[syslog-ng] changing incoming facility.level -> kern.emerg
Sandor Geller
Sandor.Geller at morganstanley.com
Thu Sep 2 08:48:44 CEST 2010
Hi,

> 32443 recvfrom(3, "<173>nginx: ScrubbedIP www.fa"..., 8192, 0,
> {sa_family=AF_INET, sin_port=htons(514),
> sin_addr=inet_addr("ScrubbedIP")}, [16]) = 412
>
> What I can't tell is how they are actually coming in (meaning what
> level / facility).

<173> = 21 * 8 + 5, so this message is facility 21 (local5) severity 5 (notice).
/usr/include/sys/syslog.h contains the definitions.

> # External Syslog
> source s_external {
> # udp();
> udp(ip("0.0.0.0") port(514) flags(no_parse));
> };

Why is the no_parse flag used here???

> log { source(s_external); destination(d_log); };
> The only problem here is that I'm not getting any access.log or
> error.log. I'm only getting kern.emerg log with EVERYTHING in it (the
> last log rule).

This happens because you set it up exactly this way by disabling
parsing of the incoming remote logs. The last log section doesn't have
any filters, therefore it gets the unclassified logs.

Regards,
Sandor
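
The PRI arithmetic from the reply above, as an added example that is not part of the original thread: a small decoder that splits `<NNN>` into facility and severity and models what a receiver files when header parsing is skipped. The `parse` switch, the priority-0 default for unparsed input and the sample datagram are assumptions made for illustration; the fallback to priority 13 for an unusable PRI follows RFC 3164 section 4.3.3.

```python
import re

# Facility/severity names in the numeric order of <sys/syslog.h>.
# Codes 12-15 use RFC 3164 table names (assumption; some headers leave them unnamed).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]      # codes 16..23
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"<(\d{1,3})>")               # "<", 1-3 digits, ">" at offset 0


def pri_name(pri: int) -> str:
    """Map a numeric priority to 'facility.severity' (pri = facility * 8 + severity)."""
    return f"{FACILITIES[pri >> 3]}.{SEVERITIES[pri & 7]}"


def decode_pri(datagram: bytes):
    """Return (pri, rest_of_message), or None when there is no valid PRI header."""
    m = PRI_RE.match(datagram)
    if m is None or int(m.group(1)) > 191:         # 23 * 8 + 7 is the largest valid PRI
        return None
    return int(m.group(1)), datagram[m.end():]


def classify(datagram: bytes, parse: bool = True):
    """Model how a receiver files a datagram: ('facility.severity', message text).

    parse=False (hypothetical switch) models a source that skips header parsing:
    the priority is assumed to stay at 0 and the "<NNN>" prefix stays in the text.
    """
    if not parse:
        return pri_name(0), datagram
    decoded = decode_pri(datagram)
    if decoded is None:                            # RFC 3164 4.3.3: treat as PRI 13
        return pri_name(13), datagram
    pri, rest = decoded
    return pri_name(pri), rest


# Constructed sample shaped like the strace capture (address and host are placeholders).
SAMPLE = b"<173>nginx: 192.0.2.10 www.example.com GET /index.html 200"

if __name__ == "__main__":
    print(classify(SAMPLE))                 # parsed: filters on local5/notice can match
    print(classify(SAMPLE, parse=False))    # unparsed: only an unfiltered log path matches
    print(classify(b"<999>bogus priority")) # out-of-range PRI falls back to priority 13
```
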