On the client:

    source s_sys {
        file ("/proc/kmsg" log_prefix("kernel: "));
        unix-stream ("/dev/log");
        internal();
    };
and the running processes are:

    root  1607  0.0  0.0  6216  904  ?  Ss  2008   0:48  syslogd -m 0
    root 28374  0.0  0.0  7368  564  ?  Ss  11:24  0:00  /sbin/syslog-ng -p /var/run/syslogd.pid
The standard syslogd daemon is running and almost certainly owns the /dev/log socket and the kernel output pseudo-file /proc/kmsg. This means that syslog-ng (which starts later) will receive nothing from those sources and will forward everything it receives (i.e. nothing) to the server.

You need to chkconfig syslogd off (or the equivalent on your distro) to stop standard syslogd from running.
Joe.
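A small diagnostic script for the situation Joe describes, added here as an example and not part of the thread. It assumes a Linux client with ps(1) and, for the live mode, fuser(1) (from psmisc) and logger(1). It counts the syslog daemons in a ps listing (a second daemon is the sign that /dev/log and /proc/kmsg are already owned), shows which process holds /dev/log, and sends a test message tagged so that it passes the client's program("httpd.*") filter; the embedded ps listing is a constructed sample modelled on the one in the thread.

```shell
#!/bin/sh
# Added diagnostic helper; not part of the mailing-list thread.
# Assumes a Linux host with ps(1); live mode also uses fuser(1) and logger(1).

# Constructed sample modelled on the client's `ps aux` listing in the thread.
SAMPLE_PS='root      1607  0.0  0.0   6216   904 ?  Ss   2008   0:48 syslogd -m 0
root     28374  0.0  0.0   7368   564 ?  Ss   11:24  0:00 /sbin/syslog-ng -p /var/run/syslogd.pid
root       999  0.0  0.0   4321   200 ?  S    11:20  0:00 /usr/sbin/httpd -k start'

# Print the number of syslog daemons (syslogd, rsyslogd, syslog-ng) in a
# `ps aux`-style listing read from stdin. Two is the conflict Joe describes:
# whichever started first owns /dev/log and /proc/kmsg, the other gets nothing.
count_syslog_daemons() {
    awk '{ cmd = $11; sub(/.*\//, "", cmd)
           if (cmd == "syslogd" || cmd == "rsyslogd" || cmd == "syslog-ng") n++ }
         END { print n + 0 }'
}

# Print the matching daemon names, one per line (used for the warning below).
list_syslog_daemons() {
    awk '{ cmd = $11; sub(/.*\//, "", cmd)
           if (cmd == "syslogd" || cmd == "rsyslogd" || cmd == "syslog-ng") print cmd }'
}

# Live checks for the current host. Only run when invoked with --live, so the
# script has no side effects when sourced or run without arguments.
check_live_host() {
    n=$(ps aux | count_syslog_daemons)
    if [ "$n" -gt 1 ]; then
        echo "WARNING: $n syslog daemons are running:" >&2
        ps aux | list_syslog_daemons | sed 's/^/  /' >&2
        echo "Disable all but one (e.g. chkconfig syslogd off) and restart." >&2
    fi
    # Which process holds the /dev/log socket? fuser reports to stderr.
    if command -v fuser >/dev/null 2>&1; then
        echo "Owner of /dev/log:"
        fuser -v /dev/log 2>&1 | sed 's/^/  /'
    fi
    # Send a test message that passes the thread's program("httpd.*") filter:
    # the tag must start with "httpd", otherwise the client drops the message
    # before it ever reaches the tcp() destination.
    logger -t httpd "syslog-ng relay test $(date +%s)"
    echo "Sent a tagged test message; now check /var/log/web.<host>.log on the server."
}

case "${1:-}" in
    --live) check_live_host ;;
    *)      printf '%s\n' "$SAMPLE_PS" | count_syslog_daemons ;;   # sample data: prints 2
esac
```

Run it as `sh check_syslog.sh --live` on the client; with no arguments it only evaluates the constructed sample. If the server still shows nothing after a single daemon is left running, the tagged `logger` message is the thing to trace, since anything not tagged `httpd...` never leaves the client under that filter.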
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of lance raymond
Sent: 09 February 2009 16:34
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] Still not working at the most basic level
ok, so can anyone say how to troubleshoot the most basic scenario to start: 1 server, 1 client, have the client write logs to the server? I will show both config files; please note I have tried both UDP and TCP and neither works. I did notice doing an lsof | grep syslog that the port does change from udp to tcp, so I know it's reading the config file, I just don't know how to turn on some debugging or another way to trace the log as it's still being written to the client.

ok, so the server config is:
    #source s_remote { udp(); };
    source s_remote { tcp(); };

    ## This will create a separate file for each client on the central log
    ## server and log http messages
    destination d_clients { file("/var/log/web.$HOST.log"); };

    log {
        source(s_remote); destination(d_clients);
    };

    #################################################################
    options {
        sync (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        use_dns (no);
        use_fqdn (no);
        create_dirs (no);
        keep_hostname (yes);
    };

    source s_sys {
        file ("/proc/kmsg" log_prefix("kernel: "));
        unix-stream ("/dev/log");
        internal();
        #udp(ip(0.0.0.0) port(514));
    };

    ## This will log local http messages to the defined file
    destination send_http_logs { file("/var/log/web.log"); };

    filter send_http_logs {
        program("httpd.*");
    };

    log {
        source(s_sys);
        filter(send_http_logs);
        destination(send_http_logs);
    };
and the server shows the following running process:

    root 30945  0.0  0.0  7240  636  ?  Ss  11:24  0:00  /sbin/syslog-ng -p /var/run/syslogd.pid
Client side:

    options {
        sync (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames(on);
        use_dns(yes);
        dns_cache(yes);
        use_fqdn(no);
        create_dirs (yes);
        keep_hostname (yes);
        perm(0640);
        dir_perm(0750);
    };

    source s_sys {
        file ("/proc/kmsg" log_prefix("kernel: "));
        unix-stream ("/dev/log");
        internal();
    };

    #destination send_http_logs { udp("192.168.2.54" port(514)); };
    destination send_http_logs { tcp("192.168.2.54" port(514)); };

    filter send_http_logs {
        program("httpd.*");
    };

    log {
        source(s_sys);
        filter(send_http_logs);
        destination(send_http_logs);
    };
and the running processes are:

    root  1607  0.0  0.0  6216  904  ?  Ss  2008   0:48  syslogd -m 0
    root 28374  0.0  0.0  7368  564  ?  Ss  11:24  0:00  /sbin/syslog-ng -p /var/run/syslogd.pid
Not sure if the client is supposed to have 2 processes or not, but any help is really appreciated.