missing IP information in the message part
I have syslog-ng and logzilla 2.9.9g installed on a Debian squeeze machine. I can see the logs at the web interface. I configured syslog-ng to collect apache error and access logs. The problem is that I don't see the IP information in the message part on the web interface. For example, one of the machines that is sending apache logs is the "www" machine. The syslog-ng configuration is as below: # All messages send to a remote site # #log { source(s_src); destination(d_net); }; #manual edit options { log_msg_size(8192); }; ####### # sources # ####### source s_apache_access { # unix-stream("/var/log/httpd/apache_log.socket" # max-connections(512) # keep-alive(yes)); file ("/var/log/apache2/access.log" flags(no-parse)); }; source s_apache_error { # unix-stream("/var/log/httpd/apache_log.socket" # max-connections(512) # keep-alive(yes)); file ("/var/log/apache2/error.log" flags(no-parse)); }; ################ # destinations # ################ destination d_custom_access { file("/var/log/apache2/custom_access.log"); }; destination d_custom_error { file("/var/log/apache2/custom_error.log"); }; destination d_apache_tls { tcp("192.168.1.145" port(6514) tls(ca_dir("/etc/syslog-ng/etc/ca.d") key_file("/etc/syslog-ng/etc/key.d/debian4key.pem") cert_file("/etc/syslog-ng/etc/cert.d/debian4cert.pem"))); }; ########### # filters # ########### filter f_apache_access { message("GET|POST"); }; filter f_apache_error { message("error"); }; log { source(s_apache_access); # filter(f_apache_access); destination(d_apache_tls); }; log { source(s_apache_error); # filter(f_apache_access); destination(d_apache_tls); }; and # tail -n1 /var/log/apache2/access.log 78.185.240.170 - - [01/Jan/2012:13:35:06 +0200] "GET /images/rand/randpic11.jpg HTTP/1.1" 200 45670 "http://www.comu.edu.tr/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7" www:/home/oguz# For the www machine I don't see the 78.185.240.170 information at the web UI, but I do see the rest of the line starting 
with -- Though another machine, "reverse", is sending apache logs with an additional field, and I can see its log at the web UI without any missing information. The reverse machine has the same configuration except for the key information. # tail -n1 /var/log/apache2/other_vhosts_access.log www.beeseurope.eu:80 178.154.160.29 - - [01/Jan/2012:13:36:46 +0200] "GET /mod/forum/discuss.php?d=55&parent=88 HTTP/1.1" 200 34557 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)" At the web interface, I can see the IP information also at the message part. My syslog-ng configuration at the server is as below: options { long_hostnames(off); # doesn't actually help on Solaris, log(3) truncates at 1024 chars log_msg_size(8192); # buffer just a little for performance flush_lines(16384); # memory is cheap, buffer messages unable to write (like to loghost) log_fifo_size(16384); # Hosts we don't want syslog from #bad_hostname("^(ctld.|cmd|tmd|last)$"); # The time to wait before a dead connection is reestablished (seconds) time_reopen(10); #Use DNS so that our good names are used, not hostnames use_dns(yes); dns_cache(yes); #Use the whole DNS name use_fqdn(yes); keep_hostname(yes); chain_hostnames(no); #Read permission for everyone perm(0644); # The default action of syslog-ng 1.6.0 is to log a STATS line # to the file every 10 minutes. That's pretty ugly after a while. # Change it to every 12 hours so you get a nice daily update of # # how many messages syslog-ng missed (0). 
# stats(43200); log_msg_size(8192); }; source s_apache { tcp(ip(0.0.0.0) port(6514) tls( key_file("/etc/syslog-ng/etc/key.d/debian1key.pem") cert_file("/etc/syslog-ng/etc/cert.d/debian1cert.pem") ca_dir("/etc/syslog-ng/etc/ca.d"))); }; filter f_apache_access { message("GET|POST"); }; filter f_apache_error { message("error"); }; # Create destination to LogZilla destination d_logzilla { program("/opt/logzilla-2.9.9g/scripts/db_insert.pl" template("$HOST\t$FACILITY\t$PRIORITY\t$LEVEL\t$TAG\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n") #template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC\t$HOST\t$PRI\t$PROGRAM\t$MSGONLY\n") ); }; # test purposes destination d_apache_test_access { file("/var/log/apache2/hosts/$HOST/$YEAR/$MONTH/$DAY/access.log" create_dirs(yes)); }; destination d_apache_test_error { file("/var/log/apache2/hosts/$HOST/$YEAR/$MONTH/$DAY/error.log" create_dirs(yes)); }; # Tell syslog-ng to log to our new destination log { source(s_apache); destination(d_logzilla); }; log { source(s_apache); filter(f_apache_error); destination(d_apache_test_error); }; log { source(s_apache); filter(f_apache_access); destination(d_apache_test_access); }; Any ideas about how I can fix the missing IP information at the web UI of logzilla?
Oğuz Yarımtepe