Still not working at the most basic level
ok, so can anyone say how to troubleshoot the most basic scenario to start. 1 server, 1 client, have client write logs to server? I will show both config files, please note I have tried both UDP and TCP and neither work. I did notice doing an lsof |grep syslog that the port does change from udp to tcp so I know it's reading the config file, I just don't know how to turn on some debugging or another way to trace the log as it's still being written to the client.

ok, so *server config is;*

#source s_remote { udp(); };
source s_remote { tcp(); };

## This will create separate file for each client on central log server and log http messages
destination d_clients { file("/var/log/web.$HOST.log"); };
log { source(s_remote); destination(d_clients); };

#################################################################
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
    #udp(ip(0.0.0.0) port(514));
};

## This will log local http messages to defined file
destination send_http_logs { file("/var/log/web.log"); };
filter send_http_logs { program("httpd.*"); };
log { source(s_sys); filter(send_http_logs); destination(send_http_logs); };

and the server shows the following running process;

root 30945 0.0 0.0 7240 636 ? Ss 11:24 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid

*Client side:*

options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames(on);
    use_dns(yes);
    dns_cache(yes);
    use_fqdn(no);
    create_dirs (yes);
    keep_hostname (yes);
    perm(0640);
    dir_perm(0750);
};

source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
};

#destination send_http_logs { udp("192.168.2.54" port(514)); };
destination send_http_logs { tcp("192.168.2.54" port(514)); };
filter send_http_logs { program("httpd.*"); };
log { source(s_sys); filter(send_http_logs); destination(send_http_logs); };

and the running process are;

root 1607 0.0 0.0 6216 904 ? Ss 2008 0:48 syslogd -m 0
root 28374 0.0 0.0 7368 564 ? Ss 11:24 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid

Not sure if the client is supposed to have 2 processes or not, but any help is really appreciated.
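To show what the two configs above do end to end, here is an added illustration (not syslog-ng code and not from anyone in the thread): the client side streams BSD-syslog lines over TCP the way the tcp("192.168.2.54" port(514)) destination would, and the server side parses them, applies filter program("httpd.*") and expands file("/var/log/web.$HOST.log") into one path per sending host. The hostnames and messages are constructed, and loopback with an OS-chosen port stands in for 192.168.2.54:514.

```python
import re
import socket
import threading
# Constructed sample: what the client's tcp() destination puts on the wire, one
# BSD-syslog line "<PRI>timestamp host program[pid]: message" per newline.
SAMPLE = [
    "<134>Feb  9 16:34:01 web1 httpd[2231]: GET /index.html 200",
    "<134>Feb  9 16:34:02 web2 httpd[9120]: GET /login 302",
    "<78>Feb  9 16:35:00 web1 crond[411]: (root) CMD (run-parts /etc/cron.hourly)",
]
_BSD = re.compile(r"^<\d{1,3}>\w{3} [ \d]\d \d\d:\d\d:\d\d (\S+) ([^\[:]+)(?:\[\d+\])?: ?(.*)$")

def parse_bsd_syslog(line):
    """Split one line into the fields syslog-ng exposes as $HOST, $PROGRAM and $MSG."""
    m = _BSD.match(line.rstrip("\r\n"))
    return dict(zip(("host", "program", "message"), m.groups())) if m else None

def program_filter(pattern):
    """Like filter f { program("<regex>"); }: the regex is searched in $PROGRAM."""
    rx = re.compile(pattern)
    return lambda msg: rx.search(msg["program"]) is not None

def route(lines, keep, template="/var/log/web.{host}.log"):
    """Emulate log { source; filter; file("/var/log/web.$HOST.log"); }, returning {path: [messages]}."""
    out = {}
    for line in lines:
        msg = parse_bsd_syslog(line)
        if msg is not None and keep(msg):
            out.setdefault(template.format(host=msg["host"]), []).append(msg["message"])
    return out

def exchange(lines):
    """Both ends of the setup on loopback: a tcp() listener (OS-chosen port, not 514)
    and a client that streams newline-terminated lines to it. Returns what arrived."""
    srv = socket.create_server(("127.0.0.1", 0))
    received = []
    def server():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while chunk := conn.recv(4096):  # read until the client closes
                data += chunk
        received.extend(data.decode().splitlines())
    t = threading.Thread(target=server)
    t.start()
    with socket.create_connection(srv.getsockname()) as client:
        client.sendall("".join(l + "\n" for l in lines).encode())
    t.join(); srv.close()
    return received
```

route(exchange(SAMPLE), program_filter("httpd.*")) yields one entry for web1 and one for web2 and drops the crond line; hand exchange() an empty list, which is all a client whose sources deliver nothing can send, and the server writes nothing.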
On the client:

source s_sys { file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };

and the running process are;

root 1607 0.0 0.0 6216 904 ? Ss 2008 0:48 syslogd -m 0
root 28374 0.0 0.0 7368 564 ? Ss 11:24 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid

The standard syslogd daemon is running and almost certainly owns the /dev/log socket and the kernel output pseudo-file /proc/kmsg. This means that syslog-ng (which starts later) will receive nothing from those sources and will forward everything it receives (i.e. nothing) to the server.

You need to chkconfig syslogd off (or the equivalent on your distro) to stop standard syslogd from running.

Joe.

________________________________
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of lance raymond
Sent: 09 February 2009 16:34
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] Still not working at the most basic level
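A stdlib-only check for the diagnosis Joe gives above, added here as an illustration rather than anything from the thread: it reads /proc/net/unix to find the inode bound at /dev/log, then looks for that socket and for /proc/kmsg among every process's open descriptors, so you can see which daemon actually holds the client's two sources. The /proc/net/unix text and fd table at the bottom are a constructed snapshot modelled on the client's ps output (pids 1607 and 28374); live_fd_targets() gathers the real table on a Linux host.

```python
import os
def unix_socket_inode(proc_net_unix, path):
    """Inode of the unix socket bound at `path`, from /proc/net/unix text
    (columns: Num RefCount Protocol Flags Type St Inode Path); None if nothing is bound there."""
    for line in proc_net_unix.splitlines()[1:]:  # first row is the header
        cols = line.split()
        if len(cols) >= 8 and cols[7] == path:
            return int(cols[6])
    return None

def fd_owners(fd_targets, wanted):
    """(pid, comm) pairs holding each wanted fd link target; fd_targets is {pid: (comm, [readlink results])}."""
    owners = {w: [] for w in wanted}
    for pid, (comm, targets) in fd_targets.items():
        for target in targets:
            if target in owners:
                owners[target].append((pid, comm))
    return owners

def source_owners(proc_net_unix, fd_targets):
    """Who holds the client's two sources: unix-stream("/dev/log") and file("/proc/kmsg")."""
    inode = unix_socket_inode(proc_net_unix, "/dev/log")
    sock = f"socket:[{inode}]"  # how /proc/<pid>/fd links name an open socket
    found = fd_owners(fd_targets, ["/proc/kmsg", sock])
    return {"/dev/log": found[sock] if inode is not None else [], "/proc/kmsg": found["/proc/kmsg"]}

def live_fd_targets():
    """Real table from /proc/<pid>/fd on a Linux host (run as root to see every process)."""
    result = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            links = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:  # process exited, or its fd table is not readable by us
            continue
        result[int(pid)] = (comm, links)
    return result

# Constructed snapshot modelled on the client ps output: syslogd (1607) came up
# first and holds both sources; syslog-ng (28374) only has its own unbound socket.
PROC_NET_UNIX = """Num       RefCount Protocol Flags    Type St Inode Path
00000000: 00000002 00000000 00010000 0002 01  8210 /dev/log
00000000: 00000002 00000000 00010000 0001 01  8300 /var/run/acpid.socket
"""
FD_TARGETS = {
    1607: ("syslogd", ["/dev/null", "socket:[8210]", "/proc/kmsg", "/var/log/messages"]),
    28374: ("syslog-ng", ["/dev/null", "/var/run/syslogd.pid", "socket:[8410]"]),
}
```

On a real client, source_owners(open("/proc/net/unix").read(), live_fd_targets()) runs the same check against the live process table.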
Thanks for the update. I did try that and still not getting anything. I did try both tcp and udp and just wondering one other thing (not sure if it works.)

*1.* up top it shows the following on the server conf file;

## This will create separate file for each client on central log server and log http messages
destination d_clients { file("/var/log/web.$HOST.log"); };
log { source(s_remote); destination(d_clients); };

then below in the same file shows;

destination send_http_logs { file("/var/log/web.log"); };

So, first I am not sure what exactly this is or should be doing. If there are 5 vhosts, according to the top it will have 5 diff log files 1 for each vhost, yet the lower section shows only one file name. ps on the server now only shows;

root 32758 0.0 0.0 7368 568 ? Ss 13:17 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid

*2.* Client side I have;

unix-stream ("/dev/log");

but (again not sure if this matters), but ALL apache logs go to the following folder; /home/mcp/local/apache2/logs nothing gets written to /dev/logs. ps on the client only shows;

root 5612 0.0 0.0 7236 424 ? Ss 13:31 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid

I have changed both not to run at startup (via chkconfig) but haven't restarted the boxes as they are in use. The other odd thing, I stopped syslog-ng, there was nothing running yet the local logs kept writing to the local files (didn't think they would if syslog and syslog-ng were stopped).

Thanks again, I will keep trying anything suggested till this thing works!

On Mon, Feb 9, 2009 at 11:44 AM, Fegan, Joe <Joe.Fegan@hp.com> wrote:
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
I would focus on the client first. Try to get it logging the messages you want to local file destinations. Once you have it writing to local files you know you are receiving the messages and then can try forwarding them to the server.

________________________________
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of lance raymond
Sent: 09 February 2009 18:33
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Still not working at the most basic level
participants (2)
- Fegan, Joe
- lance raymond