Hi,
I apologize, I forgot some important details like you said. I'm using the UDP protocol and both APs are logging into one file, but I want to log into another file for the second AP. Something like this:
1 AP ---------LocalFirewall--------INTERNET------------MyNetwork-------SyslogServer port 514 pass RULE pass RULE UDP 514
2 AP ---------LocalFirewall--------INTERNET------------MyNetwork-------SyslogServer port 515 pass Rule pass Rule UDP 515
I configured 2 sources, 2 destinations and 2 filters with these UDP ports, but without success.
you didn't configure both ports
I wish to make some other tests like you said with tcpdump, but I don't have remote access.
Does the syslog server know which file it has to write to by the UDP port?
although syslog-ng is quite advanced it doesn't have mind-reading capabilities (yet) so you must tell it how to process messages
I post my syslog-ng-conf
source AP1 { udp();
instead of plain udp() you could use udp(port(514)); although 514 is the default port but it won't hurt to set it explicitly ...
source AP2 { udp();
and here use udp(port(515)); so syslog-ng will actually listen on the port
your filters imply dynamic DNS so I'm not sure that it is a good idea to use hostnames for filtering (especially when you're using the *same* hostname for two different devices so unless NAT is involved at least one filter won't match on incoming logs). Just remove the filters and when the logs are written to disk you can add back / refine the filtering.
hth,
Sandor
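
Added example, not part of the original thread: a syslog-ng configuration fragment that follows the advice above, with one UDP source per port and one file per source, and no hostname filters. The source names AP1 and AP2 and the ports come from the thread; the destination names and file paths are assumptions.

```conf
# Fragment for syslog-ng.conf (added example; destination names and
# file paths below are assumptions, not taken from the thread).

# One listener per access point. The port is set explicitly on both,
# so syslog-ng actually binds 514 and 515 instead of 514 twice.
source AP1 { udp(port(514)); };
source AP2 { udp(port(515)); };

# One output file per access point (hypothetical paths).
destination d_ap1 { file("/var/log/ap1.log"); };
destination d_ap2 { file("/var/log/ap2.log"); };

# The receiving port alone decides the file, so no filter is needed.
# Each log path ties exactly one source to exactly one destination.
log { source(AP1); destination(d_ap1); };
log { source(AP2); destination(d_ap2); };

# Hostname filters can be added back later, once messages are
# confirmed to arrive in the right file, by placing a filter()
# reference between source() and destination() in a log path.
```

Because both listeners are reachable from the Internet over UDP, the pass rules on the firewall in front of the syslog server should allow ports 514 and 515 only from the address each AP's traffic arrives from.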