ok, so can anyone say how to troubleshoot the most basic scenario to start. 1 server, 1 client, have client write logs to server? I will show both config files, please note tI have tried both UDP and TCP and neither work. I did notice doing an lsof |grep syslog that the port does change from udp to tcp so I know it's reading the config file, I just don't know how to turn on some debugging or another way to trace the log as it's still being written to the client. ok, so *server config is;* #source s_remote { udp(); }; source s_remote { tcp(); }; ## This will create seprate file for each client on central log server and log http messages destination d_clients { file("/var/log/web.$HOST.log"); }; log { source(s_remote); destination(d_clients); }; ################################################################# options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); }; source s_sys { file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); #udp(ip(0.0.0.0) port(514)); }; ## This will log local http messages to defined file destination send_http_logs { file("/var/log/web.log"); }; filter send_http_logs { program("httpd.*"); }; log { source(s_sys); filter(send_http_logs); destination(send_http_logs); }; and the server shows the following running process; root 30945 0.0 0.0 7240 636 ? Ss 11:24 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid *Client side:* options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames(on); use_dns(yes); dns_cache(yes); use_fqdn(no); create_dirs (yes); keep_hostname (yes); perm(0640); dir_perm(0750); }; source s_sys { file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); }; #destination send_http_logs { udp("192.168.2.54" port(514)); }; destination send_http_logs { tcp("192.168.2.54" port(514)); }; filter send_http_logs { program("httpd.*"); }; log { source(s_sys); filter(send_http_logs); destination(send_http_logs); }; and the running process are; root 1607 0.0 0.0 6216 904 ? Ss 2008 0:48 syslogd -m 0 root 28374 0.0 0.0 7368 564 ? Ss 11:24 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid Not sure if the client is supposed to have 2 processes or not, but any help is really appreciated.