<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3492" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=254513816-09022009><SPAN
class=254513816-09022009><FONT face=Arial color=#0000ff size=2>On the
client:</FONT></SPAN></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=254513816-09022009><SPAN
class=254513816-09022009><FONT face=Arial color=#0000ff
size=2></FONT></SPAN></SPAN><SPAN class=254513816-09022009></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=254513816-09022009></SPAN>source s_sys
{<BR> file ("/proc/kmsg" log_prefix("kernel: "));<BR>
unix-stream ("/dev/log");<BR> internal();<BR>};<BR><BR>and the
running processes are:<BR>root 1607 0.0 0.0 6216 904 ? Ss 2008 0:48 syslogd -m 0<BR>root 28374 0.0 0.0 7368 564 ? Ss 11:24 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid<BR><BR><SPAN
class=254513816-09022009><FONT face=Arial color=#0000ff size=2>The standard
syslogd daemon is running and almost certainly owns the /dev/log
socket and the kernel output pseudo-file /proc/kmsg. This means that
syslog-ng (which starts later) will receive nothing from those sources
and will forward everything it receives (i.e. nothing) to the
server.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=254513816-09022009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=254513816-09022009><FONT face=Arial
color=#0000ff size=2>You need to chkconfig syslogd off (or the equivalent
on your distro) to stop standard syslogd from running.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=254513816-09022009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=254513816-09022009><FONT face=Arial
color=#0000ff size=2>Joe.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=254513816-09022009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left>
<HR tabIndex=-1>
</DIV>
<DIV dir=ltr align=left><FONT face=Tahoma size=2><B>From:</B>
syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu]
<B>On Behalf Of </B>lance raymond<BR><B>Sent:</B> 09 February 2009
16:34<BR><B>To:</B> Syslog-ng users' and developers' mailing
list<BR><B>Subject:</B> [syslog-ng] Still not working at the most basic
level<BR></FONT><BR></DIV>
<DIV></DIV>ok, so can anyone say how to troubleshoot the most basic scenario to
start: 1 server, 1 client, have the client write logs to the server? I will
show both config files; please note I have tried both UDP and TCP and neither
works. I did notice doing an lsof |grep syslog that the port does change
from udp to tcp, so I know it's reading the config file; I just don't know how to
turn on some debugging or another way to trace the log as it's still being
written to the client.<BR><BR>ok, so <B>server config is:</B><BR>#source
s_remote { udp(); };<BR>source s_remote { tcp(); };<BR>## This will
create separate file for each client on central log server and log http
messages<BR>destination d_clients { file("/var/log/web.$HOST.log"); };<BR>log {
source(s_remote); destination(d_clients);
};<BR>#################################################################<BR><BR>options
{<BR>sync (0);<BR>time_reopen (10);<BR>log_fifo_size (1000);<BR>long_hostnames
(off);<BR>use_dns (no);<BR>use_fqdn (no);<BR>create_dirs (no);<BR>keep_hostname
(yes);<BR>};<BR><BR>source s_sys {<BR>file ("/proc/kmsg" log_prefix("kernel:
"));<BR>unix-stream ("/dev/log");<BR>internal();<BR>#udp(ip(0.0.0.0)
port(514));<BR>};<BR><BR>## This will log local http messages to defined
file<BR><BR>destination send_http_logs { file("/var/log/web.log");
};<BR><BR>filter send_http_logs {<BR>program("httpd.*");<BR>};<BR><BR>log
{<BR>source(s_sys);<BR>filter(send_http_logs);<BR>destination(send_http_logs);<BR>};<BR><BR>and
the server shows the following running process:<BR>root 30945 0.0 0.0 7240 636 ? Ss 11:24 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid<BR><BR><B>Client
side:</B><BR><BR>options
{<BR> sync
(0);<BR> time_reopen
(10);<BR><BR>
log_fifo_size (1000);<BR>
long_hostnames(on);<BR>
use_dns(yes);<BR>
dns_cache(yes);<BR>
use_fqdn(no);<BR>
create_dirs (yes);<BR>
keep_hostname (yes);<BR>
perm(0640);<BR>
dir_perm(0750);<BR><BR>};<BR><BR>source s_sys {<BR> file
("/proc/kmsg" log_prefix("kernel: "));<BR> unix-stream
("/dev/log");<BR> internal();<BR>};<BR>#destination send_http_logs {
udp("192.168.2.54" port(514)); };<BR>destination send_http_logs {
tcp("192.168.2.54" port(514)); };<BR><BR><BR>filter send_http_logs
{<BR>program("httpd.*");<BR>};<BR><BR>log
{<BR>source(s_sys);<BR>filter(send_http_logs);<BR>destination(send_http_logs);<BR>};<BR><BR>and
the running processes are:<BR>root 1607 0.0 0.0 6216 904 ? Ss 2008 0:48 syslogd -m 0<BR>root 28374 0.0 0.0 7368 564 ? Ss 11:24 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid<BR><BR>Not sure if the client is
supposed to have 2 processes or not, but any help is really
appreciated.<BR><BR></BODY></HTML>