On Fri, Jan 23, 2004 at 11:00:32AM -0500, Wang, Philip R. wrote:
I am new to syslog-ng. I used the following config file to test it out under Solaris. Then I used a PC application to generate UDP messages to port 514.
I started the process using "syslog-ng -f filename".
I can see a log message in "messages" indicating the process started.
However, when I send the simulated message from my PC app, it does not show up in the log file.
I was reading a Linux syslog-ng document: a chapter from a book. It mentioned using the '-r' option to allow accepting remote messages. I have syslog 1.6.1 and it does not have this option. Not sure if I missed anything?
Philip
---------------------------------------------------------------------
source local { internal(); udp();};
destination all { file("/opt/syslog-ng/messages"); };
log { source(local); destination(all); };
-----------------------------------------------------------------------

You don't need the -r option with syslog-ng, your udp() source is what you do for accepting remote messages. Now you need to do some basic troubleshooting:

1) Is syslog-ng still running?

    # ps -ef|grep syslog

This ps will show if you shut down the stock syslogd. If it's running, it isn't bad *for now with the config you posted above*, as long as it's not listening on the same UDP socket as syslog-ng. Solaris syslogd has the -t flag to turn off listening on the UDP port; not sure what version introduced this, but it's certainly there in 8 and up. Your two syslog processes can coexist as long as they're not contending for the system messages (the syslog door) and for any TCP/IP ports. As soon as you're done testing, though, shut down one or the other permanently to avoid issues later.

2) If syslog-ng is running, is it listening on the UDP socket? Install lsof (www.sunfreeware.com); I know of no way to force Solaris netstat to give you the process name of listening sockets.

    # lsof -i UDP:514

The first column is the process listening on that socket, if any.

3) Did your message even make it to your syslog server? Send it again, and watch the network:

    # snoop port 514

4) If you don't see it, there's a number of reasons why, too many in fact for me to be much help (could be packet filtering on the Solaris box, on the network between the two hosts, asynchronous routing, errors sending on the PC side, etc, etc).

Good luck.

--
Nate

"If you give someone a program, you will frustrate them for a day; if you teach them how to program, you will frustrate them for a lifetime."
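
For steps 3 and 4 above, a known-good test sender helps rule out errors on the sending side. The following is an added example, not part of the original thread: it builds a BSD-syslog (RFC 3164 style) datagram with an explicit priority header and first proves over loopback that the payload leaves the sender intact. The function names, the timestamp, the host name `pc1` and the tag `udptest` are constructed for illustration.

```python
import socket

# Subset of the standard syslog facility and severity codes.
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

def build_datagram(facility, severity, tag, text, timestamp, host):
    """Return b'<PRI>TIMESTAMP HOST TAG: TEXT' with PRI = facility * 8 + severity."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    return f"<{pri}>{timestamp} {host} {tag}: {text}".encode("ascii")

def parse_pri(datagram):
    """Return (facility, severity) numbers, or None if the <PRI> header is malformed."""
    if not datagram.startswith(b"<"):
        return None
    end = datagram.find(b">", 1, 5)          # PRI is at most three digits
    if end == -1 or not datagram[1:end].isdigit():
        return None
    pri = int(datagram[1:end])
    return divmod(pri, 8) if pri <= 191 else None

def send_udp(datagram, host, port=514):
    """Send one datagram; returns the number of bytes handed to the network stack."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        return tx.sendto(datagram, (host, port))

def loopback_check(datagram, timeout=2.0):
    """Send to a temporary local UDP socket and return what arrived (None on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))            # ephemeral port, no privileges needed
        rx.settimeout(timeout)
        send_udp(datagram, "127.0.0.1", rx.getsockname()[1])
        try:
            data, _addr = rx.recvfrom(2048)
        except socket.timeout:
            return None
        return data

if __name__ == "__main__":
    # Constructed sample message; replace the values with your own.
    msg = build_datagram("local0", "info", "udptest", "hello from the PC",
                         "Jan 23 11:00:32", "pc1")
    print("loopback ok:", loopback_check(msg) == msg, "pri:", parse_pri(msg))
    # Then call send_udp(msg, "<your syslog-ng host>") while snoop runs on the server.
```

If the loopback check passes but snoop on the server shows nothing, the problem is between the hosts rather than in the sender or in syslog-ng.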