Attached are parts of my syslog-ng.confs (hopefully the most relevant info).
I would like to be able to use a remote logging host across the internet (I recognize the security concerns of not using a VPN). I *am* able to do syslog-ng to syslog-ng remote logging on the same network segment. There is no issue here. I cannot log across a LAN extension or across the internet at large. I've tried UDP and TCP. I've even successfully sniffed packets on the remote log server that were sent across the internet. Is there an issue with bridges, routers or ARP and syslog-ng? As far as I can tell, the only difference between the various hosts I am trying to log from is geographic location and network location. Same OS. Same versions, same syslog-ng.conf.
There should be no packet filtering between these hosts. All IPTABLES policies are set to accept. tcpwrappers is in use but I haven't expressly permitted logging only from the local segment so I don't think this should be an issue. Again, I am doing remote logging on the same subnet and can also see packets arriving at the front door of the remote logging server. Am I missing something?
Your issues likely have to do with packet filtering between the two hosts. You may have errors in your configuration, though there's no way for us to tell without more information.
I plan to.
Once you work out the connection issues, use stunnel to protect your logging stream.
Thanks.

#########################
# syslog-ng.conf (logging host)
options {
    use_fqdn(yes);
    keep_hostname(yes);
    use_dns(yes);
    long_hostnames(off);
    sync(3);
    log_fifo_size(300);
};
source src { unix-dgram("/dev/log"); internal(); udp(); tcp(); };
destination authlog { file("/var/log/auth.log" owner("root") group("adm") perm(0640)); };
# [etc]

###################
# syslog-ng.conf (host)
options {
    long_hostnames(on);
    sync(0);
};
source src { unix-dgram("/dev/log"); internal(); };
destination loghost { tcp("w.x.y.z" port(514)); };  # wxyz=routable IP
destination authlog { file("/var/log/auth.log" owner("root") group("adm") perm(0640)); };
# [etc]
log { source(src); filter(f_authpriv); destination(loghost); };
# [etc]
log { source(src); filter(f_authpriv); destination(authlog); };

--
Regards,
Adam Tworkowski
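
The stunnel suggestion in this thread, sketched as an added example that is not part of the original messages: stunnel on each end wraps the TCP stream from the posted syslog-ng.conf in TLS. Port 5140, the [syslog-tls] service name and all file paths are assumptions; w.x.y.z is the poster's own placeholder.

```ini
; ---- stunnel.conf on the sending host ----
client = yes
; CA that signed the log server's certificate (placeholder path)
CAfile = /etc/stunnel/ca.pem
; refuse the connection unless the server certificate chains to CAfile
verify = 2

[syslog-tls]
; local syslog-ng connects here instead of to the remote address
accept = 127.0.0.1:514
; TLS-wrapped stream to the log server (5140 is an assumed port)
connect = w.x.y.z:5140

; matching syslog-ng.conf change on the sending host:
;   destination loghost { tcp("127.0.0.1" port(514)); };

; ---- stunnel.conf on the logging host (separate file) ----
; server certificate and key (placeholder paths)
cert = /etc/stunnel/loghost.pem
key = /etc/stunnel/loghost.key

[syslog-tls]
; TLS listener reachable from the internet
accept = 5140
; decrypted stream handed to the local syslog-ng
connect = 127.0.0.1:514

; matching syslog-ng.conf change on the logging host, replacing tcp();
; so the plaintext listener is bound to loopback only:
;   tcp(ip("127.0.0.1") port(514));
; keep_hostname(yes), already set there, preserves the sender's hostname
; even though every connection now arrives from 127.0.0.1.
```

Only the TLS port needs to be opened between the two sites; the plaintext port 514 stays bound to loopback on both hosts.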