I have gone back and forth with reading, testing, and have very little hair left! Anyway, have 7 webservers which I wish to remote log just the weblogs. All webservers are running Ubuntu 8.10, syslog-ng. Command line was a bit tricky, so tried webmin, and did the following;
1st, simply removed the # in the #upd() on the server and restarted;
2nd setup log source, checked the selected stream box, and selected the 1st website access file to test /var/log/apache2/www.website1.com-access_log.
3rd, created log_destination, selected the syslog radio button, entered the local IP, selected UDP.
4th went to log_target, selected the source (step 2) and desination (step 3) and saved. When I restarted syslog-ng I get the following;
* Starting system logging syslog-ng Error binding socket; addr='AF_UNIX(/var/log/apache2/www.website1.com-access_log)', error='Address already in use (98)'
Error initializing source driver; source='website1_access'
[fail]
root@ws7:/var/log/apache2# lsof | grep
www.website1.com
apache2 12029 root 14w REG 8,1 15084543 2089517 /var/log/apache2/www.website1.com-error_log
apache2 12029 root 36w REG 8,1 3878226148 2089606 /var/log/apache2/www.website1.com-access_log
sys
So it seems that apache is still using/writing that log and I am not sure how to tell it to stop. It can't be remove it from the vhost as that is the file I said to stream. I have the client and server conf files up on a temp website, this really has me so confused and sure it's a simple thing!
http://www.darkerforce.com/syslog_server.conf
http://www.darkerforce.com/syslog_client.conf
note website1 is not the domain (did I really have to say that)! Shows how shot I am!
Thanks