Syslog-ng.conf listen for remote servers

syslog-ng

I'm configuring /etc/syslog-ng/syslog-ng.conf on version 3.5.6-2 to listen to remote hosts on port 514 by changing the configuration like

#source s_src {
#   system();
#   internal();
#};
# If you wish to get logs from remote machine you should uncomment
# this and comment the above source line.
source s_net { tcp(ip(127.0.0.1) port(514)); udp(); };

but when I comment out s_src, as I think it suggests like:

#source s_src {
#   system();
#   internal();
#};

syslog-ng won't start due to config errors. If I just comment out these:

source s_src {
#   system();
#   internal();
};

it starts, but won't log standard syslog messages from localhost. Is there some other directive I need to add in source s_src to get it to listen on port 514 for remote hosts?

(Other possibly relevant lines in config)

log { source(s_src); filter(f_syslog3); destination(d_syslog); };
filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };
destination d_syslog { file("/var/log/remotelogs/$HOST/syslog"); };

Best Answer

Okay, in my version of syslog-ng 3.5.6-2 (from the standard Debian Jessie vanilla package), you have to do a couple of things. First, leave this uncommented:

source s_src {
   system();
   internal();
};

Then change the s_net line to read:

source s_net { tcp(ip(0.0.0.0) port(514) max-connections (5000)); udp(); };

Now you have to modify a line to put the remote hosts' syslog logs in a place delineated by hostname, so you can figure out which host each syslog came from, like:

destination d_syslog { file("/var/log/remotelogs/$HOST/syslog"); };

Or, if you want them all in the same file so you can analyze a single file, just do:

destination d_syslog { file("/var/log/remotelogs/syslog"); };

Then put it all together like:

#log { source(s_src); filter(f_syslog3); destination(d_syslog); };
log { source(s_net); filter(f_syslog3); destination(d_syslog); };

Note that the log entry for syslog now references s_net as a source, rather than s_src. Now you can restart syslog-ng and see if it's listening like:

/etc/init.d/syslog-ng restart
netstat -plunt | grep syslog-ng
tcp        0      0 0.0.0.0:514           0.0.0.0:*               LISTEN      26853/syslog-ng
udp        0      0 0.0.0.0:514             0.0.0.0:*                           26853/syslog-n
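A small verification helper for the setup described in the answer, added here as an example (not code from the question or the answer): it parses `netstat -plunt`/`ss -plunt` output to confirm port 514 is bound on an address remote hosts can actually reach (a `tcp(ip(127.0.0.1) ...)` source, as in the question, shows up as a loopback bind), and sends one RFC 3164 test line over UDP or TCP so the entry can be looked for under `/var/log/remotelogs/<hostname>/syslog`. The collector address 192.0.2.10 is a constructed placeholder.

```python
import re
import socket
import time

SYSLOG_PORT = 514


def check_listeners(netstat_output: str, port: int = SYSLOG_PORT) -> dict:
    """Map each protocol bound on `port` (tcp/udp) to its listen address.

    Works on `netstat -plunt` and `ss -plunt` style lines such as
    'tcp  0  0 0.0.0.0:514  0.0.0.0:*  LISTEN  26853/syslog-ng'.
    """
    found = {}
    for line in netstat_output.splitlines():
        m = re.match(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s", line)
        if m and int(m.group(3)) == port:
            found[m.group(1)] = m.group(2)
    return found


def reachable_remotely(listeners: dict) -> bool:
    """True only if both tcp and udp are bound to a non-loopback address."""
    return all(
        proto in listeners and not listeners[proto].startswith("127.")
        for proto in ("tcp", "udp")
    )


def format_rfc3164(hostname: str, tag: str, msg: str, pri: int = 14) -> bytes:
    """Build a BSD syslog line; PRI 14 = facility user (1), severity info (6)."""
    ts = time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {tag}: {msg}\n".encode()


def send_test_message(collector: str, payload: bytes, proto: str = "udp") -> int:
    """Send `payload` to the collector on port 514; returns bytes sent."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(payload, (collector, SYSLOG_PORT))
    with socket.create_connection((collector, SYSLOG_PORT), timeout=5) as s:
        s.sendall(payload)
        return len(payload)


if __name__ == "__main__":
    # Constructed example run: replace 192.0.2.10 with the collector's address.
    line = format_rfc3164(socket.gethostname(), "syslog-ng-test", "hello collector")
    print(send_test_message("192.0.2.10", line, proto="udp"), "bytes sent over udp")
```

After sending, the line should appear in the file named after the sending host's `$HOST` value on the collector; if `check_listeners` reports a `127.0.0.1` bind, the source is still the question's `ip(127.0.0.1)` form.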