# Syslog-ng central logger howto problem

## dcreatorx

Hello ! I'm successfully receiving logs through the network by UDP 514 from routers and the like devices. Now I need to set up organized logging for the servers. The thing is that I couldn't find any howto that matches gentoo and debian systems syslog-ng configurations ( I'm sure it has to be pretty the same for both as syslog-ng is standard ). So the receiving part, at least for UDP is fine. But when I try to make other servers connect through TCP, the connection gets done, but no logs are passing through. I know why, but I don't know how to solve it. In the only more-logical howto I found, they say that you have to put this code on the SERVER to log stuff in order.

```

  destination hosts { 

   file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY"

   owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); 

  };

  

  log {

   source(src);

   destination(hosts);

  };

```

How ever I get the following error when restarting :

```

Stopping system logging: syslog-ng not running.

Starting system logging: syslog-ngError in configuration, unresolved source reference; source='src'

 start failed.

```

The other linux end is sending because it is opening a TPC socket and permanently establishing a connection to the logger.

Any guide on this will be much appreciated, Thank you.

----------

## timeBandit

Is there a...

```
source src {

  ... stuff ...

};
```

...block in /etc/syslog.conf on the server? Are any other messages logged?

You might want to post the entire contents of /etc/syslog.conf (sans comments).

----------

## dcreatorx

Hi, thank you for your answer. The config is the one that comes by default on any syslog-ng fresh installatinon. There are many sources defined.

----------

## dcreatorx

######

# options

options {

        # disable the chained hostname format in logs

        # (default is enabled)

        chain_hostnames(0);

        # the time to wait before a died connection is re-established

        # (default is 60)

        time_reopen(10);

        # the time to wait before an idle destination file is closed

        # (default is 60)

        time_reap(360);

        # the number of lines buffered before written to file

        # you might want to increase this if your disk isn't catching with

        # all the log messages you get or if you want less disk activity

        # (say on a laptop)

        # (default is 0)

        #sync(0);

        # the number of lines fitting in the output queue

        log_fifo_size(2048);

        # enable or disable directory creation for destination files

        create_dirs(yes);

        # default owner, group, and permissions for log files

        # (defaults are 0, 0, 0600)

        #owner(root);

        group(adm);

        perm(0640);

        # default owner, group, and permissions for created directories

        # (defaults are 0, 0, 0700)

        #dir_owner(root);

        #dir_group(root);

        dir_perm(0755);

        # enable or disable DNS usage

        # syslog-ng blocks on DNS queries, so enabling DNS may lead to

        # a Denial of Service attack

        # (default is yes)

        use_dns(no);

        # maximum length of message in bytes

        # this is only limited by the program listening on the /dev/log Unix

        # socket, glibc can handle arbitrary length log messages, but -- for

        # example -- syslogd accepts only 1024 bytes

        # (default is 2048)

        #log_msg_size(2048);

};

######

# sources

# all known message sources

source s_all {

        # message generated by Syslog-NG

        internal();

        # standard Linux log source (this is the default place for the syslog()

        # function to send logs to)

        unix-stream("/dev/log");

        # messages from the kernel

        file("/proc/kmsg" log_prefix("kernel: "));

        # use the following line if you want to receive remote UDP logging messages

        # (this is equivalent to the "-r" syslogd flag)

        udp();

	tcp(port(5140) keep-alive(yes));

};

######

# destinations

# some standard log files

destination df_auth { file("/var/log/auth.log"); };

destination df_syslog { file("/var/log/syslog"); };

destination df_cron { file("/var/log/cron.log"); };

destination df_daemon { file("/var/log/daemon.log"); };

destination df_kern { file("/var/log/kern.log"); };

destination df_lpr { file("/var/log/lpr.log"); };

destination df_mail { file("/var/log/mail.log"); };

destination df_user { file("/var/log/user.log"); };

destination df_uucp { file("/var/log/uucp.log"); };

# these files are meant for the mail system log files

# and provide re-usable destinations for {mail,cron,...}.info,

# {mail,cron,...}.notice, etc.

destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };

destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };

destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };

destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };

destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };

# these files are meant for the news system, and are kept separated

# because they should be owned by "news" instead of "root"

destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };

destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };

destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };

# some more classical and useful files found in standard syslog configurations

destination df_debug { file("/var/log/debug"); };

destination df_messages { file("/var/log/messages"); };

# pipes

# a console to view log messages under X

destination dp_xconsole { pipe("/dev/xconsole"); };

# consoles

# this will send messages to everyone logged in

destination du_all { usertty("*"); };

######

# filters

# all messages from the auth and authpriv facilities

filter f_auth { facility(auth, authpriv); };

# all messages except from the auth and authpriv facilities

filter f_syslog { not facility(auth, authpriv); };

# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,

# and uucp facilities

filter f_cron { facility(cron); };

filter f_daemon { facility(daemon); };

filter f_kern { facility(kern); };

filter f_lpr { facility(lpr); };

filter f_mail { facility(mail); };

filter f_news { facility(news); };

filter f_user { facility(user); };

filter f_uucp { facility(uucp); };

