
I'm configuring /etc/syslog-ng/syslog-ng.conf on version 3.5.6-2 to listen to remote hosts on port 514 by changing the configuration like

#source s_src {
#   system();
#   internal();
#};
# If you wish to get logs from remote machine you should uncomment
# this and comment the above source line.
source s_net { tcp(ip(127.0.0.1) port(514)); udp(); };

but when I comment out s_src, as I think it suggests like:

#source s_src {
#   system();
#   internal();
#};

syslog-ng won't start due to config errors. If I just comment out these:

source s_src {
#   system();
#   internal();
};

it starts, but won't log standard syslog messages from localhost. Is there some other directive I need to add in source s_src to get it to listen on port 514 for remote hosts?

(Other possibly relevant lines in config)

log { source(s_src); filter(f_syslog3); destination(d_syslog); };   
filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };
destination d_syslog { file("/var/log/remotelogs/$HOST/syslog"); };
batflaps

2 Answers


Okay, in my version of syslog-ng 3.5.6-2 (from the standard Debian Jessie vanilla package), you have to do a couple of things. First, leave this uncommented:

source s_src {
   system();
   internal();
};

Then change the s_net line to read:

source s_net { tcp(ip(0.0.0.0) port(514) max-connections(5000)); udp(); };

Now you have to modify a line to put the remote hosts' syslog logs in a location delineated by hostname, so you can tell which host's syslog is which, like:

destination d_syslog { file("/var/log/remotelogs/$HOST/syslog"); };

Or if you want them all in the same file to analyze a single file just do:

destination d_syslog { file("/var/log/remotelogs/syslog"); };

Then put it all together like:

#log { source(s_src); filter(f_syslog3); destination(d_syslog); };
log { source(s_net); filter(f_syslog3); destination(d_syslog); };

Note that the log entry for syslog now references s_net as a source, rather than s_src. Now you can restart syslog-ng and see if it's listening like:

/etc/init.d/syslog-ng restart
netstat -plunt | grep syslog-ng
tcp        0      0 0.0.0.0:514           0.0.0.0:*               LISTEN      26853/syslog-ng
udp        0      0 0.0.0.0:514             0.0.0.0:*                           26853/syslog-n
batflaps

Sources/destinations/etc. are object-like constructs in syslog-ng.

If you want to receive remote messages, you just have to create a source object that uses the tcp(), udp() plugins, exactly the way you did it:

source s_net { tcp(ip(127.0.0.1) port(514)); udp(); };

s_net is the name of the source. s_net won't work unless you add it to a log path. "Adding it to a log path" means that you link a source to other objects, for example, destinations; so a message coming from the source will go through the pipeline you created in a log path.

You can link a source to a destination using the log block, for example:

destination d_syslog { file("/var/log/$HOST/syslog"); };

log {
  source(s_net);
  destination(d_syslog);
};

s_src is used somewhere in your config in a log path, that's the reason why you can't comment it out. If you want to receive both remote and local messages, just do not comment out s_src. Another example:

log {
  source(s_src);
  source(s_net);
  destination(d_syslog);
};

The instruction in your config is misleading.

Please note that syslog-ng v3.5 is pretty old. Consider upgrading to the current version, which is v3.20.

MrAnno
  • Okay, that helps, will look into it. Other relevant lines: `log { source(s_src); filter(f_syslog3); destination(d_syslog); };` and `destination d_syslog { file("/var/log/remotelogs/$HOST/syslog"); };` . The comments in the OP are the defaults in the config file. The version is the latest for Debian Jessie from repositories, though I may be able to upgrade distro to Stretch if needed. – batflaps Mar 25 '19 at 18:58
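
Putting the two answers together, here is a complete syslog-ng 3.5 configuration as an added example; it is not from either answer or from the syslog-ng project. It keeps the local s_src path (so /var/log/syslog keeps working), adds the remote s_net source from the first answer, and wires both into log paths as the second answer describes. The collector address 10.0.0.1, the d_local destination, the directory/file permissions, and the f_debug definition (taken from the Debian default, which the question does not show) are assumptions. The options block adds what a practitioner would want before exposing port 514: keep-hostname(no) so a sender cannot choose its own $HOST directory, and create-dirs(yes), without which the per-host file() path fails to create the directory.

```conf
@version: 3.5
@include "scl.conf"

options {
    # Do not trust the hostname field inside a received message: use the
    # sending host's address instead, so a client cannot pick which
    # $HOST directory its lines are written to.
    keep-hostname(no);
    chain-hostnames(no);
    use-dns(no);            # $HOST becomes the peer IP; no blocking reverse lookups
    # Needed so file() can create the per-host directory under remotelogs/.
    create-dirs(yes);
    dir-owner("root"); dir-group("adm"); dir-perm(0750);   # assumed ownership/perms
    owner("root"); group("adm"); perm(0640);
};

# Local messages (Debian default). Leave this in place; commenting it out
# removes every log path that references s_src, which is the startup error.
source s_src {
    system();
    internal();
};

# Remote receivers. 10.0.0.1 is an assumed collector address: bind the
# interface the senders reach rather than 0.0.0.0, and cap TCP clients.
# Plain tcp()/udp() syslog carries no authentication or integrity, so also
# restrict port 514 with a host firewall to the expected senders.
source s_net {
    tcp(ip(10.0.0.1) port(514) max-connections(5000));
    udp(ip(10.0.0.1) port(514));
};

# f_debug is assumed from the Debian default; the question only shows f_syslog3.
filter f_debug   { level(debug) and not facility(auth, authpriv, news, mail); };
filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };

destination d_local  { file("/var/log/syslog"); };
destination d_syslog { file("/var/log/remotelogs/$HOST/syslog"); };

# Two log paths: local messages stay in /var/log/syslog, remote ones are
# split by sending host.
log { source(s_src); filter(f_syslog3); destination(d_local); };
log { source(s_net); filter(f_syslog3); destination(d_syslog); };
```

Check the file with `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` before restarting, confirm the bind with `ss -plunt | grep syslog-ng` (it should show 10.0.0.1:514 rather than 0.0.0.0:514), and from a client send `logger -n 10.0.0.1 -P 514 -T "test"` and look for a new directory named after the client's IP under /var/log/remotelogs/. If senders support it, the syslog() driver with TLS is the next step; tcp()/udp() on 514 should only ever be reachable from hosts you trust at the network layer.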