In Ubuntu liegt die Datei hier: "/etc/syslog-ng/syslog-ng.conf"
globaler Bereich:
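options {
# Global options for this syslog-ng instance.
# Security-relevant choices below: file/dir permissions, DNS usage.
#
# disable the chained hostname format in logs
# (default is enabled)
chain_hostnames(0);
#
# the time to wait before a died connection is re-established
# (default is 60)
time_reopen(10);
#
# the time to wait before an idle destination file is closed
# (default is 60)
time_reap(360);
#
# the number of lines buffered before written to file
# you might want to increase this if your disk isn't catching up with
# all the log messages you get or if you want less disk activity
# (say on a laptop)
# (default is 0)
sync(0);
#
# the number of lines fitting in the output queue
log_fifo_size(2048);
#
# enable or disable directory creation for destination files
create_dirs(yes);
#
# default owner, group, and permissions for log files
# (defaults are 0, 0, 0600)
# 0640 + group adm: readable by admins, not by every local user
#owner(root);
group(adm);
perm(0640);
#
# default owner, group, and permissions for created directories
# (defaults are 0, 0, 0700)
#dir_owner(root);
#dir_group(root);
dir_perm(0755);
#
# enable or disable DNS usage
# syslog-ng blocks on DNS queries, so enabling DNS may lead to
# a Denial of Service attack: with the network sources below
# (udp/tcp on 0.0.0.0:514) any remote sender can trigger a reverse
# lookup per message, stalling the whole daemon while the resolver
# is slow or unreachable.
# DNS is therefore disabled here; remote senders are logged by IP
# ($HOST in the templates below carries the address, not a name).
# If resolved names are required, switch back to use_dns(yes) and
# keep dns_cache(yes) -- but only with the listener restricted to
# trusted hosts.
# (default is yes)
use_dns(no);
#use_dns(yes);
dns_cache(yes);
#
# maximum length of message in bytes
# this is only limited by the program listening on the /dev/log Unix
# socket, glibc can handle arbitrary length log messages, but -- for
# example -- syslogd accepts only 1024 bytes
# (default is 2048)
#log_msg_size(2048);
#
# Disable statistic log messages.
# (note: these also count dropped messages; re-enable if you need
# to detect queue overflow on the network sources)
stats_freq(0);
#
# Some programs send log messages through a private implementation,
# and sometimes that implementation is bad. If this happens syslog-ng
# may recognise the program name as hostname. With this option
# we tell syslog-ng that if a hostname matches this regexp then that
# is not a real hostname.
bad_hostname("^gconfd$");
};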
hier wird die Quelle definiert
Wichtig ist hier die Zeile mit "tcp": Sie öffnet einen unauthentifizierten Listener auf Port 514 auf ALLEN Interfaces (0.0.0.0). Jeder Host, der diesen Port erreicht, kann Log-Zeilen einspeisen; der Zugriff sollte daher per Firewall auf die bekannten Log-Clients beschränkt werden.
source s_all {
# Single source that collects local AND remote messages.
# Everything below is fed to every destination (file and MySQL pipe),
# so remote, unauthenticated input ends up in the same places as
# local trusted input.
#
# message generated by Syslog-NG
internal();
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
file("/proc/kmsg" log_prefix("kernel: "));
# use the following line if you want to receive remote UDP logging messages
# (this is equivalent to the "-r" syslogd flag)
# NOTE(review): no ip()/port() given, so this presumably binds all
# interfaces on 514/udp -- confirm for this syslog-ng version.
# UDP has no sender authentication at all: source addresses are
# trivially spoofable, so $HOST from this source is untrusted.
udp();
# Plain, unencrypted, unauthenticated TCP listener on ALL interfaces.
# Any host that can reach 514/tcp can inject arbitrary log lines
# (including forged $PROGRAM/$MSG values) and hold up to 100
# connections open. Restrict with a firewall to known log clients,
# or bind to an internal address instead of 0.0.0.0.
tcp(ip(0.0.0.0) port(514) max-connections(100));
};
hier wird noch in das klassische Log-File geschrieben (kann auf Wunsch entfernt werden)
destination d_syslog {
# Classic flat-file log. Explicit owner/group/perm override the global
# defaults; 0640 root:adm keeps the file unreadable to ordinary users.
file("/var/log/syslog" owner("root") group("adm") perm(0640));
};
log {
# Route everything from s_all (local + remote) into /var/log/syslog.
# No filter: remote senders can fill this file as well (disk-fill risk
# on an exposed listener), so keep logrotate and a size limit in place.
source(s_all);
destination(d_syslog);
};
hier wird in eine MySQL-DB geschrieben
### MySQL (Tabelle "$YEAR-$MONTH")
destination d_mysql {
# Writes one INSERT statement per message into a named pipe; a
# consumer (not shown here) is expected to feed the pipe to the
# mysql client. The table logs_$YEAR$MONTH must already exist for
# the current month or every INSERT for that month fails.
#
# SECURITY: $HOST, $PROGRAM and $MSG come straight from the network
# sources and are attacker-controlled. template-escape(yes) is the
# ONLY defence against SQL injection here -- it escapes the quote and
# backslash characters inside the macro values. Do not remove it, and
# do not add macros outside of quoted '...' values.
# NOTE(review): the FIFO lives in world-writable /tmp. A local user
# who creates /tmp/mysql.pipe first (or swaps it for a symlink) can
# read every log line or inject statements into the consumer. Prefer
# a root-owned directory with restrictive permissions for the pipe
# and adjust the consumer accordingly.
pipe("/tmp/mysql.pipe"
template("INSERT INTO logs_$YEAR$MONTH (host, facility, priority, level, tag, date,
time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL','$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
template-escape(yes));
};
log {
# Same unfiltered source as the flat file, now into the MySQL pipe.
# Remote input therefore reaches the database without any filter;
# consider a filter() on facility/host before this destination.
source(s_all);
destination(d_mysql);
};