# some filters to select messages of priority greater or equal to info, warn,

# and err

# (equivalents of syslogd's *.info, *.warn, and *.err)

filter f_at_least_info { level(info..emerg); };

filter f_at_least_notice { level(notice..emerg); };

filter f_at_least_warn { level(warn..emerg); };

filter f_at_least_err { level(err..emerg); };

filter f_at_least_crit { level(crit..emerg); };

# all messages of priority debug not coming from the auth, authpriv, news, and

# mail facilities

filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };

# all messages of info, notice, or warn priority not coming form the auth,

# authpriv, cron, daemon, mail, and news facilities

filter f_messages {

        level(info,notice,warn)

            and not facility(auth,authpriv,cron,daemon,mail,news);

};

# messages with priority emerg

filter f_emerg { level(emerg); };

# complex filter for messages usually sent to the xconsole

filter f_xconsole {

    facility(daemon,mail)

        or level(debug,info,notice,warn)

        or (facility(news)

                and level(crit,err,notice));

};

######

# logs

# order matters if you use "flags(final);" to mark the end of processing in a

# "log" statement

# these rules provide the same behavior as the commented original syslogd rules

# auth,authpriv.*                 /var/log/auth.log

log {

        source(s_all);

        filter(f_auth);

        destination(df_auth);

};

# *.*;auth,authpriv.none          -/var/log/syslog

log {

        source(s_all);

        filter(f_syslog);

        destination(df_syslog);

};

# this is commented out in the default syslog.conf

# cron.*                         /var/log/cron.log

#log {

#        source(s_all);

#        filter(f_cron);

#        destination(df_cron);

#};

# daemon.*                        -/var/log/daemon.log

log {

        source(s_all);

        filter(f_daemon);

        destination(df_daemon);

};

# kern.*                          -/var/log/kern.log

log {

        source(s_all);

        filter(f_kern);

        destination(df_kern);

};

# lpr.*                           -/var/log/lpr.log

log {

        source(s_all);

        filter(f_lpr);

        destination(df_lpr);

};

# mail.*                          -/var/log/mail.log

log {

        source(s_all);

        filter(f_mail);

        destination(df_mail);

};

# user.*                          -/var/log/user.log

log {

        source(s_all);

        filter(f_user);

        destination(df_user);

};

# uucp.*                          /var/log/uucp.log

log {

        source(s_all);

        filter(f_uucp);

        destination(df_uucp);

};

# mail.info                       -/var/log/mail.info

log {

        source(s_all);

        filter(f_mail);

        filter(f_at_least_info);

        destination(df_facility_dot_info);

};

# mail.warn                       -/var/log/mail.warn

log {

        source(s_all);

        filter(f_mail);

        filter(f_at_least_warn);

        destination(df_facility_dot_warn);

};

# mail.err                        /var/log/mail.err

log {

        source(s_all);

        filter(f_mail);

        filter(f_at_least_err);

        destination(df_facility_dot_err);

};

# news.crit                       /var/log/news/news.crit

log {

        source(s_all);

        filter(f_news);

        filter(f_at_least_crit);

        destination(df_news_dot_crit);

};

# news.err                        /var/log/news/news.err

log {

        source(s_all);

        filter(f_news);

        filter(f_at_least_err);

        destination(df_news_dot_err);

};

# news.notice                     /var/log/news/news.notice

log {

        source(s_all);

        filter(f_news);

        filter(f_at_least_notice);

        destination(df_news_dot_notice);

};

# *.=debug;\

#         auth,authpriv.none;\

#         news.none;mail.none     -/var/log/debug

log {

        source(s_all);

        filter(f_debug);

        destination(df_debug);

};

# *.=info;*.=notice;*.=warn;\

#         auth,authpriv.none;\

#         cron,daemon.none;\

#         mail,news.none          -/var/log/messages

log {

        source(s_all);

        filter(f_messages);

        destination(df_messages);

};

# *.emerg                         *

log {

        source(s_all);

        filter(f_emerg);

        destination(du_all);

};

# daemon.*;mail.*;\

#         news.crit;news.err;news.notice;\

#         *.=debug;*.=info;\

#         *.=notice;*.=warn       |/dev/xconsole

log {

        source(s_all);

        filter(f_xconsole);

        destination(dp_xconsole);

};

  destination hosts { 

     file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY"

        owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); 

	  };

	      log {

	      	source(src);

			destination(hosts);

			  };

----------

## timeBandit

The error message is correct, your configuration has only one message source defined and it is not named src. You need to correct the source name in your log definition, as follows:

```
log {

    source(s_all);

    destination(hosts);

};
```

I suggest you also read Chapter 3 of the Syslog Administrator's Guide, at least through section 3.8, to gain a better understanding of what you've configured and why. HOWTOs are a fine start but they can't anticipate every small mistake.

----------

