Syslog-ng doesn't parse certain log messages
Hi!

It seems that our syslog-ng (1.5.18, upgraded from 1.5.14 today) stopped logging messages from some routers. It seems to be a syslog-ng problem because the routers don't have anything in common (except that all of them are Ciscos, but completely different hardware/IOS versions).

My configuration (only the relevant parts of the configfile are shown):

---
options {
    sync (0);
    log_fifo_size (1000);
    use_fqdn (yes);
    chain_hostnames(no);
    stats (3600);
    use_time_recvd(no);
    use_dns(no);
};

source netrout { udp(ip(213.229.60.108) port(514)); };

destination router {
    file("/var/log/router/$HOST/$YEAR-$MONTH-$DAY"
         create_dirs(yes)
         template("$DATE $HOST $MSG\n"));
};

destination unknown {
    file("/var/log/unknown/$HOST/$YEAR-$MONTH-$DAY"
         create_dirs(yes)
         template("$DATE $HOST $MSG\n"));
};

filter f_router { facility(local1,local2,local3,local4,local5,local6,local7); };

log { source(netrout); filter(f_router); destination(router); flags(final); };
log { source(netrout); destination(unknown); flags(fallback); };
---

"tcpdump -i eth0 -n -X -s0 port 514 and src 195.58.180.178" shows the following output:

This is a packet which doesn't get logged:

15:35:02.920137 195.58.180.178.54088 > 213.229.60.108.514: udp 129
0x0000   4500 009d 3294 0000 fc11 017d c33a b4b2   E...2......}.:..
0x0010   d5e5 3c6c d348 0202 0089 545b 3c31 3733   ..<l.H....T[<173
0x0020   3e32 3733 3332 3136 3a20 4a75 6c20 3137   >2733216:.Jul.17
0x0030   2031 353a 3335 3a30 322e 3135 3520 4d45   .15:35:02.155.ME
0x0040   542d 4453 543a 2025 4c49 4e45 5052 4f54   T-DST:.%LINEPROT
0x0050   4f2d 352d 5550 444f 574e 3a20 4c69 6e65   O-5-UPDOWN:.Line
0x0060   2070 726f 746f 636f 6c20 6f6e 2049 6e74   .protocol.on.Int
0x0070   6572 6661 6365 2056 6972 7475 616c 2d41   erface.Virtual-A
0x0080   6363 6573 7338 3135 2c20 6368 616e 6765   ccess815,.change
0x0090   6420 7374 6174 6520 746f 2075 70          d.state.to.up
---

"tcpdump -i eth0 -n -X -s0 port 514 and src 195.58.172.146" shows the following output:

This is a packet which gets correctly logged:

15:36:49.431070 195.58.172.146.9914 > 213.229.60.108.514: udp 123
0x0000   4500 0097 2c3a 0000 fc11 0ffd c33a ac92   E...,:.......:..
0x0010   d5e5 3c6c 26ba 0202 0083 7d61 3c31 3733   ..<l&.....}a<173
0x0020   3e31 3538 3431 3837 3a20 4a75 6c20 3137   >1584187:.Jul.17
0x0030   2031 353a 3336 3a34 382e 3532 3020 4d45   .15:36:48.520.ME
0x0040   542d 4453 543a 2025 4c49 4e45 5052 4f54   T-DST:.%LINEPROT
0x0050   4f2d 352d 5550 444f 574e 3a20 4c69 6e65   O-5-UPDOWN:.Line
0x0060   2070 726f 746f 636f 6c20 6f6e 2049 6e74   .protocol.on.Int
0x0070   6572 6661 6365 2053 6572 6961 6c31 3a32   erface.Serial1:2
0x0080   2c20 6368 616e 6765 6420 7374 6174 6520   ,.changed.state.
0x0090   746f 2064 6f77 6e                         to.down
---

I doubt that there's a permission problem on the syslog-ng side (all dirs have the permission bits 700, logfiles 600; everything owned by root:root); the local syslog messages (internal()) don't show any suspicious messages (none at all).

Can you give me a hint on how to resolve this problem?

mfg/best regards
--
Inode Telekommunikationsdienstleistungs GmbH - http://www.inode.at/
Michael Renner - Junior System Engineer
m.renner@inode.at, Tel.: +43 59999 0 Fax.: +43 59999 6599
Buero Wien - Millennium Tower Handelskai 94-96/43 - A-1200 Wien
Buero Graz - Schmiedlstrasse 1 - A-8042 Graz
Buero Sbg - Schillerstrasse 30 - A-5020 Salzburg
Buero Ibk - Eduard Bodem Gasse 5-7 - A-6020 Innsbruck
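An added example, not part of the original post: a Python sketch that decodes the UDP payloads of the two captures above (PRI, sequence number, timestamp, mnemonic) and checks the resulting facility against the posted f_router filter. The regular expression and all names in it (CISCO, decode, F_ROUTER, NOT_LOGGED, LOGGED) are assumptions inferred from the captures, not syslog-ng's own parser.

```python
import re

# Facility and severity names by numeric code (RFC 3164).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# Facilities accepted by filter f_router in the posted configuration.
F_ROUTER = {"local%d" % n for n in range(1, 8)}

# UDP payloads transcribed from the ASCII column of the two captures in the post.
NOT_LOGGED = (b"<173>2733216: Jul 17 15:35:02.155 MET-DST: %LINEPROTO-5-UPDOWN: "
              b"Line protocol on Interface Virtual-Access815, changed state to up")
LOGGED = (b"<173>1584187: Jul 17 15:36:48.520 MET-DST: %LINEPROTO-5-UPDOWN: "
          b"Line protocol on Interface Serial1:2, changed state to down")

# Assumed layout, inferred from the captures only:
# <PRI>sequence: Mon DD HH:MM:SS.mmm TZ: %FACILITY-SEVERITY-MNEMONIC: text
CISCO = re.compile(rb"<(\d{1,3})>(\d+): (\w{3} +\d+ [\d:.]+) ([\w-]+): "
                   rb"%(\w+-\d-\w+): (.*)", re.S)


def decode(payload):
    """Split one payload into its fields and test it against f_router."""
    m = CISCO.fullmatch(payload)
    if m is None:
        raise ValueError("payload does not match the layout seen in the captures")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the highest valid PRI
        raise ValueError("PRI %d out of range" % pri)
    facility = FACILITIES[pri >> 3]  # upper bits select the facility
    return {
        "length": len(payload),
        "pri": pri,
        "facility": facility,
        "severity": SEVERITIES[pri & 7],  # low three bits are the severity
        "sequence": int(m.group(2)),
        "timestamp": m.group(3).decode(),
        "timezone": m.group(4).decode(),
        "mnemonic": m.group(5).decode(),
        "text": m.group(6).decode(),
        "passes_f_router": facility in F_ROUTER,
    }


if __name__ == "__main__":
    for name, payload in (("not logged", NOT_LOGGED), ("logged", LOGGED)):
        print(name, decode(payload))
```

The decoded lengths (129 and 123 bytes) match the "udp 129" and "udp 123" sizes tcpdump reports, and both payloads carry PRI 173, which is local5.notice.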