I'm trying to get my SLES 11 SP1 server to accept a remote syslog stream from another system but I'm not having any luck and could really use some help. For explanation's sake, let's say that the remote system has an IP address of 10.1.1.1 and the SLES server's interface has an IP address of 10.1.1.2.

Also, I'm running AppArmor, but I have both the syslogd and syslog-ng default AppArmor profiles in complain mode, so even if AppArmor events were being generated, they would still be allowed and just logged to the audit.log.

I have a rule (two actually; one for TCP and one for UDP) in the SuSE Firewall (under the custom rules) to allow TCP 514 (and UDP 514) to come in through the firewall from 10.1.1.1. I have the -r option set in the syslog.conf file. I did this using the YaST /etc/sysconfig editor. Using that editor, under System -> Logging -> SYSLOGD_PARAMS, I entered

-r

and under SYSLOG_NG_PARAMS I put in

source s_tcp {tcp(ip(10.1.1.1) port(514)); };

From the books that I have, that is all that should be required. Tell syslogd to accept remote connections, punch a hole through the firewall on that port, and tell syslog-ng to accept the remote source syslog stream (from what IP address and on what port). Now, using tcpdump, I've verified that the syslog stream is getting to the SLES server on port 514. But when I use the YaST log viewer to look in the audit.log file, I don't see any of the remote syslog stream data in there. So, either I've configured something wrong or there is some other service (other than syslog) using port 514 and it is interfering with the process or when syslog-ng gets the remote data, it is not storing it in the audit.log file (either it isn't storing it at all, but just rejecting it, or it is storing it in some other file I don't know about). The source sending the stream is sending it to facility local2 on 10.1.1.2. Since I'm not all that familiar with how the facilities work, maybe that is where my problem is coming from.

I could really use some help.
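As an added example, not part of the original post: a minimal syslog-ng 2.x configuration for the setup described above, assuming syslog-ng is the active daemon on 10.1.1.2 and that the sender 10.1.1.1 uses TCP 514 with facility local2. Statements like this belong in syslog-ng's own configuration file (syslog-ng.conf), not in the SYSLOG_NG_PARAMS variable, which only carries command-line options, and a source on its own stores nothing until a log statement routes it to a destination. The log file path is a constructed example.

```conf
# Added example (not from the original post): syslog-ng configuration
# for receiving a remote local2 stream on the SLES host 10.1.1.2.
# Assumptions: sender is 10.1.1.1, transport is TCP 514, syslog-ng 2.x.

# As posted: ip() in a tcp() source is the LOCAL address syslog-ng binds
# to, not the permitted sender, so binding to the remote host's address
# cannot succeed on a machine whose own address is 10.1.1.2.
# source s_tcp { tcp(ip(10.1.1.1) port(514)); };

# Corrected: bind to the server's own interface and listen on TCP 514.
source s_remote {
    tcp(ip(10.1.1.2) port(514));
};

# Keep only what the authorised sender emits on facility local2; anything
# else that reaches the port is not routed by the log path below.
filter f_from_sender { netmask(10.1.1.1/32); };
filter f_local2      { facility(local2); };

# Write the remote stream to its own file (constructed path). The kernel
# audit daemon, not syslog, owns /var/log/audit/audit.log, so remote
# syslog data will never appear there.
destination d_remote_local2 {
    file("/var/log/remote/10.1.1.1-local2.log"
         owner("root") group("root") perm(0640) create_dirs(yes));
};

# A source by itself stores nothing: this statement ties the source,
# the filters and the destination together.
log {
    source(s_remote);
    filter(f_from_sender);
    filter(f_local2);
    destination(d_remote_local2);
};
```

After reloading syslog-ng, a test message sent from 10.1.1.1 with facility local2 should appear in the new file, and tcpdump on port 514 together with the syslog-ng error log will show whether the bind or the routing is what fails.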