
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1152

Syslog-ng Remote logging won't work

I've got syslog-ng running on my server. I set the client to log to my server by editing /etc/syslog.conf and adding *.* @ip
Now I'm trying to configure my server where syslog-ng is running, but I can't seem to get it working.

My syslog-ng config file on the server:

source s_sys { file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };
source s_test { udp( ip("xxx.xxx.xxx.xxx"); port("514");); };

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };
destination d_hosts {file("/var/log/$HOST" owner(root) group(root) perm(0755) dir_perm(0755) create_dirs(yes)); };

filter f_filter1     { facility(kern); };
filter f_filter2     { level(info) and
                     not (facility(mail)
                        or facility(authpriv) or facility(cron)); };
filter f_filter3     { facility(authpriv); };
filter f_filter4     { facility(mail); };
filter f_filter5     { level(emerg); };
filter f_filter6     { facility(uucp) or
                     (facility(news) and level(crit)); };
filter f_filter7     { facility(local7); };
filter f_filter8     { facility(cron); };

#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };
log { source(s_test); destination(d_hosts); };

end syslog-ng config

So I added these lines to the standard config file:

source s_test { udp( ip("xxx.xxx.xxx.xxx"); port("514");); };
destination d_hosts {file("/var/log/$HOST" owner(root) group(root) perm(0755) dir_perm(0755) create_dirs(yes)); };
log { source(s_test); destination(d_hosts); };

So what I'm trying to achieve is that all syslog messages from the source machine xxx.xxx.xxx.xxx (the client side, which is running basic syslog configured to log remotely) are logged in the folder /var/log/$host ($host is going to be the name of the source machine).

After configuring it like this I get the error that there is an error in line 40, and that would be this line:
source s_test { udp( ip("xxx.xxx.xxx.xxx"); port("514");); };

Can you guys help me out, please?

2 Solutions
No ";" are allowed inside (), try:
source s_test { udp( ip("xxx.xxx.xxx.xxx") port("514")); };

But usually it's like:
source r_src { tcp(ip("") port(5140)); };
so I'm not sure if "514" is correct
Mr-sarkAuthor Commented:
I know that is TCP, but on the client side I run SYSLOGD, the basic syslog daemon, and that one is using UDP. Should I also install syslog-ng on the client side to get it to use TCP?

thnx in advance
Mr-sarkAuthor Commented:
After applying your line I get this error:

Error finding port for service 514.  Falling back to default
io.c: bind_inet_socket() bind failed Cannot assign requested address
Error initializing configuration, exiting.

The syslog port is

I thought I had made that clear
my bad - udp port 514 is the default.

But according to the error message, port("514") seems to be looking for the service "514", not port number 514 - so changing that would reduce the errors to 2.
But the fallback tries port 514, and fails...

Are you sure that machine is set up correctly?
from man syslogd:
 To have this work correctly the services(5)
       files (typically found in /etc) must have the following entry:

                   syslog          514/udp

       If this entry is missing syslogd neither can  receive  remote  messages
       nor  send  them,  because the UDP port cant be opened.

Otherwise, I'm stumped...
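
A way to reproduce the bind step outside syslog-ng (an added example, not part of the original thread): in a syslog-ng source, ip() is the local address the daemon binds to, and "Cannot assign requested address" is what bind() returns for an address that is not configured on the machine. The function names and the sample address 192.0.2.1 (a documentation-range address) are assumptions made for this sketch.

```python
import errno
import socket


def check_bind(ip, port=0):
    """Bind a UDP socket the way a udp(ip(...) port(...)) source would.

    Returns (ok, reason). port=0 lets the OS pick a free port so the check
    runs unprivileged; pass 514 as root to test the real syslog port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((ip, port))
        except OSError as e:
            if e.errno == errno.EADDRNOTAVAIL:
                return False, "not a local address (cannot assign requested address)"
            if e.errno == errno.EADDRINUSE:
                return False, "address/port already in use by another daemon"
            if e.errno == errno.EACCES:
                return False, "permission denied (ports below 1024 need root)"
            return False, e.strerror
        return True, "ok"


def loopback_roundtrip(payload=b"<14>selftest: remote logging check"):
    """Send one syslog-style datagram to a local UDP listener and return
    (received_bytes, sender_ip). <14> is facility user, severity info."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))          # listener on an ephemeral port
        rx.settimeout(2.0)
        tx.sendto(payload, rx.getsockname())
        data, (sender_ip, _) = rx.recvfrom(2048)
        return data, sender_ip


if __name__ == "__main__":
    # Constructed sample addresses: loopback, wildcard, and a non-local one.
    for addr in ("127.0.0.1", "0.0.0.0", "192.0.2.1"):
        print(addr, check_bind(addr))
    print(loopback_roundtrip())
```

Running it with the address from the ip() option shows whether the server can listen there at all; the sender's address only appears on the receiving side, as the second value returned by loopback_roundtrip().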


In file

By default following option will be there

add "-r" to list to look like


-r will allow remote login

Restart the syslogd service...

That's it.

