pipe program, as Apache does), and support a user-supplied template for message formatting. It’s also possible to CustomLog to pipe to the “logger” program (instead of netcat), like this:
CustomLog '|logger -t httpd -p local1.info'
.. and then use your existing syslog daemon to transmit those to Papertrail.
