<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Hello,<br>
      <br>
      syslog-ng is configured to write that file:<br>
      <pre>source s_sys {
  system();
  internal();
  udp(ip(0.0.0.0) port(514));
};

destination d_mesg { file("/var/log/messages"); };

filter f_default { level(info..emerg) and
                   not (facility(mail)
                   or facility(authpriv)
                   or facility(cron)); };

log { source(s_sys); filter(f_default); destination(d_mesg); };</pre>
      This should get read as:<br>
      <br>
      whatever is read from system(), internal() or udp port 514 AND
      f_default matches on it will get written to /var/log/messages.<br>
      You're using the same source/filter pair in<br>
      <br>
      log { source(s_sys); filter(f_default); destination(d_graylog); };<br>
      <br>
      so d_graylog should get the same messages as d_mesg. From this
      point the configuration and your observation don't match.<br>
      <br>
      Is there anything else on your machine writing to
      /var/log/messages? Did you remove the duplicate udp() source to
      make sure that the s_sys and s_net sources don't collide?<br>
      <br>
      What level of troubleshooting / testing was done? Packet capture,
      syslog trace, ... ? Which syslog-ng version was used (there was no
      @version in the config), what warnings/errors did it emit during
      startup and later?<br>
      <br>
      Regards,<br>
      Sandor<br>
      <br>
      On 11/06/2018 03:52 PM, Rodney Bizzell wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CABCJT8vEZSxR_Lz_OSHXd=-HJ4amTgTyaufxLnooR4j1jsQ-oA@mail.gmail.com">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <div dir="auto">/var/log/messages </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">On Tue, Nov 6, 2018, 9:50 AM Sandor Geller &lt;<a
            href="mailto:sandor.geller@ericsson.com"
            moz-do-not-send="true">sandor.geller@ericsson.com</a>&gt; wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div text="#000000" bgcolor="#FFFFFF">
            <div class="m_-2743256449419163976moz-cite-prefix">Hello,<br>
              <br>
              On 11/06/2018 01:57 PM, Rodney Bizzell wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">If you look to the bottom of the config I
                have made changes to source(sys) pointing it to my
                graylog server. I am reading through the documentation I
                am thinking that should send the logs to graylog server 
                I am just asking  I apologize if I am making
                assumptions. The documentation isn't always clear, so I
                am just asking if I want to send /var/logs to my graylog
                server do I need to add a new source for var log?</div>
            </blockquote>
            <br>
            There is no such thing as /var/logs, please be much more
            precise. It doesn't make any sense to read back contents of
            files written by syslog-ng itself, such potential logging
            loops should get avoided anyway. If you've got additional
            stuff under /var/log (some apps could log there directly)
            then you can add these files as sources to process them by
            syslog-ng. Your current configuration doesn't contain such
            source definitions.<br>
            <br>
            <blockquote type="cite">
              <div dir="ltr">
                <div> <span>options {</span></div>
                <p class="m_-2743256449419163976gmail-p1"><span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                      </span>flush_lines (0);</p>
                <p class="m_-2743256449419163976gmail-p1"><span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                      </span>time_reopen (10);</p>
                <p class="m_-2743256449419163976gmail-p1"><span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                      </span>log_fifo_size (250000);</p>
                <p class="m_-2743256449419163976gmail-p1"><span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                      </span>chain_hostnames (off);</p>
                <p class="m_-2743256449419163976gmail-p1"><span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                      </span>use_dns (no);</p>
                <p class="m_-2743256449419163976gmail-p1"><span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                      </span>use_fqdn (no);</p>
                <p class="m_-2743256449419163976gmail-p1"><span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                      </span>create_dirs (no);</p>
                <p class="m_-2743256449419163976gmail-p1"><span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                      </span>keep_hostname (yes);</p>
                <p class="m_-2743256449419163976gmail-p1">};</p>
                <p class="m_-2743256449419163976gmail-p2"><br>
                </p>
                <p class="m_-2743256449419163976gmail-p1">source s_sys {</p>
                <p class="m_-2743256449419163976gmail-p1"><span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                      </span>system();</p>
                <p class="m_-2743256449419163976gmail-p1"><span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                      </span>internal();</p>
                <p class="m_-2743256449419163976gmail-p1"><span
                    class="m_-2743256449419163976gmail-Apple-converted-space">  
                      </span>udp(ip(0.0.0.0) port(514));</p>
                <p class="m_-2743256449419163976gmail-p1">};</p>
                <p class="m_-2743256449419163976gmail-p2"><br>
                </p>
                <p class="m_-2743256449419163976gmail-p1">source s_net {</p>
                <p class="m_-2743256449419163976gmail-p1">udp(ip(0.0.0.0)
                  port(514));</p>
                <p class="m_-2743256449419163976gmail-p1">tcp(ip(0.0.0.0)
                  port(514) max-connections(256));</p>
                <p class="m_-2743256449419163976gmail-p1">};</p>
              </div>
            </blockquote>
            Note: you're using the same udp() source twice (the first
            occurrence is in the s_sys source) so one of them won't
            receive messages.
            <blockquote type="cite">
              <div dir="ltr">
                <p class="m_-2743256449419163976gmail-p1">destination
                  d_cons { file("/dev/console"); };</p>
                <p class="m_-2743256449419163976gmail-p1">destination
                  d_mesg { file("/var/log/messages"); };</p>
                <p class="m_-2743256449419163976gmail-p1">destination
                  d_auth { file("/var/log/secure"); };</p>
                <p class="m_-2743256449419163976gmail-p1">destination
                  d_mail { file("/var/log/maillog" flush_lines(10)); };</p>
                <p class="m_-2743256449419163976gmail-p1">destination
                  d_spol { file("/var/log/spooler"); };</p>
                <p class="m_-2743256449419163976gmail-p1">destination
                  d_boot { file("/var/log/boot.log"); };</p>
                <p class="m_-2743256449419163976gmail-p1">destination
                  d_cron { file("/var/log/cron"); };</p>
                <p class="m_-2743256449419163976gmail-p1">destination
                  d_kern { file("/var/log/kern"); };</p>
                <p class="m_-2743256449419163976gmail-p1">destination
                  d_mlal { usertty("*"); };</p>
                <p class="m_-2743256449419163976gmail-p2"><br>
                </p>
                <p class="m_-2743256449419163976gmail-p2"><br>
                </p>
                <p class="m_-2743256449419163976gmail-p1">destination
                  d_graylog {</p>
                <p class="m_-2743256449419163976gmail-p1">tcp("graylog.server"</p>
                <p class="m_-2743256449419163976gmail-p1">port (12201)</p>
                <p class="m_-2743256449419163976gmail-p1">);</p>
                <p class="m_-2743256449419163976gmail-p1">};</p>
                <p class="m_-2743256449419163976gmail-p2"><br>
                </p>
                <p class="m_-2743256449419163976gmail-p2"><br>
                </p>
                <p class="m_-2743256449419163976gmail-p1">filter
                  f_kernel <span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                      </span>{ facility(kern); };</p>
                <p class="m_-2743256449419163976gmail-p1">filter
                  f_default<span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                      </span>{ level(info..emerg) and</p>
                <p class="m_-2743256449419163976gmail-p1"><span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                                          </span>not (facility(mail)</p>
                <p class="m_-2743256449419163976gmail-p1"><span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                                          </span>or facility(authpriv)</p>
                <p class="m_-2743256449419163976gmail-p1"><span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                                          </span>or facility(cron)); };</p>
                <p class="m_-2743256449419163976gmail-p1">filter f_auth
                  <span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                        </span>{ facility(authpriv); };</p>
                <p class="m_-2743256449419163976gmail-p1">filter f_mail
                  <span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                        </span>{ facility(mail); };</p>
                <p class="m_-2743256449419163976gmail-p1">filter
                  f_emergency<span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                  </span>{ level(emerg); };</p>
                <p class="m_-2743256449419163976gmail-p1">filter f_news
                  <span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                        </span>{ facility(uucp) or</p>
                <p class="m_-2743256449419163976gmail-p1"><span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                                          </span>(facility(news)</p>
                <p class="m_-2743256449419163976gmail-p1"><span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                                          </span>and
                  level(crit..emerg)); };</p>
                <p class="m_-2743256449419163976gmail-p1">filter f_boot
                  <span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                  </span>{ facility(local7); };</p>
                <p class="m_-2743256449419163976gmail-p1">filter f_cron
                  <span
                    class="m_-2743256449419163976gmail-Apple-converted-space"> 
                  </span>{ facility(cron); };</p>
                <p class="m_-2743256449419163976gmail-p2"><br>
                </p>
                <p class="m_-2743256449419163976gmail-p1">log {
                  source(s_sys); filter(f_kernel); destination(d_cons);
                  };</p>
                <p class="m_-2743256449419163976gmail-p1">log {
                  source(s_sys); filter(f_kernel); destination(d_kern);
                  };</p>
                <p class="m_-2743256449419163976gmail-p1">log {
                  source(s_sys); filter(f_default); destination(d_mesg);
                  };</p>
                <p class="m_-2743256449419163976gmail-p1">log {
                  source(s_sys); filter(f_auth); destination(d_auth); };</p>
                <p class="m_-2743256449419163976gmail-p1">log {
                  source(s_sys); filter(f_mail); destination(d_mail); };</p>
                <p class="m_-2743256449419163976gmail-p1">log {
                  source(s_sys); filter(f_emergency);
                  destination(d_mlal); };</p>
                <p class="m_-2743256449419163976gmail-p1">log {
                  source(s_sys); filter(f_news); destination(d_spol); };</p>
                <p class="m_-2743256449419163976gmail-p1">log {
                  source(s_sys); filter(f_boot); destination(d_boot); };</p>
                <p class="m_-2743256449419163976gmail-p1">log {
                  source(s_sys); filter(f_cron); destination(d_cron); };</p>
                <p class="m_-2743256449419163976gmail-p2"><br>
                </p>
                <p class="m_-2743256449419163976gmail-p2"><br>
                </p>
                <p class="m_-2743256449419163976gmail-p2"><br>
                </p>
                <p class="m_-2743256449419163976gmail-p1">log {
                  source(s_net); destination(d_graylog); };</p>
                <p class="m_-2743256449419163976gmail-p1">log {
                  source(s_sys); filter(f_default);
                  destination(d_graylog);};</p>
                <p class="m_-2743256449419163976gmail-p1">log {
                  source(s_sys); filter(f_kernel);
                  destination(d_graylog); };</p>
                <p class="m_-2743256449419163976gmail-p1">log {
                  source(s_sys); filter(f_default);
                  destination(d_graylog); };</p>
              </div>
            </blockquote>
            Note: the last line is a duplicate of the entry two lines
            earlier so will duplicate the data sent to d_graylog so it
            should get deleted. Also note that the intersection of the
            f_kernel and f_default filters isn't empty so some kernel
            messages would be sent twice to d_graylog.<br>
            <br>
            Regards,<br>
            Sandor<br>
            <br>
          </div>
______________________________________________________________________________<br>
          Member info: <a
            href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
            rel="noreferrer noreferrer" target="_blank"
            moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
          Documentation: <a
            href="http://www.balabit.com/support/documentation/?product=syslog-ng"
            rel="noreferrer noreferrer" target="_blank"
            moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
          FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq"
            rel="noreferrer noreferrer" target="_blank"
            moz-do-not-send="true">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
          <br>
        </blockquote>
      </div>
      <br>
    </blockquote>
    <p><br>
    </p>
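    <p>The three issues raised in the replies above (a udp() listener bound in both s_sys and s_net, a repeated log statement, and two filters feeding the same source/destination pair) can be checked mechanically before a configuration is deployed. The Python check below is an added example, not part of the original thread and not a syslog-ng tool; the function names and the regex-based parsing (ip() written before port(), no nested braces) are assumptions, and the sample is constructed from the configuration quoted in the thread.</p>
<pre>
```python
import re
from collections import defaultdict

# Constructed sample: the source and d_graylog log statements quoted in the thread.
SAMPLE_CONF = """
source s_sys { system(); internal(); udp(ip(0.0.0.0) port(514)); };
source s_net { udp(ip(0.0.0.0) port(514)); tcp(ip(0.0.0.0) port(514) max-connections(256)); };
log { source(s_net); destination(d_graylog); };
log { source(s_sys); filter(f_default); destination(d_graylog);};
log { source(s_sys); filter(f_kernel); destination(d_graylog); };
log { source(s_sys); filter(f_default); destination(d_graylog); };
"""

SOURCE_RE = re.compile(r"\bsource\s+(\w+)\s*\{(.*?)\}\s*;", re.S)
LISTEN_RE = re.compile(r"\b(udp|tcp)\s*\(\s*ip\(([^)]*)\)\s*port\s*\((\d+)\)")
LOG_RE = re.compile(r"\blog\s*\{(.*?)\}\s*;", re.S)

def duplicate_listeners(conf):
    """Map (proto, ip, port) -> source names, for listeners bound more than once."""
    seen = defaultdict(list)
    for name, body in SOURCE_RE.findall(conf):
        for proto, ip, port in LISTEN_RE.findall(body):
            seen[(proto, ip.strip(), int(port))].append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}

def duplicate_log_paths(conf):
    """Map whitespace-normalized log statements that occur more than once -> count."""
    counts = defaultdict(int)
    for body in LOG_RE.findall(conf):
        counts[re.sub(r"\s+", "", body)] += 1
    return {k: n for k, n in counts.items() if n > 1}

def filters_per_route(conf):
    """Map (source, destination) -> filters, where several filters feed one route."""
    routes = defaultdict(set)
    for body in LOG_RE.findall(conf):
        src = re.findall(r"source\((\w+)\)", body)
        dst = re.findall(r"destination\((\w+)\)", body)
        for s in src:
            for d in dst:
                routes[(s, d)].update(re.findall(r"filter\((\w+)\)", body))
    return {k: sorted(v) for k, v in routes.items() if len(v) > 1}

if __name__ == "__main__":
    print("listeners bound twice:", duplicate_listeners(SAMPLE_CONF))
    print("repeated log paths:", duplicate_log_paths(SAMPLE_CONF))
    print("routes with several filters:", filters_per_route(SAMPLE_CONF))
```
</pre>
    <p>A route reported by filters_per_route only means the filters need a manual look for overlap; the check does not evaluate the filter expressions themselves.</p>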
  </body>
</html>