Lines sorted into the wrong log files
I upgraded a pair of Debian (sarge) boxen to syslog-ng 1.6.5. One is to be the central logging server, the other is a sample client. I changed the destinations of all the logs to just include tcp("ip_address"); On the server side I added tcp() to the source s_all {} statement.

My problem is that I'm getting more logging done on the remote side than on the client side. For example, the client has:

    wiabweb2:/etc/syslog-ng# tail /var/log/cron.log
    13 Jun 05:45:01 ntpdate[22494]: ntpdate 4.2.0a@1:4.2.0a+stable-2-r Sun Jan 9 16:13:28 CET 2005 (1)
    13 Jun 05:45:03 ntpdate[22494]: step time server 192.168.120.13 offset 1.988834 sec

but the remote server has:

    Jun 13 16:51:01 192.168.120.27 CRON[1779]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
    Jun 13 16:51:01 192.168.120.27 /USR/SBIN/CRON[12192]: (root) CMD (/bin/date >> /tmp/date)
    Jun 13 16:52:01 192.168.120.27 CRON[18762]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
    Jun 13 16:52:01 192.168.120.27 /USR/SBIN/CRON[172]: (root) CMD (/bin/date >> /tmp/date)

These "extra" entries show up in syslog on both systems. Why would the remote system have the entries logged to more files than the client?

***************** Long set of config files follows *********************

Rather than add a thousand lines of almost all config, I'll just add what I think is relevant.

On the server side,

    # sources

    # all known message sources
    source s_all {
            # message generated by Syslog-NG
            internal();
            # standard Linux log source (this is the default place for the syslog()
            # function to send logs to)
            unix-stream("/dev/log");
            # messages from the kernel
            file("/proc/kmsg" log_prefix("kernel: "));
            # use the above line if you want to receive remote UDP logging messages
            # (this is equivalent to the "-r" syslogd flag)
            # udp();
            tcp();
    };

    [snip]

    ######
    # destinations

    # some standard log files
    destination df_auth { file("/var/log/$HOST/auth.log"); };
    destination df_syslog { file("/var/log/$HOST/syslog"); };
    destination df_cron { file("/var/log/$HOST/cron.log"); };

    [snip]

    ######
    # filters

    # all messages from the auth and authpriv facilities
    filter f_auth { facility(auth, authpriv); };

    # all messages except from the auth and authpriv facilities
    filter f_syslog { not facility(auth, authpriv); };

    # respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
    # and uucp facilities
    filter f_cron { facility(cron); };
    filter f_daemon { facility(daemon); };
    filter f_kern { facility(kern); };
    filter f_lpr { facility(lpr); };
    filter f_mail { facility(mail); };
    filter f_news { facility(news); };
    filter f_user { facility(user); };
    filter f_uucp { facility(uucp); };

    [snip]

    # *.*;auth,authpriv.none -/var/log/syslog
    log {
            source(s_all);
            filter(f_syslog);
            destination(df_syslog);
    };

    # this is commented out in the default syslog.conf
    # cron.* /var/log/cron.log
    log {
            source(s_all);
            filter(f_cron);
            destination(df_cron);
    };

========= On the client side =============

    ######
    # sources

    # all known message sources
    source s_all {
            # message generated by Syslog-NG
            internal();
            # standard Linux log source (this is the default place for the syslog()
            # function to send logs to)
            unix-stream("/dev/log");
            # messages from the kernel
            file("/proc/kmsg" log_prefix("kernel: "));
            # use the above line if you want to receive remote UDP logging messages
            # (this is equivalent to the "-r" syslogd flag)
            # udp();
    };

    [snip]

    ######
    # destinations

    # some standard log files
    destination df_auth { file("/var/log/auth.log"); tcp("192.168.120.49"); };
    destination df_syslog { file("/var/log/syslog"); tcp("192.168.120.49"); };
    destination df_cron { file("/var/log/cron.log"); tcp("192.168.120.49"); };
    destination df_daemon { file("/var/log/daemon.log"); tcp("192.168.120.49"); };
    destination df_kern { file("/var/log/kern.log"); tcp("192.168.120.49"); };
    # destination df_lpr { file("/var/log/lpr.log"); tcp("192.168.120.49"); };
    destination df_mail { file("/var/log/mail.log"); tcp("192.168.120.49"); };

    ######
    # filters

    # all messages from the auth and authpriv facilities
    filter f_auth { facility(auth, authpriv); };

    # all messages except from the auth and authpriv facilities
    filter f_syslog { not facility(auth, authpriv); };

    # respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
    # and uucp facilities
    filter f_cron { facility(cron); };
    filter f_daemon { facility(daemon); };
    filter f_kern { facility(kern); };
    filter f_lpr { facility(lpr); };
    filter f_mail { facility(mail); };
    filter f_news { facility(news); };
    filter f_user { facility(user); };
    filter f_uucp { facility(uucp); };

    # some filters to select messages of priority greater or equal to info, warn,
    # and err
    # (equivalents of syslogd's *.info, *.warn, and *.err)
    filter f_at_least_info { level(info..emerg); };
    filter f_at_least_notice { level(notice..emerg); };
    filter f_at_least_warn { level(warn..emerg); };
    filter f_at_least_err { level(err..emerg); };
    filter f_at_least_crit { level(crit..emerg); };

    # all messages of priority debug not coming from the auth, authpriv, news, and
    # mail facilities
    filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };

    # all messages of info, notice, or warn priority not coming from the auth,
    # authpriv, cron, daemon, mail, and news facilities
    filter f_messages {
            level(info,notice,warn)
                and not facility(auth,authpriv,cron,daemon,mail,news);
    };

    # messages with priority emerg
    filter f_emerg { level(emerg); };

    # complex filter for messages usually sent to the xconsole
    filter f_xconsole {
            facility(daemon,mail)
                or level(debug,info,notice,warn)
                or (facility(news) and level(crit,err,notice));
    };

    # *.*;auth,authpriv.none -/var/log/syslog
    log {
            source(s_all);
            filter(f_syslog);
            destination(df_syslog);
    };

    # this is commented out in the default syslog.conf

***** Why is ntpdate still logging into /var/log/cron?

    # cron.* /var/log/cron.log
    # log {
    #         source(s_all);
    #         filter(f_cron);
    #         destination(df_cron);
    #};

    [snip]
participants (1)
-
David Miller
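
An added illustration, not part of the original post: a small Python model that traces one message through the log statements visible in the two configs above. It assumes the [snip] sections add no further paths, and uses constructed sample facilities with the client address 192.168.120.27 taken from the server-side log lines.

```python
# Added illustration: models only the log statements visible in the post
# (the [snip] parts of both configs are not modelled).
AUTH = {"auth", "authpriv"}

FILTERS = {
    "f_syslog": lambda fac: fac not in AUTH,   # not facility(auth, authpriv)
    "f_cron": lambda fac: fac == "cron",       # facility(cron)
}

# destination name -> (local file template, also forwards over tcp?)
CLIENT_DESTS = {
    "df_syslog": ("/var/log/syslog", True),
    "df_cron": ("/var/log/cron.log", True),
}
SERVER_DESTS = {
    "df_syslog": ("/var/log/$HOST/syslog", False),
    "df_cron": ("/var/log/$HOST/cron.log", False),
}

# Active log paths as (filter, destination). The client's f_cron path is
# commented out in the posted config; the server's is enabled.
CLIENT_PATHS = [("f_syslog", "df_syslog")]
SERVER_PATHS = [("f_syslog", "df_syslog"), ("f_cron", "df_cron")]


def route(facility, host, paths, dests):
    """Return (files written, forwarded?) for one message on one host."""
    files, forwarded = [], False
    for flt, dst in paths:
        if FILTERS[flt](facility):
            template, tcp = dests[dst]
            files.append(template.replace("$HOST", host))
            forwarded = forwarded or tcp
    return files, forwarded


def trace(facility, client_host):
    """Follow one client message through the client and then the server."""
    client_files, sent = route(facility, client_host, CLIENT_PATHS, CLIENT_DESTS)
    server_files = []
    if sent:  # a forwarded message keeps its facility in the <PRI> field
        server_files, _ = route(facility, client_host, SERVER_PATHS, SERVER_DESTS)
    return client_files, server_files


if __name__ == "__main__":
    for fac in ("cron", "daemon", "auth"):  # constructed sample facilities
        print(fac, trace(fac, "192.168.120.27"))
```

In this model a cron-facility message is written once on the client but twice on the server, because each host applies its own filters to the same forwarded message.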