<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3492" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=265090801-10022009><FONT face=Arial
color=#0000ff size=2>I would focus on the client first. Try to get it
logging the messages you want to local file destinations. Once you have it
writing to local files you know you are receiving the messages and then can
try forwarding them to the server.</FONT></SPAN></DIV><BR>
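<DIV dir=ltr align=left>An added example, not part of the original messages: a client-side triage script that combines the advice above (confirm messages arrive locally before forwarding) with the check from the quoted reply below (a second syslog daemon holding /dev/log). The sample ps lines are constructed from those quoted in the thread; the function names, the rsyslogd case and the local log file path passed to probe_local are assumptions.</DIV>

```shell
#!/bin/sh
# Added example, not from the thread: triage for a syslog-ng client that
# forwards nothing to its server.

# Constructed sample, modelled on the client's ps lines quoted in the thread.
SAMPLE_PS='root 1607 0.0 0.0 6216 904 ? Ss 2008 0:48 syslogd -m 0
root 28374 0.0 0.0 7368 564 ? Ss 11:24 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid'

# Print each syslog daemon named in "ps aux"-style lines read from stdin.
syslog_daemons() {
    awk '{
        cmd = $11                  # column 11 of ps aux is the command
        sub(/^.*\//, "", cmd)      # drop a leading path such as /sbin/
        if (cmd == "syslogd" || cmd == "rsyslogd" || cmd == "syslog-ng") print cmd
    }' | LC_ALL=C sort -u
}

# Exit 0 when syslog-ng runs beside another syslog daemon, i.e. the older
# daemon is likely to hold /dev/log and /proc/kmsg; exit 1 otherwise.
dev_log_conflict() {
    found=$(syslog_daemons)
    echo "$found" | grep -qx 'syslog-ng' || return 1
    echo "$found" | grep -qxE 'syslogd|rsyslogd'
}

# Send one tagged line through /dev/log and check that it reached a local
# file() destination. $1 is that file's path (an assumption: the client
# config must already contain such a destination for source s_sys).
probe_local() {
    marker="syslog-ng-probe-$$"
    logger -t httpd "$marker"      # tag matches the program("httpd.*") filter
    sleep 1
    grep -q "$marker" "$1"
}

# Demo on the constructed sample; on a live client use: ps aux | dev_log_conflict
if printf '%s\n' "$SAMPLE_PS" | dev_log_conflict; then
    echo "conflict: another syslog daemon is running beside syslog-ng"
else
    echo "no competing syslog daemon found"
fi
```
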
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> syslog-ng-bounces@lists.balabit.hu
[mailto:syslog-ng-bounces@lists.balabit.hu] <B>On Behalf Of </B>lance
raymond<BR><B>Sent:</B> 09 February 2009 18:33<BR><B>To:</B> Syslog-ng users'
and developers' mailing list<BR><B>Subject:</B> Re: [syslog-ng] Still not
working at the most basic level<BR></FONT><BR></DIV>
<DIV></DIV>Thanks for the update. I did try that and still not getting
anything. I did try both tcp and udp and just wondering one other thing
(not sure if it works.)<BR><BR><B>1.</B><BR>up top it shows the following on the
server conf file;<BR>## This will create separate file for each client on central
log server and log http messages<BR>destination d_clients {
file("/var/log/web.$HOST.log"); };<BR>log { source(s_remote);
destination(d_clients); };<BR><BR>then below in the same file
shows;<BR>destination send_http_logs { file("/var/log/web.log"); };<BR><BR>So,
first I am not sure what exactly this is or should be doing. If there are
5 vhosts, according to the top it will have 5 diff log files 1 for each vhost,
yet the lower section shows only one file name.<BR><BR>ps on the server now only
shows;<BR>root 32758 0.0 0.0
7368 568 ? Ss
13:17 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid<BR><BR><B>2.</B>
<BR>Client side I have;<BR> unix-stream ("/dev/log");<BR>but (again
not sure if this matters), but ALL apache logs go to the following
folder;<BR> /home/mcp/local/apache2/logs nothing gets written to
/dev/logs<BR><BR>ps on the client only
shows;<BR>root 5612 0.0
0.0 7236 424 ?
Ss 13:31 0:00 /sbin/syslog-ng -p
/var/run/syslogd.pid<BR><BR>I have changed both not to run at startup (via
chkconfig) but haven't restarted the boxes as they are in use. The other
odd thing, I stopped syslog-ng, there was nothing running yet the local logs
kept writing to the local files (didn't think they would if syslog and syslog-ng
were stopped).<BR><BR>Thanks again, I will keep trying anything suggested till
this thing works!<BR><BR>
<DIV class=gmail_quote>On Mon, Feb 9, 2009 at 11:44 AM, Fegan, Joe <SPAN
dir=ltr>&lt;<A href="mailto:Joe.Fegan@hp.com">Joe.Fegan@hp.com</A>&gt;</SPAN>
wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><SPAN><FONT face=Arial color=#0000ff size=2>On
the client:</FONT></SPAN></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN></SPAN><SPAN></SPAN> </DIV>
<DIV dir=ltr align=left>
<DIV class=Ih2E3d><SPAN></SPAN>source s_sys {<BR> file
("/proc/kmsg" log_prefix("kernel: "));<BR> unix-stream
("/dev/log");<BR> internal();<BR></DIV>
<DIV class=Ih2E3d>};<BR><BR>and the running process
are;<BR>root 1607 0.0
0.0 6216 904
? Ss
2008 0:48 syslogd -m 0<BR>root 28374
0.0 0.0 7368 564
? Ss 11:24
0:00 /sbin/syslog-ng -p /var/run/syslogd.pid<BR><BR></DIV><SPAN><FONT
face=Arial color=#0000ff size=2>The standard syslogd daemon is running
and almost certainly owns the /dev/log socket and the kernel
output pseudo-file /proc/kmsg. This means that syslog-ng (which starts
later) will receive nothing from those sources and will forward
everything it receives (i.e. nothing) to the server.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>You need
to chkconfig syslogd off (or the equivalent on your distro) to stop
standard syslogd from running.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Joe.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left>
<HR>
</DIV>
<DIV dir=ltr align=left><FONT face=Tahoma size=2><B>From:</B> <A
href="mailto:syslog-ng-bounces@lists.balabit.hu"
target=_blank>syslog-ng-bounces@lists.balabit.hu</A> [mailto:<A
href="mailto:syslog-ng-bounces@lists.balabit.hu"
target=_blank>syslog-ng-bounces@lists.balabit.hu</A>] <B>On Behalf Of
</B>lance raymond<BR><B>Sent:</B> 09 February 2009 16:34<BR><B>To:</B>
Syslog-ng users' and developers' mailing list<BR><B>Subject:</B> [syslog-ng]
Still not working at the most basic level<BR></FONT><BR></DIV>
<DIV>
<DIV></DIV>
<DIV class=Wj3C7c>
<DIV></DIV>ok, so can anyone say how to troubleshoot the most basic scenario
to start. 1 server, 1 client, have client write logs to server? I
will show both config files, please note I have tried both UDP and TCP and
neither work. I did notice doing an lsof |grep syslog that the port does
change from udp to tcp so I know it's reading the config file, I just don't
know how to turn on some debugging or another way to trace the log as it's
still being written to the client.<BR><BR>ok, so <B>server config
is;</B><BR>#source s_remote { udp(); };<BR>source s_remote {
tcp(); };<BR>## This will create separate file for each client on central log
server and log http messages<BR>destination d_clients {
file("/var/log/web.$HOST.log"); };<BR>log { source(s_remote);
destination(d_clients);
};<BR>#################################################################<BR><BR>options
{<BR>sync (0);<BR>time_reopen (10);<BR>log_fifo_size (1000);<BR>long_hostnames
(off);<BR>use_dns (no);<BR>use_fqdn (no);<BR>create_dirs
(no);<BR>keep_hostname (yes);<BR>};<BR><BR>source s_sys {<BR>file
("/proc/kmsg" log_prefix("kernel: "));<BR>unix-stream
("/dev/log");<BR>internal();<BR>#udp(ip(0.0.0.0) port(514));<BR>};<BR><BR>##
This will log local http messages to defined file<BR><BR>destination
send_http_logs { file("/var/log/web.log"); };<BR><BR>filter send_http_logs
{<BR>program("httpd.*");<BR>};<BR><BR>log
{<BR>source(s_sys);<BR>filter(send_http_logs);<BR>destination(send_http_logs);<BR>};<BR><BR>and
the server shows the following running
process;<BR>root 30945 0.0 0.0
7240 636 ?
Ss 11:24 0:00 /sbin/syslog-ng -p
/var/run/syslogd.pid<BR><BR><B>Client side:</B><BR><BR>options
{<BR> sync
(0);<BR> time_reopen
(10);<BR><BR>
log_fifo_size
(1000);<BR>
long_hostnames(on);<BR>
use_dns(yes);<BR>
dns_cache(yes);<BR>
use_fqdn(no);<BR>
create_dirs (yes);<BR>
keep_hostname (yes);<BR>
perm(0640);<BR>
dir_perm(0750);<BR><BR>};<BR><BR>source s_sys {<BR> file
("/proc/kmsg" log_prefix("kernel: "));<BR> unix-stream
("/dev/log");<BR> internal();<BR>};<BR>#destination send_http_logs
{ udp("192.168.2.54" port(514)); };<BR>destination send_http_logs {
tcp("192.168.2.54" port(514)); };<BR><BR><BR>filter send_http_logs
{<BR>program("httpd.*");<BR>};<BR><BR>log
{<BR>source(s_sys);<BR>filter(send_http_logs);<BR>destination(send_http_logs);<BR>};<BR><BR>and
the running process are;<BR>root 1607
0.0 0.0 6216 904
? Ss
2008 0:48 syslogd -m 0<BR>root 28374
0.0 0.0 7368 564
? Ss 11:24
0:00 /sbin/syslog-ng -p /var/run/syslogd.pid<BR><BR>Not sure if the client is
supposed to have 2 processes or not, but any help is really
appreciated.<BR><BR></DIV></DIV></DIV><BR></BLOCKQUOTE></DIV><BR></BODY></HTML>