We decided to go the same way as we went with HHVM, thus relaying the logs to syslog to then deliver wherever desired.
To this aim, we added error_log = syslog and syslog.ident = php7.2-fpm to the configuration, and the corresponding rsyslog rules.
We found out, however, that whatever gets logged from the fpm pools ends up having an identifier of ool $pool_name.
This is an unfortunate bug that has been reported multiple times. As a consequence, the broken programname containing a space is invalid as far as the syslog format is concerned, and rsyslog correctly refuses to parse it. So the programname is always "ool" as far as rsyslog is concerned
There are several ways to fix this, but none is exactly attactive:
- Just add rules to catch "ool" as a programname. The log line will still be badly broken, and will be badly parsed once imported in logstash. Also, we will have to repeat all the processing rules twice.
- Add an openlog() function in the auto_prepend_file. That would set the correct ident for all requests. We might need to closelog() too, though.
- Add catch_workers_output = yes to the pool configuration, with some clever setting of error_log to send errors to stderr might do what we want (let journald collect the log lines from stderr, mark them with the correct programname (the unit name), and relay them to syslog. Sadly, catch_workers_output is known to cause a severe performance degradation at high concurrency, so it's not an option.
- Patch php-fpm so that when it sets the programname in syslog it does something sensible like setting it to php-pool-$pool_name
- Configure php-fpm to send the logs to a specialized syslog facility and filter for it. This will reduce duplication of rules but still possibly have the broken parsing issue.
As it stands, I would prefer to use the openlog() approach, which seems the cleanest way to handle this.
 the message registered in logstash becomes ool www: JOE TEST instead of JOE TEST