Greetings,

I did as you suggested and I do see the recvfrom() when a message arrives. Never used truss before. Interesting, but nothing goes into the log file.

kparis@netlog$ ps -aef | grep sysl
kparis 25013 24857 0 13:38:59 pts/1 0:00 grep sysl
root 23643 1 0 Sep 12 ? 0:00 /usr/local/sbin/syslog-ng - f /usr/local/etc/syslog-ng.conf -p /var/run/syslog-n

truss -p 23643
poll(0xFFBEF658, 3, 60000) = 1
recvfrom(3, " < 5 > 6 7 5 : S e p ".., 519, 0, 0xFFBEF448, 0xFFBEF444) = 99
time() = 1000499766
poll(0xFFBEF658, 3, 100) = 0
poll(0xFFBEF658, 3, 60000) (sleeping...)
signotifywait() (sleeping...)
lwp_cond_wait(0xFF0F55C8, 0xFF0F55D8, 0xFF1D5C48) (sleeping...)
door_return(0x00000000, 0, 0x00000000, 0) (sleeping...)
door_return(0x00000000, 0, 0x00000000, 0) (sleeping...)

This repeats anytime I change the config on the Cisco device (which immediately sends a message to loghost).

My current config is:

kparis@netlog$ cat syslog-ng.conf
options {
    sync(0);
    keep_hostname(yes);
    chain_hostnames(no);
    log_fifo_size (30000);
};

source s_local {
    sun-streams("/dev/log" door("/etc/.syslog_door"));
    internal ();
};

source s_net_udp {
    udp();
};

destination d_local {
    file("/var/log/default");
};

log {
    source(s_local);
    source(s_net_udp);
    destination(d_local);
};

kparis@netlog$ ls -l /var/log
total 34
-rw------- 1 root sys 0 Aug 17 14:41 authlog
-rw------- 1 root root 9057 Sep 14 13:29 default
....

I can see this indicates the message is arriving at syslog-ng. Am I close? I am not sure how to proceed from this point.

Thanks for your suggestions and support.

Best regards,
Ken Paris
Try truss-ing syslog-ng to see whether it receives packets. You should see recvfrom() calls when a message arrives.
-- Bazsi