I see that version 14 does not support "sync" now (the -/var/log/xxx.log alternative in standard syslogd). As a rule, heavy logging may incredibly slow down a logstation without "-" mode. It's too bad for a central logstation.
I'll add sync as soon as I have a little time.
Next. Standard syslogd writes the "host" field correctly, corresponding to the client name, but remote clients' messages in syslog-ng always look like "srcname/syslog-ng_server_name". It's too hard for an admin to separate logfiles visually.
Yes, there's a problem in hostname generation in current versions, it's fixed here in my local copy, but the source is in a bit of flux now, and I didn't want to release it.
Finally :) Can somebody give me a _working_ example of separating logs by remote hostname or IP address? It's not trivial for me :)
There are two ways of doing this. The first is modifying the /etc/services file to make your syslogd log to a different port (instead of 514). Each client host logs to a different port number, then you declare a source for each client:

source c1 { udp 0.0.0.0,514; };
source c2 { udp 0.0.0.0,515; };

etc. Each computer's log comes from a distinct source.

Another solution is to use the new host() filter:

source src { udp 0.0.0.0,514; };  # each computer logs to this source
filter f_c1 { host("hostname1"); };
filter f_c2 { host("hostname2"); };
log { source src; filter f_c1; destination c1; };
...

--
Bazsi
PGP key: http://www.balabit.hu/pgpkey.txt, or finger bazsi@balabit.hu
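
The single-source, per-client-filter layout from the reply above, written out end to end as an added example (not part of the original message and not the syslog-ng project's own configuration). It assumes the configuration syntax of current syslog-ng 3.x releases, which differs from the version discussed in this thread; the addresses, file paths and object names are constructed placeholders.

```conf
# Assumption: set this to the installed 3.x release
@version: 3.38

options {
    # Set HOST from the peer the message arrived from, not from the
    # hostname written inside the message by the sender
    keep-hostname(no);
    # Keep name resolution off the logging path; HOST is then the sender's IP
    use-dns(no);
    create-dirs(yes);
};

# Every client logs to this one source
source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Match on the sender address. With use-dns(yes), a name-based
# host("hostname1") filter as in the reply works the same way.
filter f_c1 { netmask("192.0.2.10/32"); };
filter f_c2 { netmask("192.0.2.11/32"); };

destination d_c1    { file("/var/log/remote/c1.log"); };
destination d_c2    { file("/var/log/remote/c2.log"); };
destination d_other { file("/var/log/remote/unmatched.log"); };

# flags(final) stops processing once a client has matched, so only
# messages from unlisted senders reach the catch-all path
log { source(s_net); filter(f_c1); destination(d_c1); flags(final); };
log { source(s_net); filter(f_c2); destination(d_c2); flags(final); };
log { source(s_net); destination(d_other); };
```

UDP syslog is unauthenticated, so the sender address these filters match on can be forged; where the per-host split matters for integrity, a TLS transport with client certificates is the stronger basis.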