Hi!
1. your full configuration (you can mask proprietary information). For the full config, have a look at the end of this message.
2. a capture of the network traffic which proves that the logs arrive at your host. Network traffic is definitely arriving at my host, because *this* works:
############################################################## source net { udp(ip("0.0.0.0") port(514)); }; destination netlog { file("/var/log/netlog/net.log" template( "[$YEAR/$MONTH/$DAY $HOUR:$MIN:$SEC] '$HOST' '$PRIORITY' $MESSAGE\n")); }; log { source(net); destination(netlog); }; ############################################################## The file /var/log/netlog/net.log is written and has the following content: [2008/09/18 16:24:44] '192.168.xx.xx' 'info' %ASA-6-302013: Built outbound TCP connection 1296007 for proxy :192.168.xx.xx/8080 (192.168.xx.xx/8080) to inside:192.168.xx.xx/39564 (192.168.xx.xx.1/39564) [2008/09/18 16:24:44] '192.168.xx.xx' 'info' %ASA-6-302014: Teardown TCP connection 1296007 for proxy:192.168.xxx.xxx/8080 to inside:192.168.xxx.xxx/39564 duration 0:00:00 bytes 1343 TCP FINs etc.
3. a strace output of the syslog-ng daemon which proves that it did receive the packets
Ahem... how many lines of output from strace would you like to see? :-) I have over 2000 in less than a minute... :-) I think you're looking for something like the following: recvfrom(3, "<166>%ASA-6-302016: Teardown UDP"..., 2048, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("192.168.xx.xx")}, [16]) = 125 I can also see my logfile being opened: open("/var/log/netlog/net.log", O_WRONLY|O_NONBLOCK|O_APPEND|O_CREAT|O_NOCTTY|O_LARGEFILE, 0644) = 6 chown32("/var/log/netlog/net.log", 0, 0) = 0 chmod("/var/log/netlog/net.log", 0644) = 0 No hints of any mysql activity, though.
4. the resources your syslog-ng daemon is actually using, like `ls -l /proc/[PID]/fd`, netstat output, etc.
srv-kon-log:/var/log # ls -l /proc/26666/fd/* lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/0 -> /dev/null lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/1 -> /dev/null lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/2 -> /dev/null lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/3 -> socket:[15236977] l-wx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/4 -> /var/log/messages lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/5 -> socket:[15236978] l-wx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/6 -> /var/log/netlog/net.log l-wx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/7 -> /var/log/warn lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/8 -> /dev/xconsole l-wx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/9 -> /dev/tty10 srv-kon-log:/var/log # netstat -an | grep 514 udp 0 0 0.0.0.0:514 0.0.0.0:* And now for the full config. Here it comes: ######################################################################## ##### options { long_hostnames(off); sync(1); log_fifo_size(16384); time_reopen(10); dns_cache(yes); perm(0644); stats(43200); use_fqdn(yes); use_dns(yes); chain_hostnames(no); keep_hostname(yes); }; source src { internal(); unix-dgram("/dev/log"); }; source net { udp(ip("0.0.0.0") port(514)); }; filter f_iptables { facility(kern) and match("IN=") and match("OUT="); }; filter f_console { level(warn) and facility(kern) and not filter(f_iptables) filter f_newsnotice { level(notice) and facility(news); }; filter f_newscrit { level(crit) and facility(news); }; filter f_newserr { level(err) and facility(news); }; filter f_news { facility(news); }; filter f_mailinfo { level(info) and facility(mail); }; filter f_mailwarn { level(warn) and facility(mail); }; filter f_mailerr { level(err, crit) and facility(mail); }; filter f_mail { facility(mail); }; filter f_cron { facility(cron); }; filter f_local { facility(local0, local1, local2, local3, filter f_acpid { match('^\[acpid\]:'); }; filter f_netmgm { 
match('^NetworkManager:'); }; filter f_messages { not facility(news, mail) and not filter(f_iptables); }; filter f_warn { level(warn, err, crit) and not filter(f_iptables); }; filter f_alert { level(alert); }; destination console { file("/dev/tty10" group(tty) perm(0620)); }; log { source(src); filter(f_console); destination(console); }; destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); }; log { source(src); filter(f_console); destination(xconsole); }; destination newscrit { file("/var/log/news/news.crit" log { source(src); filter(f_newscrit); destination(newscrit); }; destination newserr { file("/var/log/news/news.err" log { source(src); filter(f_newserr); destination(newserr); }; destination newsnotice { file("/var/log/news/news.notice" log { source(src); filter(f_newsnotice); destination(newsnotice); }; destination mailinfo { file("/var/log/mail.info"); }; log { source(src); filter(f_mailinfo); destination(mailinfo); }; destination mailwarn { file("/var/log/mail.warn"); }; log { source(src); filter(f_mailwarn); destination(mailwarn); }; destination mailerr { file("/var/log/mail.err" fsync(yes)); }; log { source(src); filter(f_mailerr); destination(mailerr); }; destination mail { file("/var/log/mail"); }; log { source(src); filter(f_mail); destination(mail); }; destination acpid { file("/var/log/acpid"); }; log { source(src); filter(f_acpid); destination(acpid); flags(final); }; destination netmgm { file("/var/log/NetworkManager"); }; log { source(src); filter(f_netmgm); destination(netmgm); flags(final); }; destination localmessages { file("/var/log/localmessages"); }; log { source(src); filter(f_local); destination(localmessages); }; destination messages { file("/var/log/messages"); }; log { source(src); filter(f_messages); destination(messages); }; destination firewall { file("/var/log/firewall"); }; log { source(src); filter(f_iptables); destination(firewall); }; destination warn { file("/var/log/warn" fsync(yes)); }; log { source(src); 
filter(f_warn); destination(warn); }; destination netlog { file("/var/log/netlog/net.log" template( "[$YEAR/$MONTH/$DAY $HOUR:$MIN:$SEC] '$HOST' '$PRIORITY' $MESSAGE\n")); }; log { source(net); destination(netlog); }; destination mysql { #file("/var/log/mysqltest.log"
program("/usr/bin/mysql --reconnect -f -T --user=syslogadmin --password=xxxxx syslog >> /var/log/db_log.log 2>&1" template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n") template-escape(yes)); }; log { source(net); destination(mysql); }; ######################################################################## ####### By the way, I also tried destination mysql { program("/usr/bin/mysql -u=syslogadmin -p=xxxxx syslog" template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n") template-escape(yes)); }; with the same effect (i.e. none). Please let me know if and where I made any mistakes. Thanks a lot for your help! Andreas -- CONET Solutions GmbH Andreas Stallmann, Senior Berater Theodor-Heuss-Allee 19, 53773 Hennef Tel.: +49 2242-939-677, Fax: +49 2242-939-393 Internet: http://www.conet.de, mailto: astallmann@conet.de ----------------------------------- CONET Solutions GmbH, Theodor-Heuss-Allee 19, 53773 Hennef Registergericht/Registration Court: Amtsgericht Siegburg (HRB Nr. 9136) Geschäftsführer/Managing Directors: Dipl.-Inform. Rüdiger Zeyen (Sprecher/Chairman), Dipl.-Betriebsw. Wilfried Putz und Dipl.-Inform. Jürgen Zender Vorsitzender des Aufsichtsrates/Chairman of the Supervisory Board: Dipl.-Math. Hans-Jürgen Niemeier