I'm having some funky behavior where my central syslog-ng server is marking all forwarded events as facility kern, level emerg.

The remote hosts are CentOS 5 x86_64. They are using the system install syslog. The ones I started with have nginx web server, patched to send its log messages under local5.crit for errors, and local5.notice for access logs. Its syslog.conf looks like so.

Code:

    # cat /etc/syslog.conf
    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*                                         /dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none        /var/log/messages

    # The authpriv file has restricted access.
    authpriv.*                                      /var/log/secure

    # Log all the mail messages in one place.
    mail.*                                          -/var/log/maillog

    # Log cron stuff
    cron.*                                          /var/log/cron

    # Everybody gets emergency messages
    *.emerg                                         *

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit                                  /var/log/spooler

    # Save boot messages also to boot.log
    local7.*                                        /var/log/boot.log

    # nginx local logs
    local5.notice                                   /usr/local/logs/access.log
    local5.crit                                     /usr/local/logs/error.log

    # Syslog-ng
    *.*                                             @remoteIP

They are logging locally as expected, and things are coming into the remote host as expected. (from a strace)

    32443 recvfrom(3, "<173>nginx: ScrubbedIP www.fa"..., 8192, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("ScrubbedIP")}, [16]) = 412

What I can't tell is how they are actually coming in (meaning what level / facility).

My central logging server is running the latest syslog-ng. My configs look like...
Code:

    # cat /etc/syslog-ng/syslog-ng.conf
    # Syslog-ng config
    options {
        use_dns(no);
        keep_hostname(yes);
        long_hostnames(off);
        chain_hostnames(off);
        sync(1);
        log_fifo_size(1024);
        create_dirs(yes);
        perm(0644);
        stats_freq(3600);
        mark_freq(600);
    };

    #
    # Data Sources
    #

    # External Syslog
    source s_external {
    #    udp();
        udp(ip("0.0.0.0") port(514) flags(no_parse));
    };

    #
    # Where to put Data
    #

    # Access Logs
    destination d_access_log { file("/syslog-ng/$HOST/access.log"); };

    # Error Logs
    destination d_error_log { file("/syslog-ng/$HOST/error.log"); };

    # Everything else
    destination d_log { file("/syslog-ng/$HOST/$FACILITY.$LEVEL"); };

    #
    # Data Filters
    #

    # Facility local5
    filter f_local5 { facility(local5); };

    # Level info
    filter f_info { level(info); };

    # Level notice
    filter f_notice { level(notice); };

    # Level warn
    filter f_warn { level(warn); };

    # Level crit
    filter f_crit { level(crit); };

    # Level err
    filter f_err { level(err); };

    #
    # Data Logging Locations
    #

    # Access Log
    log { source(s_external); filter(f_local5); filter(f_notice); destination(d_access_log); };

    # Error Log
    log { source(s_external); filter(f_local5); filter(f_crit); destination(d_error_log); };

    log { source(s_external); destination(d_log); };

The only problem here is that I'm not getting any access.log or error.log. I'm only getting kern.emerg log with EVERYTHING in it (the last log rule).

I have verified that events are coming in correctly as I expect.

Code:

    tcpdump port 514
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    15:47:33.128579 IP scrubbed.syslog > scrubbed.syslog: SYSLOG local5.notice, length: 409
    15:47:33.145029 IP scrubbed.syslog > scrubbed.syslog: SYSLOG local5.notice, length: 233

So I'm not sure what syslog-ng is doing to convert this to kern.emerg instead of leaving it local5.notice. At this point, I'm pretty sure the config is sane, but maybe I'm missing something.
Syslog-NG / central server stats

    # /sbin/syslog-ng -V
    syslog-ng 2.1.4
    # cat /etc/redhat-release
    CentOS release 5.5 (Final)
    Fetched with GIT.

syslog / remote server stats

    # /sbin/syslogd -v
    syslogd 1.4.1
    # cat /etc/redhat-release
    CentOS release 5.5 (Final)

Any help is appreciated.

Charlie
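An added example (not part of the original post, and not syslog-ng's own code): a Python model that decodes the `<PRI>` header seen in the strace (facility * 8 + severity, per RFC 3164) and applies the three `log` statements from the posted syslog-ng.conf, with header parsing on and off. The sample datagrams, the host name `web01`, and the premise that a receiver which skips header parsing leaves the priority at 0 are assumptions made for the example.

```python
import re

# Facility and severity names by numeric code (RFC 3164, section 4.1.1).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3",
    "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Constructed datagrams; the post's strace shows only the "<173>nginx: " prefix.
ACCESS = b"<173>nginx: 192.0.2.10 www.example.com GET / 200"
ERROR = b"<170>nginx: 192.0.2.10 upstream timed out"

def decode_pri(datagram, parse_header=True):
    """Return (pri, facility, level, payload).

    With parse_header=False the header stays in the payload and the
    priority stays 0 (assumed default of a receiver that does not parse).
    """
    m = PRI_RE.match(datagram) if parse_header else None
    if m and int(m.group(1)) <= 191:          # 23 * 8 + 7 is the highest PRI
        pri, payload = int(m.group(1)), datagram[m.end():]
    else:
        pri, payload = 0, datagram
    return pri, FACILITIES[pri >> 3], SEVERITIES[pri & 7], payload

def route(datagram, host, parse_header=True):
    """Model the three log statements from the posted syslog-ng.conf."""
    _, facility, level, _ = decode_pri(datagram, parse_header)
    base = f"/syslog-ng/{host}"
    files = []
    if facility == "local5" and level == "notice":
        files.append(f"{base}/access.log")    # f_local5 + f_notice
    if facility == "local5" and level == "crit":
        files.append(f"{base}/error.log")     # f_local5 + f_crit
    files.append(f"{base}/{facility}.{level}")  # catch-all d_log
    return files

if __name__ == "__main__":
    for pkt in (ACCESS, ERROR):
        for parse in (True, False):
            print(parse, decode_pri(pkt, parse)[:3], route(pkt, "web01", parse))
```

In this model a priority of 0 decodes to kern.emerg, so an unparsed datagram matches neither local5 filter and lands only in the catch-all file.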