Here is my config:
@version:3.18
@include "scl.conf"

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/

options {
    flush_lines (10);
    time_reopen (10);
#    chain_hostnames (off);
    use_dns (yes);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    system();
    internal();
#     udp(ip(0.0.0.0) port(514));
};

source s_net {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514) max-connections(256));
#    log_iw_size(25000) so_keepalive(yes) log_fetch_limit(100));
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };


destination d_graylog {
    tcp("hostname of Graylog server"
        port (12201)
    );
};


filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
                        not (facility(mail)
                        or facility(authpriv) 
                        or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
                        (facility(news) 
                        and level(crit..emerg)); };
filter f_boot   { facility(local7); };
filter f_cron   { facility(cron); };

log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };



log { source(s_net); destination(d_graylog); };
log { source(s_sys); destination(d_graylog); };


# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"


# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:


On Mon, Nov 12, 2018 at 2:02 PM PÁSZTOR György <pasztor@linux.gyakg.u-szeged.hu> wrote:
Hi Rodney,

"Rodney Bizzell" <hardworker30@gmail.com> wrote on 2018-11-12 at 13:28:
> So I upgraded to syslog-ng 3.18 and it has syslog-ng-debun options. I was

Just to run syslog-ng-debun, you should not have had to upgrade your syslog-ng.
syslog-ng-debun is a simple all-in-one portable shell script whose
purpose is to gather information about any kind of syslog-ng installation.
It is always safe to use the latest one of this from the master branch, as I
suggested to download via wget.

> reading through the documentation and when I issue syslog-ng-debun -d -P
> 'port 12201' should I see anything on standard out because all that happened
> was it displayed the options for the command.  That is all that happened

Yepp. In the meantime János Szigetvári added an extra -r option to the
script and that changed the default behaviour. Without the -r option it's
just a "--dry-run"-ish parametering. It does nothing, except test the
parameters.
You can see that changeset following this link:
https://github.com/balabit/syslog-ng/commit/f9312f87b758c450c6108abe8da9cf0b4d16ced4

So, from that point on, every syslog-ng-debun command should be replaced
with the same, just adding an extra -r option.

Which in your case, means: you should've run:
syslog-ng-debun -r -d -P 'port 12201'

> when I issued the command below in this email. I tried to run
> syslog-ng-debun -r and that executed and created a tarball.

Yep. This -r -d -P 'port 12201' will also create a tarball. Just a more
useful one: It will run tcpdump in the background, to collect network
traffic at the same time, matching the "port 12201" filtering expression.

Btw.: Make sure you have tcpdump installed on the system. Otherwise the
script won't be able to run tcpdump.

When you have finished, we need the tarball that the script created.

Regards,
Gyu
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq