missing logs when forwarded from one syslog-ng to another syslog-ng
I have two syslog-ng servers configured, one in the DMZ for devices outside the firewall to send logs to and another one in the LAN. The logs sent to the DMZ one will be forwarded to the LAN one, at least that's my original idea. However, the forwarding seems very unstable. Some of the logs that appeared in the DMZ one did not show up in the LAN one.

For example, I just did a test from two routers outside the firewall and there were two logs generated in the DMZ log server:

[root@rcarhlp01 qwestdia1]# tail -1 qwestdia1.log
Aug 9 13:30:25 qwestdia1 128: *Apr 28 06:56:48: %SYS-5-CONFIG_I: Configured from console by vty0 (204.146.209.151)
[root@rcarhlp01 qwestdia1]# tail -1 ../qwestdia2/qwestdia2.log
Aug 9 13:30:59 qwestdia2 46: *Apr 28 06:57:24: %SYS-5-CONFIG_I: Configured from console by vty0 (204.146.209.151)

However, I only saw one in the LAN log server:

[root@rcarhlp02 qwestdia1]# tail -1 qwestdia1.log
Aug 8 16:18:39 qwestdia1 127: *Apr 27 09:35:42: %SYS-5-CONFIG_I: Configured from console by vty0 (204.146.209.248)
** This is still the one from last night **
[root@rcarhlp02 qwestdia1]# tail -1 ../qwestdia2/qwestdia2.log
Aug 9 13:30:59 qwestdia2 46: *Apr 28 06:57:24: %SYS-5-CONFIG_I: Configured from console by vty0 (204.146.209.151)

My configurations on both machines are like the following:

---- Configuration for LAN server --------

[root@rcarhlp02 syslog-ng]# more syslog-ng.conf
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (yes);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_slng { internal(); };
source s_tcp { tcp(port (5140) tcp-keep-alive(yes)); };
source s_udp { udp(port (514)); };

destination d_slng { file("/var/syslog-ng/syslog-ng.log"); };
destination d_file {
    file("/var/syslog-ng/HOSTS/$HOST/$HOST.log"
         owner (root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};
destination d_mysql {
    pipe("/var/syslog-ng/mysql.pipe"
         template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
         template-escape(yes));
};

log { source(s_slng); destination(d_slng); };
log { source(s_tcp); source(s_udp); destination(d_file); destination (d_mysql); };
#log { source(s_tcp); destination(d_mysql); };
#log { source(s_udp); destination(d_file); };
#log { source(s_udp); destination(d_mysql); };
# vim: syntax=syslog-ng
[root@rcarhlp02 syslog-ng]#

----- Configuration for DMZ server ---------

[root@rcarhlp01 syslog-ng]# more syslog-ng.conf
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (yes);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_udp { udp(port(514)); };
source s_slng { internal(); };

destination d_slng { file("/var/syslog-ng/syslog-ng.log"); };
destination d_local {
    file("/var/syslog-ng/HOSTS/$HOST/$HOST.log"
         owner (root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};
destination d_remote { tcp("10.17.2.146" port(5140) tcp-keep-alive (yes)); };

log { source(s_udp); destination(d_local); destination(d_remote); };
#log { source(s_udp); destination(d_remote); };
log { source(s_slng); destination(d_slng); };
# vim: syntax=syslog-ng
[root@rcarhlp01 syslog-ng]#
participants (1)
-
Arnold Wang
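
One way to measure the loss described in the post instead of comparing `tail -1` output by hand, as an added example that is not part of the original message: compare the per-host files on the relay and on the receiver, keyed on the number that precedes the router's own timestamp (`128:`, `46:`). It assumes that number increases by one per message on each router; the function names are hypothetical, and the sample lines are the ones quoted in the post.

```python
import re
from collections import defaultdict

# "<relay timestamp> <host> <counter>: <router message>"
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?P<host>\S+)\s+(?P<seq>\d+):\s"
)

def index_by_seq(lines):
    """Map host -> {counter: line} for every line that has a counter."""
    seen = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            seen[m["host"]][int(m["seq"])] = line.rstrip("\n")
    return seen

def missing_on_receiver(relay_lines, receiver_lines):
    """Return {host: [lines stored on the relay but absent on the receiver]}."""
    relay, receiver = index_by_seq(relay_lines), index_by_seq(receiver_lines)
    report = {}
    for host, by_seq in relay.items():
        lost = sorted(set(by_seq) - set(receiver.get(host, {})))
        if lost:
            report[host] = [by_seq[s] for s in lost]
    return report

def sequence_gaps(lines):
    """Return {host: [counters skipped between the lowest and highest seen]}.
    A router reload resets the counter, so run this per uptime window."""
    gaps = {}
    for host, by_seq in index_by_seq(lines).items():
        absent = sorted(set(range(min(by_seq), max(by_seq) + 1)) - set(by_seq))
        if absent:
            gaps[host] = absent
    return gaps

# Sample input: the four lines quoted in the post (DMZ relay, then LAN receiver).
MSG = ": %SYS-5-CONFIG_I: Configured from console by vty0 "
DMZ = ["Aug 9 13:30:25 qwestdia1 128: *Apr 28 06:56:48" + MSG + "(204.146.209.151)",
       "Aug 9 13:30:59 qwestdia2 46: *Apr 28 06:57:24" + MSG + "(204.146.209.151)"]
LAN = ["Aug 8 16:18:39 qwestdia1 127: *Apr 27 09:35:42" + MSG + "(204.146.209.248)",
       "Aug 9 13:30:59 qwestdia2 46: *Apr 28 06:57:24" + MSG + "(204.146.209.151)"]

if __name__ == "__main__":
    for host, lines in missing_on_receiver(DMZ, LAN).items():
        print(host, "missing on LAN:", *lines, sep="\n  ")
```

Running `sequence_gaps` on the DMZ files as well separates messages that never reached the relay over UDP from messages lost on the TCP hop to the LAN server.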