I would focus on the client first. Try to get it logging the messages you want to local file destinations. Once you have it writing to local files you know you are receiving the messages and then can try forwarding them to the server.

From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of lance raymond
Sent: 09 February 2009 18:33
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Still not working at the most basic level

Thanks for the update.  I did try that and still not getting anything.  I did try both tcp and udp and just wondering one other thing (not sure if it works.)

1.
up top it shows the following on the server conf file;
## This will create seprate file for each client on central log server and log http messages
destination d_clients { file("/var/log/web.$HOST.log"); };
log { source(s_remote); destination(d_clients); };

then below in the same file shows;
destination send_http_logs { file("/var/log/web.log"); };

So, first I am not sure what exactly this is or should be doing.  If there are 5 vhosts, according to the top it will have 5 diff log files 1 for each vhost, yet the lower section shows only one file name.

ps on the server now only shows;
root     32758  0.0  0.0   7368   568 ?        Ss   13:17   0:00 /sbin/syslog-ng -p /var/run/syslogd.pid

2.
Client side I have;
   unix-stream ("/dev/log");
but (again not sure if this matters), but ALL apache logs goto the following folder;
 /home/mcp/local/apache2/logs nothing get's written to /dev/logs

ps on the client only shows;
root      5612  0.0  0.0   7236   424 ?        Ss   13:31   0:00 /sbin/syslog-ng -p /var/run/syslogd.pid

I have changed both not to run at startup (via chkconfig) but haven't restarted the box's as they are in use.  The other odd thing, I stopped syslog-ng, there was nothing running yet the local logs kept writing to the local files (didn't think they would if syslog and syslog-ng were stopped).

Thanks again, I will keep trying anything suggested till this thing works!

On Mon, Feb 9, 2009 at 11:44 AM, Fegan, Joe <Joe.Fegan@hp.com> wrote:
On the client:
 
source s_sys {
   file ("/proc/kmsg" log_prefix("kernel: "));
   unix-stream ("/dev/log");
   internal();
};

and the running process are;
root      1607  0.0  0.0   6216   904 ?        Ss    2008   0:48 syslogd -m 0
root     28374  0.0  0.0   7368   564 ?        Ss   11:24   0:00 /sbin/syslog-ng -p /var/run/syslogd.pid

The standard syslogd daemon is running and almost certainly owns the /dev/log socket and the kernel output pseudo-file /proc/kmsg. This means that syslog-ng (which starts later) will receive nothing from those sources and will forward everything it receives (i.e. nothing) to the server.
 
You need to chkconfig syslogd off (or the equivalent on your distro) to stop standard syslogd from running.
 
Joe.
 
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of lance raymond
Sent: 09 February 2009 16:34
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] Still not working at the most basic level

ok, so can anyone say how to troubleshoot the most basic scenario to start.  1 server, 1 client, have client write logs to server?  I will show both config files, please note tI have tried both UDP and TCP and neither work.  I did notice doing an lsof |grep syslog that the port does change from udp to tcp so I know it's reading the config file, I just don't know how to turn on some debugging or another way to trace the log as it's still being written to the client.

ok, so server config is;
#source s_remote  { udp(); };
source s_remote  { tcp(); };
## This will create seprate file for each client on central log server and log http messages
destination d_clients { file("/var/log/web.$HOST.log"); };
log { source(s_remote); destination(d_clients); };
#################################################################

options {
sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};

source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
#udp(ip(0.0.0.0) port(514));
};

## This will log local http messages to defined file

destination send_http_logs { file("/var/log/web.log"); };

filter send_http_logs {
program("httpd.*");
};

log {
source(s_sys);
filter(send_http_logs);
destination(send_http_logs);
};

and the server shows the following running process;
root     30945  0.0  0.0   7240   636 ?        Ss   11:24   0:00 /sbin/syslog-ng -p /var/run/syslogd.pid

Client side:

options {
           sync (0);
         time_reopen (10);

          log_fifo_size (1000);
          long_hostnames(on);
          use_dns(yes);
          dns_cache(yes);
          use_fqdn(no);
          create_dirs (yes);
          keep_hostname (yes);
          perm(0640);
          dir_perm(0750);

};

source s_sys {
   file ("/proc/kmsg" log_prefix("kernel: "));
   unix-stream ("/dev/log");
   internal();
};
#destination send_http_logs { udp("192.168.2.54" port(514)); };
destination send_http_logs { tcp("192.168.2.54" port(514)); };


filter send_http_logs {
program("httpd.*");
};

log {
source(s_sys);
filter(send_http_logs);
destination(send_http_logs);
};

and the running process are;
root      1607  0.0  0.0   6216   904 ?        Ss    2008   0:48 syslogd -m 0
root     28374  0.0  0.0   7368   564 ?        Ss   11:24   0:00 /sbin/syslog-ng -p /var/run/syslogd.pid

Not sure if the client is supposed to have 2 processes or not, but any help is really appreciated.


______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html