<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#0050d0">
<font size="-1"><font face="Helvetica, Arial, sans-serif">Yes, that
should work just fine. I run a box with 4 syslog instances and they all
place nice together. My setup isnt exactly the same, but I have no
problems which you are experiencing. My setup: I have a master
syslog-ng process that does nothing but accept connections from remote
hosts and from the local system. That process then relays the messages
to other local syslog-ng processes which do the actual work (lots and
lots of parsing).<br>
I only included the options and source sections as theyre the only ones
that matter.<br>
<br>
Master syslog-ng process that accepts from local & remote &
forwards to other local processes<br>
</font></font>
<table border="1" cellpadding="2" cellspacing="2" width="100%">
<tbody>
<tr>
<td valign="top"><font size="-1"><font
face="Helvetica, Arial, sans-serif"><font color="#990000">@version: 3.0<br>
# syslog-ng configuration file.<br>
#<br>
# This should behave pretty much like the original syslog on RedHat. But<br>
# it could be configured a lot smarter.<br>
#<br>
# See syslog-ng(8) and syslog-ng.conf(5) for more information.<br>
#<br>
<br>
options {<br>
time_reopen(1);<br>
use_dns(no);<br>
use_fqdn(yes);<br>
keep_hostname(yes);<br>
create_dirs(yes);<br>
perm(0644);<br>
dir_perm(0755);<br>
log_iw_size(50000);<br>
log_fifo_size(100000);<br>
#time_sleep(1);<br>
};<br>
<br>
source s_sys {<br>
file("/proc/kmsg" program-override("kernel"));<br>
unix-stream ("/dev/log");<br>
internal();<br>
};<br>
source s_net {<br>
tcp(ip(0.0.0.0) port(514) max-connections(1000));<br>
udp(ip(0.0.0.0) port(514));<br>
};</font><br>
</font></font></td>
</tr>
</tbody>
</table>
<font size="-1"><font face="Helvetica, Arial, sans-serif"><br>
syslog-ng that accepts the forwarded messages<br>
</font></font>
<table border="1" cellpadding="2" cellspacing="2" width="100%">
<tbody>
<tr>
<td valign="top"><font color="#990000" size="-1"><font
face="Helvetica, Arial, sans-serif">@version: 3.0<br>
# syslog-ng configuration file.<br>
#<br>
# This should behave pretty much like the original syslog on RedHat. But<br>
# it could be configured a lot smarter.<br>
#<br>
# See syslog-ng(8) and syslog-ng.conf(5) for more information.<br>
#<br>
<br>
options {<br>
time_reopen(1);<br>
long_hostnames(off);<br>
use_dns(no);<br>
use_fqdn(no);<br>
keep_hostname(yes);<br>
create_dirs(yes);<br>
perm(0644);<br>
dir_perm(0755);<br>
#log_fetch_limit(100000);<br>
#log_iw_size(200000);<br>
#log_fifo_size(400000);<br>
flush_lines(50);<br>
flush_timeout(5000);<br>
#stats_freq(10);<br>
#stats_level(2);<br>
#time_sleep(1);<br>
};<br>
<br>
<br>
source s_master {<br>
#syslog(ip(127.0.0.1) port(515) transport('tcp') so_keepalive(yes)
log_iw_size(1000));<br>
tcp(ip(127.0.0.1) port(515) flags('syslog-protocol'));<br>
};<br>
source s_syslog {<br>
internal();<br>
};<br>
</font></font></td>
</tr>
</tbody>
</table>
<font size="-1"><font face="Helvetica, Arial, sans-serif"><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</font></font><br>
Sent: Saturday, June 26, 2010 6:08:42 PM<br>
From: John R. Dunning <a class="moz-txt-link-rfc2396E" href="mailto:jrd@jrd.org"><jrd@jrd.org></a><br>
To: <a class="moz-txt-link-abbreviated" href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a> <br>
Subject: [syslog-ng] Two instances of syslog-ng on the same host?
<blockquote cite="mid:19494.38538.624286.389219@bioraptor.jrd.org"
type="cite">
<pre wrap="">Hi wizards. Apologies if this is an FAQ or something, but I've dug
all around and failed to find the answer.
I have a system on which, for reasons I'd rather not go into here, it
makes sense to run two instances of syslog-ng, one for standard
logging of local events, the other acting as a proxy for a flock of
other systems.
The proxy starts first, very early in the init sequence, the regular
one starts later.
This all worked great with syslog-ng 2, but I recently upgraded to
version 3.1.1 and I can't get it to work correctly. The proxy
instance is supposed to only be listening on a tcp socket, but it
seems to also be opening the AF_UNIX socket to /dev/log. This causes
the launch of the main instance to fail.
I've been through the docs, but it's not obvious to me how to get
syslog-ng to start without opening the socket to /dev/log. Hints?
Thanks in advance...
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
</body>
</html>