[syslog-ng] Error binding socket;

Gergely Nagy algernon at balabit.com
Mon May 14 15:16:16 UTC 2018

>>>>> "vinod" == vinod samant <vinod.samant.123 at gmail.com> writes:

    vinod> Hi Gergely,
    vinod> My configuration of both client and server side.

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>> client config<<<<<<<<<<<<<<<<<<<<<<<<<<<
    vinod> @version:3.13
    vinod> @include "scl.conf"
    vinod> @define allow-config-dups 1

...and herein lies one of your problems. You have multiple blocks with
the same name (`s_local`, `d_network`, etc). Only one of them will be
active, the last one.

In case of the client config, it will only forward apache logs, because
the last `s_local` block sources from there. If you want to forward
system and internal logs too, you'll have to name the block differently.
And likely forward to a different port, because in the examples I
provided, the server-side will only handle the apache logs correctly.

    vinod> >>>>>>>>>>>>>>>>>>>>> server side config<<<<<<<<<<<<<<<<<<<<<<<<<<<<

    vinod> source s_network{
    vinod> udp();
    vinod> tcp();
    vinod> };

    vinod> log { source(s_network); destination(d_from_net); };

The above two snippets will make syslog-ng listen on the default udp &
tcp ports, and route every message to the `d_from_net` destination.
Which happens to be `/var/log/from_net`.

    vinod> source s_net {
    vinod> network(flags(no-parse));
    vinod> };

Because the `s_network` source uses the default ports, and so does this,
this will not be able to start, because the previous one already
occupies the port.

    vinod> log{
    vinod> source (s_net);
    vinod> parser (p_apache);
    vinod> destination(d_apache);
    vinod> };

For the above reason, `s_network` will see no traffic, and nothing will
get routed this way. This is why your logs end up in

I would suggest starting from the simple - but complete - examples I
gave, and extending it step-by-step to include other logs than apache.
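
An added example, not part of the original message and not syslog-ng code: a small pre-deployment check for the two failure modes described in this reply, repeated block names that `allow-config-dups` silently permits and two sources listening on the same default port. The function names and the sample config are constructed for illustration; it assumes plain `udp()`, `tcp()` and `network()` listeners defaulting to port 514, and does not handle braces inside quoted strings or TLS defaults.

```python
import re
from collections import Counter

# Constructed sample with the same shape as the configs discussed in the thread.
SAMPLE = """
source s_network { udp(); tcp(); };
source s_net { network(flags(no-parse)); };
source s_local { system(); internal(); };
source s_local { file("/var/log/apache2/access.log"); };
"""

DEFAULT_PORT = 514  # assumed default for udp(), tcp() and network()
BLOCK = re.compile(r"\b(source|destination|parser|filter|rewrite)\s+([\w.-]+)\s*\{")
DRIVER = re.compile(r"\b(udp|tcp|network)\s*\(")

def _inner(text, start, opener, closer):
    """Return the text between the bracket at `start` and its matching close."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == opener:
            depth += 1
        elif text[i] == closer:
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced brackets")

def blocks(conf):
    """Yield (kind, name, body) for every named top-level block definition."""
    for m in BLOCK.finditer(conf):
        yield m.group(1), m.group(2), _inner(conf, m.end() - 1, "{", "}")

def duplicate_blocks(conf):
    """Block names defined more than once; only the last definition is active."""
    counts = Counter((kind, name) for kind, name, _ in blocks(conf))
    return sorted(key for key, n in counts.items() if n > 1)

def port_conflicts(conf):
    """Map (transport, port) -> source names, where more than one listener binds it."""
    seen = {}
    for _, name, body in (b for b in blocks(conf) if b[0] == "source"):
        for m in DRIVER.finditer(body):
            args = _inner(body, m.end() - 1, "(", ")")
            transport = "udp" if m.group(1) == "udp" else "tcp"
            t = re.search(r'\btransport\s*\(\s*"?(\w+)', args)
            p = re.search(r"\bport\s*\(\s*(\d+)", args)
            if m.group(1) == "network" and t:
                transport = t.group(1)
            port = int(p.group(1)) if p else DEFAULT_PORT
            seen.setdefault((transport, port), []).append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}
```

On the sample, `duplicate_blocks(SAMPLE)` reports the repeated `s_local` source and `port_conflicts(SAMPLE)` reports `s_network` and `s_net` both binding tcp/514.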

