# syslog-ng and remote logging

## mellofone

I have set up a handful of servers to remotely log to a centralized log server, and so far it seems to be working. However, I am using that log server to watch the logs at the console using aterm -C. This works, all of the messages are appearing as they should. However, it no longer logs to /var/log/syslog as well. I am using the stock syslog-ng.conf file from portage, except I added the option to turn on remote logging as well as logging to the console:

```
# $Header: /home/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.1 2003/03/11 04:05:11 agriffis Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett
#
options {
        long_hostnames(off);
        sync(0);

        # The default action of syslog-ng 1.6.0 is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg");
tcp();
};

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
destination console_all { file("/var/log/syslog"); };
destination console_all { file("/dev/console"); };

log { source(src); destination(messages); };
log { source(src); destination(console_all); };
```

Is there any way to log both to the console AND to /var/log/syslog? I have both lines there, but it's not working.

----------

## think4urs11

 *mellofone wrote:*   

> 
> 
> destination console_all { file("/var/log/syslog"); };
> 
> destination console_all { file("/dev/console"); };
> ...

 

remove the .../dev/console... line and you should be fine.

HTH

T.
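
The config in the first post defines `console_all` three times (tty12, /var/log/syslog, /dev/console), and that post reports that only the console received messages. As an added example, not part of either post, one way to write to both targets is to give each its own name; `d_syslog` and `d_console` are hypothetical names:

```conf
# Added example: d_syslog and d_console are hypothetical names.

# As posted: the same destination name declared more than once, so the
# single log path below cannot refer to the file and the console separately.
#destination console_all { file("/var/log/syslog"); };
#destination console_all { file("/dev/console"); };
#log { source(src); destination(console_all); };

# Each target gets its own destination name.
destination d_syslog  { file("/var/log/syslog"); };
destination d_console { file("/dev/console"); };

# A log path may list several destinations; every message from src
# is written to both of them.
log { source(src); destination(d_syslog); destination(d_console); };
```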

----------

## kompressor

I'm trying to get remote logging to work with syslog-ng.

I added these lines to the stock syslog-ng.conf file:

```
destination remote { udp(ip(192.168.1.14) port(514)); };
log { source(src); destination(remote); };
```

I get a parse error on the first line. Any ideas?

----------

## kompressor

any help would be cool....

----------

## kompressor

or not

----------

## nevynxxx

@ mellofone, if you are still logging to /var/log/messages try

```
tail -f -n 50 /var/log/messages
```

Mess with the 50 bit, it's the number of lines output.

@ kompressor This help? That is the server conf, the client confs have something like

```
destination loghost       { udp("10.1.1.254" port(514)); };
```

except I think I specified tcp, not udp

this is useful, I printed a copy for reference, which I found through this which I found through googling for syslog-ng faq.

Phew, that enough to get you started?

----------

## nevynxxx

Oh and if you notice the mysql stuff and want to know more just ask, I use a modified version of sqlsyslogd, that puts things in the correct column a little better than the original

----------

## acdispatcher

I pulled out my hair over syslog-ng for a while. I found the website nevynxxx posted. It was very helpful (google is a good thing).

I have a Linux firewall/router (coyote) for my home network. It's a Coyote Linux box: http://www.coyotelinux.com/. It sends its log file to my laptop (arora). Here is my setup:

```
options {
	long_hostnames(off);
	sync(0);

	# The default action of syslog-ng 1.6.0 is to log a STATS line
	# to the file every 10 minutes.  That's pretty ugly after a while.
	# Change it to every 12 hours so you get a nice daily update of
	# how many messages syslog-ng missed (0).
	stats(43200);
};

source src { unix-stream("/dev/log"); internal(); udp(ip(0.0.0.0) port(514)); pipe("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

destination syslog { file("/var/log/syslog"); };
destination coyote { file("/var/log/coyote"); };
destination mail { file("/var/log/mail.log"); };
destination mayday { file("/var/log/mayday.log"); };

filter f_info  { host(coyote); };
filter f_mail { facility(mail); };
filter f_syslog { not facility(auth, authpriv) and not host(coyote); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

log { source(src); destination(messages); };
log { source(src); destination(console_all); };
log { source(src); filter(f_info); destination(coyote); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_warn); filter(f_crit); filter(f_err); destination(mayday); };
```

As you can see I have added a few personal log files. Now I'm no expert (by no means) so take this file for what it's worth. Half of this is to see if anyone else can improve this or tell me what I did wrong. Anywho, this is the setup -

 *Quote:*   

> 
> 
> source src { unix-stream("/dev/log"); internal(); udp(ip(0.0.0.0) port(514)); pipe("/proc/kmsg"); };

 

tcp never worked for me. udp is traditionally the syslog protocol, but tcp is better if it works. My coyote box is a DHCP server, so my laptop (arora's) ip address is not static. I put ip(0.0.0.0) port(514)) to make syslog-ng listen on all available interfaces, port 514.

 *Quote:*   

> 
> 
> destination coyote { file("/var/log/coyote"); };

 

Set my destination to /var/log/coyote

 *Quote:*   

> 
> 
> filter f_info  { host(coyote); };

 

 I set this as the filter for coyote messages in /var/log/messages. I opened /var/log/messages and saw that the remote logs showed up like this:

```
# cat /var/log/messages | grep coyote
Apr 19 13:59:09 coyote thttpd[569]: spawned CGI process 1921 for file 'cgi-bin/index.cgi'
```

 *Quote:*   

> 
> 
> log { source(src); filter(f_info); destination(coyote); };

 

I set to log all data from the f_info filter(above) to the coyote log (/var/log/coyote) set in the destination line.

Now this is the setup for my laptop (arora) to receive logs from a remote box (coyote). I think that udp only works for me because the coyote box is one way with its log information. Doesn't matter if my laptop is up or not, it just blindly sends the log data. A tcp connection provides connection-oriented service where udp provides a simple datagram oriented protocol.

The page nevynxxx pointed out is very helpful. Give it a look.
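
On the request above for improvements, an added example that is not acdispatcher's config: the `mayday` log path chains three filters, and a second path shows remote input kept in its own source. `f_mayday`, `s_remote`, `d_hosts` and the `/var/log/hosts` path are hypothetical; if `s_remote` is used, the `udp()` entry is removed from `src` so the port is bound only once.

```conf
# Added example (not acdispatcher's config). f_mayday, s_remote and d_hosts
# are hypothetical names; the /var/log/hosts path is an assumption.

# As posted: three filter() references in one log path. A message must pass
# every filter in the path, and level(warn), level(crit) and level(err) each
# match a single severity, so nothing ever reaches mayday.log.
#log { source(src); filter(f_warn); filter(f_crit); filter(f_err); destination(mayday); };

# One filter that lists the wanted severities matches any of them.
filter f_mayday { level(warn, err, crit); };
destination mayday { file("/var/log/mayday.log"); };
log { source(src); filter(f_mayday); destination(mayday); };

# Network input in its own source, so log paths can separate remote
# messages from local ones without one host() filter per machine.
source s_remote { udp(ip(0.0.0.0) port(514)); };

# $HOST expands per message, giving one file per sending host;
# create_dirs(yes) creates /var/log/hosts if it does not exist.
destination d_hosts { file("/var/log/hosts/$HOST.log" create_dirs(yes)); };
log { source(s_remote); destination(d_hosts); };
```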

----------

## kompressor

Thanks for your help guys. I got it working.

Here are the lines I added

Client

```
#----------------------------------------------------------------------
#  Forward to a loghost server
#----------------------------------------------------------------------
destination loghost       { udp("10.1.1.254" port(514)); };
log { source(src); destination(loghost); };
```

My 'loghost' looks like this:

```
source client { udp(); };
destination client_logs { file("/var/log/client"); };
log { source(client); destination(client_logs);};
```

It's not pretty but it gets the job done.

The absolute minimum to get logs sent to a server.

----------

