Error in syslog-ng.conf file on syslog-ng Client

I have redhat server as my syslog-ng server and AIX as my client server. I am not able to forward syslog-ng messages on AIX to my syslog-ng server. Here is the error

820>syslog-ng -f syslog-ng.conf
Error binding socket; addr='AF_INET(', error='Address already in use (67)'
Error initializing source driver; source='s_local'
Here is the Client Configuration file

# syslog-ng client configuration: some local logs, in addition to TCP
# logging to central loghost.

    sync (0);
    stats (0);
    create_dirs (yes);
    time_reopen (10);

source s_local  { unix-stream ("/dev/log"); udp( ip( port(514));  internal(); };

#  Standard Log file locations
destination d_cons      { file("/dev/console"); };
destination d_mesg      { file("/var/adm/messages"); };
destination d_mail      { file("/var/log/syslog"); };
destination d_auth      { file("/var/log/authlog"); };
destination d_mlop      { usertty("operator"); };
destination d_mlrt      { usertty("root"); };
destination d_mlal      { usertty("*"); };

#  Forward to a loghost server
destination d_loghostdr   { tcp("" port(514)); };

#  Standard filters for the standard destinations.
filter f_filter1   { level(err) or
                     (level(notice) and facility (auth, kern)); };
filter f_filter2   { level(err) or
                     (facility(kern) and level(notice)) or
                     (facility(daemon) and level(notice)) or
                     (facility(mail) and level(crit)); };
filter f_filter3   { level(alert) or
                     (facility(kern) and level(err)) or
                     (facility(daemon) and level(err)); };
filter f_filter4   { level(alert); };
filter f_filter5   { level(emerg); };
filter f_filter6   { facility(kern) and level(notice); };
filter f_filter7   { facility(mail) and level(debug); };
filter f_filter8   { facility(user) and level(err); };
filter f_filter9   { facility(user) and level(alert); };

#  Standard logging
log { source(s_local); filter(f_filter1); destination(d_cons); };
log { source(s_local); filter(f_filter2); destination(d_mesg); };
log { source(s_local); filter(f_filter3); destination(d_mlop); };
log { source(s_local); filter(f_filter4); destination(d_mlrt); };
log { source(s_local); filter(f_filter5); destination(d_mlal); };
log { source(s_local); filter(f_filter6); destination(d_auth); };
log { source(s_local); filter(f_filter7); destination(d_mail); };
log { source(s_local); filter(f_filter8); destination(d_cons);
                                        destination(d_mesg); };
log { source(s_local); filter(f_filter9); destination(d_mlop);
                                        destination(d_mlrt); };

#  Send to a remote loghost
log { source(s_local); destination(d_loghostdr); };
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

seems that the port syslog-ng wants to use is already occupied by AIXs own syslog.
Since you don't need this any longer with syslog-ng, stop it with 'stopsrc -s syslog'

You should also remove it from /etc/rc.tcpip (comment it out wih 2 #'s) -
# # start /usr/sbin/syslogd "$src_running"

Sorry, the stop command is of course

 'stopsrc -s syslogd'

jdenver247Author Commented:
 Looks like syslogd is not running and I also commented the start /usr/sbin/syslogd "$src_running". Here are my port info

834>lsof -i :514
lsof: WARNING: compiled for AIX version; this is
inetd     139488 root    5u  IPv6 0xf10002000019fb98      0t0  TCP *:shell (LISTEN)
syslog-ng 241754 root    4u  IPv4 0xf100020000aca400      0t0  UDP *:syslog

837>netstat -an |grep 514
tcp        0      0  *.514                  *.*                    LISTEN
udp4       0      0  *.514                  *.*

838>cat /etc/services|grep 514
shell                    514/tcp                # cmd
syslog                  514/udp         #

So I really dont know why its throwing this error...
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

jdenver247Author Commented:
Also I am not able to use a logger command to log in  a sample message, I cgecked syslogng was active

841>lssrc -a |grep syslogng
 syslogng         ras              241754       active

840>logger system restart
Could not send msg system restart . Please retry
Seems that your syslog-ng is already running -
syslog-ng 241754 root    4u  IPv4 0xf100020000aca400      0t0  UDP *:syslog

I think you should not use a port for internal, perhaps this is also the cause of your problem.
Try it this way -
source src { unix-dgram("/dev/log"); internal(); };

jdenver247Author Commented:
I tried taking off the internal port and seems its working...but here is what I have..

862>syslog-ng -d

863>syslog-ng -f syslog-ng.conf

864>logger -p auth.debug "this is a test"
Could not send msg this is a test . Please retry

So its not logging the sample messages and looks like its also not sending the data to the syslog server...
jdenver247Author Commented:
To add to my previous statement I see that its not connecting to my syslog server

Nov  6 17:13:15 syslog-ng[323640]: Log statistics; dropped='tcp(AF_INET(', processed='center(queued)=1178', processed='center(received)=589', processed='destination(console)=0', processed='destination(mail)=0', processed='destination(messages)=589', processed='destination(loghost)=589', processed='destination(lpr)=0', processed='destination(console_all)=0', processed='source(src)=589'

Did you change 'src' in my example to your value 's_local'?
jdenver247Author Commented:
Yes I did...Here is how its looks now
source s_local  { unix-stream ("/dev/log");  internal(); };
the only thing I see is the 'unix-stream' instead of my 'unix-dgram'. Not sure if this is a problem ...
I assume your loghost has all the 'source' and 'log' statements for this host and has syslog-ng running and listening on port 514?
jdenver247Author Commented:
Yes.. syslog-ng is running on the server. Here is my port info

[root@reddev2 syslog-ng]# lsof -i :514
syslog-ng 12260 root    4u  IPv4 280160       UDP *:syslog
syslog-ng 13907 root    4u  IPv4 287237       UDP *:syslog
syslog-ng 13907 root    5u  IPv4 287238       TCP *:shell (LISTEN)
syslog-ng 13907 root    8u  IPv4 287240       TCP> (ESTABLISHED)
syslog-ng 13907 root   11u  IPv4 287244       TCP> (ESTABLISHED)
syslog-ng 13907 root   12u  IPv4 287245       TCP> (ESTABLISHED)
syslog-ng 13907 root   13u  IPv4 287269       TCP> (ESTABLISHED)
syslog-ng 13907 root   15u  IPv4 287275       TCP> (ESTABLISHED)
syslog-ng 13965 root    4u  IPv4 287496       UDP *:syslog
syslog-ng 13965 root    5u  IPv4 287497       UDP
syslog-ng 13968 root    4u  IPv4 287505       UDP *:syslog
syslog-ng 13968 root    5u  IPv4 287506       UDP

[root@redhat syslog-ng]# netstat -an|grep 514
tcp        0      0       *                   LISTEN
tcp        0      0              ESTABLISHED
tcp        0      0              ESTABLISHED
tcp        0      0              ESTABLISHED
tcp        0      0              ESTABLISHED
tcp        0      0              ESTABLISHED
udp        0      0   *
udp        0      0       *
udp        0      0   *
udp        0      0       *
udp        0      0       *
udp        0      0       *
Seems that /dev/log is actually a SOCK_DGRAM socket!
Please try  'unix-dgram'!
 Despite my many years with AIX I didn't know (or remember) that!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jdenver247Author Commented:
hello wmp,
I have changed it to unix-dgram..It worked..
Have fun and success!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Unix OS

From novice to tech pro — start learning today.