I've got a problem with receiving remote logs from syslog-ng OSE to syslog-ng OSE. I am configuring a loghost and right now I have no idea what I am doing wrong. It seems like filters are not working for logs received from remote hosts.
This is a part of my configuration related to loghost:
Client (syslog-ng 3.3.5) (it's working fine because logs are reaching the loghost - I ran it in debug mode so I was able to confirm that):
destination d_net { syslog("10.20.8.2" transport ("tcp") port(514) ); };
filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
log { source(s_src); filter(f_auth); destination(d_net); };
And server (syslog-ng 3.2.5) - my server syslog-ng.conf part:
source s_network { tcp(); udp(); };
destination d_loghost_auth { file("/opt/logs/sys/$YEAR-$MONTH-$DAY/auth.log" create_dirs(yes) ); };
filter f_loghost_auth { facility(auth) or facility(authpriv) };
log { source(s_network); filter(f_loghost_auth); destination(d_loghost_auth); };
So when I run the server in debug & verbose mode and test it with logger (from the client):
logger -n 10.20.8.2 -p auth.info "auth.info test syslog"
I'm getting this:
Incoming log entry; line='95 <38>1 2014-12-17T13:03:16+01:00 ibanez logger - - [meta sequenceId="65"] auth.info test syslog'
Filter rule evaluation begins; filter_rule='f_loghost_auth'
Filter node evaluation result; filter_result='not-match', filter_type='facility'
Filter node evaluation result; filter_result='not-match', filter_type='facility'
Filter node evaluation result; filter_result='not-match', filter_type='OR'
Filter rule evaluation result; filter_result='not-match', filter_rule='f_loghost_auth'
I don't think that a version mismatch is the reason. I would appreciate any kind of help!
The issue was that I used the tcp() and udp() source drivers [BSD format] instead of syslog() [IETF format]. It's working now.
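Why the filter reported not-match, as an added example that is not part of the original post and is not syslog-ng's own parser: the captured line starts with the octet count `95 ` that the IETF syslog() transport puts in front of each message, so a parser expecting the BSD layout finds no `<PRI>` at the start and never sees facility auth. The function names are hypothetical, and the parsing is simplified to the PRI field only.

```python
import re

# Line copied from the "Incoming log entry" debug output in the post.
RAW = ('95 <38>1 2014-12-17T13:03:16+01:00 ibanez logger - - '
       '[meta sequenceId="65"] auth.info test syslog')

AUTH, AUTHPRIV = 4, 10  # syslog facility codes tested by f_loghost_auth


def decode_pri(pri):
    """PRI = facility * 8 + severity."""
    return pri >> 3, pri & 7


def parse_bsd(line):
    """BSD (legacy) layout: '<PRI>' must be the first thing on the line."""
    m = re.match(r"<(\d{1,3})>", line)
    return decode_pri(int(m.group(1))) if m else None


def parse_ietf_framed(data):
    """IETF layout over TCP: 'LEN SP <PRI>VERSION ...' (octet counting)."""
    m = re.match(r"(\d+) ", data)
    if not m:
        return None
    length = int(m.group(1))
    # Slice at most LEN characters. The debug output shows 94 characters after
    # the count; assumption: the 95th octet was a trailing newline.
    msg = data[m.end():m.end() + length]
    m = re.match(r"<(\d{1,3})>1 ", msg)  # version field must be 1
    return decode_pri(int(m.group(1))) if m else None


def matches_auth_filter(parsed):
    """Equivalent of: facility(auth) or facility(authpriv)."""
    return parsed is not None and parsed[0] in (AUTH, AUTHPRIV)


if __name__ == "__main__":
    for name, parser in (("bsd", parse_bsd), ("ietf", parse_ietf_framed)):
        parsed = parser(RAW)
        print(name, parsed, "match" if matches_auth_filter(parsed) else "not-match")
```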