Hi,
> 32443 recvfrom(3, "<173>nginx: ScrubbedIP www.fa"..., 8192, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("ScrubbedIP")}, [16]) = 412
>
> What I can't tell is how they are actually coming in (meaning what level / facility).

<173> = 21 * 8 + 5, so this message is facility 21 (local5), severity 5 (notice). /usr/include/sys/syslog.h contains the definitions.

> # External Syslog
> source s_external {
>     # udp();
>     udp(ip("0.0.0.0") port(514) flags(no_parse));
> };

Why is the no_parse flag used here???

> log { source(s_external); destination(d_log); };
>
> The only problem here is that I'm not getting any access.log or error.log. I'm only getting kern.emerg log with EVERYTHING in it (the last log rule).

This happens because you set it up exactly this way, by disabling parsing of the incoming remote logs. The last log section doesn't have any filters, therefore it gets the unclassified logs.

Regards,
Sandor
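Sandor's arithmetic on the <173> header, carried through as an added Python example (not code from the thread or from syslog-ng): it decodes the PRI field into facility/severity names and emulates the facility()/level() filters the poster's log statement is missing. The sample datagram, IP and host are constructed placeholders.

```python
import re

# Facility names in PRI order (codes 0-23) as defined in /usr/include/sys/syslog.h;
# codes 12-15 carry the RFC 3164 names because glibc only reserves them.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity names in PRI order; 0 (emerg) is the most severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(pri):
    """Split a PRI value into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7

def parse_syslog_line(line):
    """Parse the <PRI> header of a BSD-style syslog datagram into names + message text.
    Returns None when no PRI header is present, i.e. the 'unclassified' case."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": FACILITIES[facility],
            "severity": SEVERITIES[severity], "message": line[m.end():]}

def matches(parsed, facility=None, level_range=None):
    """Emulate syslog-ng's facility(X) and level(LOW..HIGH) filters on a parsed line;
    level_range is a pair of severity names such as ("notice", "emerg")."""
    if facility is not None and parsed["facility"] != facility:
        return False
    if level_range is not None:
        lo, hi = sorted(SEVERITIES.index(n) for n in level_range)
        if not lo <= SEVERITIES.index(parsed["severity"]) <= hi:
            return False
    return True

# Constructed sample modelled on the strace line in the thread; IP and host are placeholders.
SAMPLE = '<173>nginx: 192.0.2.10 www.example.test "GET / HTTP/1.1" 200'

if __name__ == "__main__":
    p = parse_syslog_line(SAMPLE)
    print(p)  # facility local5, severity notice
    print(matches(p, facility="local5", level_range=("notice", "emerg")))  # True
```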