Thanks for the update. I did try that and am still not getting anything. I did try both tcp and udp and am just wondering one other thing (not sure if it works).<br><br><b>1.</b><br>Up top it shows the following on the server conf file;<br>
## This will create separate file for each client on central log server and log http messages<br>destination d_clients { file("/var/log/web.$HOST.log"); };<br>log { source(s_remote); destination(d_clients); };<br>
<br>then below in the same file shows;<br>destination send_http_logs { file("/var/log/web.log"); };<br><br>So, first I am not sure what exactly this is or should be doing. If there are 5 vhosts, according to the top it will have 5 diff log files 1 for each vhost, yet the lower section shows only one file name.<br>
<br>ps on the server now only shows;<br>root 32758 0.0 0.0 7368 568 ? Ss 13:17 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid<br><br><b>2.</b> <br>Client side I have;<br> unix-stream ("/dev/log");<br>
but (again, not sure if this matters) ALL apache logs go to the following folder;<br> /home/mcp/local/apache2/logs nothing gets written to /dev/logs<br><br>ps on the client only shows;<br>root 5612 0.0 0.0 7236 424 ? Ss 13:31 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid<br>
<br>I have changed both not to run at startup (via chkconfig) but haven't restarted the boxes as they are in use. The other odd thing: I stopped syslog-ng, there was nothing running, yet the local logs kept writing to the local files (didn't think they would if syslog and syslog-ng were stopped).<br>
<br>Thanks again, I will keep trying anything suggested till this thing works!<br><br><div class="gmail_quote">On Mon, Feb 9, 2009 at 11:44 AM, Fegan, Joe <span dir="ltr"><<a href="mailto:Joe.Fegan@hp.com">Joe.Fegan@hp.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div dir="ltr" align="left"><span><span><font size="2" color="#0000ff" face="Arial">On the
client:</font></span></span></div>
<div dir="ltr" align="left"><span><span><font size="2" color="#0000ff" face="Arial"></font></span></span><span></span> </div>
<div dir="ltr" align="left"><div class="Ih2E3d"><span></span>source s_sys
{<br> file ("/proc/kmsg" log_prefix("kernel: "));<br>
unix-stream ("/dev/log");<br> internal();<br></div><div class="Ih2E3d">};<br><br>and the
running process are;<br>root 1607 0.0
0.0 6216 904 ?
Ss 2008 0:48 syslogd -m
0<br>root 28374 0.0 0.0
7368 564 ? Ss
11:24 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid<br><br></div><span><font size="2" color="#0000ff" face="Arial">The standard
syslogd daemon is running and almost certainly owns the /dev/log
socket and the kernel output pseudo-file /proc/kmsg. This means that
syslog-ng (which starts later) will receive nothing from those sources
and will forward everything it receives (i.e. nothing) to the
server.</font></span></div>
<div dir="ltr" align="left"><span><font size="2" color="#0000ff" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span><font size="2" color="#0000ff" face="Arial">You need to chkconfig syslogd off (or the equivalent
on your distro) to stop standard syslogd from running.</font></span></div>
<div dir="ltr" align="left"><span><font size="2" color="#0000ff" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span><font size="2" color="#0000ff" face="Arial">Joe.</font></span></div>
<div dir="ltr" align="left"><span><font size="2" color="#0000ff" face="Arial"></font></span> </div>
<div dir="ltr" align="left">
<hr>
</div>
<div dir="ltr" align="left"><font size="2" face="Tahoma"><b>From:</b>
<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a> [mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>]
<b>On Behalf Of </b>lance raymond<br><b>Sent:</b> 09 February 2009
16:34<br><b>To:</b> Syslog-ng users' and developers' mailing
list<br><b>Subject:</b> [syslog-ng] Still not working at the most basic
level<br></font><br></div><div><div></div><div class="Wj3C7c">
<div></div>ok, so can anyone say how to troubleshoot the most basic scenario to
start. 1 server, 1 client, have client write logs to server? I will
show both config files, please note I have tried both UDP and TCP and neither
works. I did notice doing an lsof |grep syslog that the port does change
from udp to tcp so I know it's reading the config file, I just don't know how to
turn on some debugging or another way to trace the log as it's still being
written to the client.<br><br>ok, so <b>server config is;</b><br>#source
s_remote { udp(); };<br>source s_remote { tcp(); };<br>## This will
create separate file for each client on central log server and log http
messages<br>destination d_clients { file("/var/log/web.$HOST.log"); };<br>log {
source(s_remote); destination(d_clients);
};<br>#################################################################<br><br>options
{<br>sync (0);<br>time_reopen (10);<br>log_fifo_size (1000);<br>long_hostnames
(off);<br>use_dns (no);<br>use_fqdn (no);<br>create_dirs (no);<br>keep_hostname
(yes);<br>};<br><br>source s_sys {<br>file ("/proc/kmsg" log_prefix("kernel:
"));<br>unix-stream ("/dev/log");<br>internal();<br>#udp(ip(0.0.0.0)
port(514));<br>};<br><br>## This will log local http messages to defined
file<br><br>destination send_http_logs { file("/var/log/web.log");
};<br><br>filter send_http_logs {<br>program("httpd.*");<br>};<br><br>log
{<br>source(s_sys);<br>filter(send_http_logs);<br>destination(send_http_logs);<br>};<br><br>and
the server shows the following running process;<br>root
30945 0.0 0.0 7240 636
? Ss 11:24
0:00 /sbin/syslog-ng -p /var/run/syslogd.pid<br><br><b>Client
side:</b><br><br>options
{<br> sync
(0);<br> time_reopen
(10);<br><br>
log_fifo_size (1000);<br>
long_hostnames(on);<br>
use_dns(yes);<br>
dns_cache(yes);<br>
use_fqdn(no);<br>
create_dirs (yes);<br>
keep_hostname (yes);<br>
perm(0640);<br>
dir_perm(0750);<br><br>};<br><br>source s_sys {<br> file
("/proc/kmsg" log_prefix("kernel: "));<br> unix-stream
("/dev/log");<br> internal();<br>};<br>#destination send_http_logs {
udp("192.168.2.54" port(514)); };<br>destination send_http_logs {
tcp("192.168.2.54" port(514)); };<br><br><br>filter send_http_logs
{<br>program("httpd.*");<br>};<br><br>log
{<br>source(s_sys);<br>filter(send_http_logs);<br>destination(send_http_logs);<br>};<br><br>and
the running process are;<br>root 1607
0.0 0.0 6216 904
? Ss
2008 0:48 syslogd -m 0<br>root 28374
0.0 0.0 7368 564
? Ss 11:24
0:00 /sbin/syslog-ng -p /var/run/syslogd.pid<br><br>Not sure if the client is
supposed to have 2 processes or not, but any help is really
appreciated.<br><br></div></div></div>
<br></blockquote></div><br>
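The server configuration quoted in this thread contains two separate `log { }` statements, which is what question 1 at the top asks about. As an added example (not part of any message in the thread and not syslog-ng's own code), this Python script expands each log statement into the source, filter and destination drivers it connects; the name `log_paths` and the regex parsing are assumptions that cover only the simple syntax used here.

```python
import re

# Server config from the thread (options block omitted, whitespace condensed).
SERVER_CONF = r'''
#source s_remote { udp(); };
source s_remote { tcp(); };
destination d_clients { file("/var/log/web.$HOST.log"); };
log { source(s_remote); destination(d_clients); };

source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
#udp(ip(0.0.0.0) port(514));
};
destination send_http_logs { file("/var/log/web.log"); };
filter send_http_logs { program("httpd.*"); };
log { source(s_sys); filter(send_http_logs); destination(send_http_logs); };
'''

# Regexes cover only the simple syntax used above (no nested braces).
DEF = re.compile(r'\b(source|destination|filter)\s+(\w+)\s*\{([^}]*)\}')
LOG = re.compile(r'\blog\s*\{([^}]*)\}')
REF = re.compile(r'\b(source|filter|destination)\s*\(\s*(\w+)\s*\)')

def log_paths(conf):
    """Return one dict per log statement, with every referenced name
    expanded to the driver lines of its definition."""
    conf = re.sub(r'#.*', '', conf)  # drop comments, incl. disabled drivers
    defs = {}
    for kind, name, body in DEF.findall(conf):
        defs[(kind, name)] = [" ".join(d.split())
                              for d in body.split(';') if d.strip()]
    paths = []
    for body in LOG.findall(conf):
        path = {'source': [], 'filter': [], 'destination': []}
        for kind, name in REF.findall(body):
            path[kind] += defs.get((kind, name), ['<undefined: %s>' % name])
        paths.append(path)
    return paths

if __name__ == '__main__':
    for i, p in enumerate(log_paths(SERVER_CONF), 1):
        print('log path %d: %s' % (i, p))
```

The first path takes only the network source and writes to the per-host `web.$HOST.log` files; the second takes only the server's own local sources, filtered on `httpd.*`, and writes to `web.log`.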