Youza. First, mine is working fine, so there must be a path back. I collect logs from my TrueNAS servers, and a node and another Asus router connected via vpn, and it's been a while since I've used the scribe configuration.
The syslog-ng.conf that entware tries to install includes the scl directory and all that good stuff, which includes the default network drivers, and uses them to create a network source. That source collects the messages other devices send to the router.
interesting...
Scribe does it a different way, and uses the deprecated udp driver to define a source to collect network messages, and doesn't include the scl directory. But it also comments out that source, so by default scribe does not collect network messages.
Couple of interesting differences I see between my original (used to be) working -conf file and the newer syslog-ng.conf file from 3.36:
1) new has @include "scl.conf" code line enabled and in my old version it's commented out.
2) new -conf is lacking most of the helpful #comments and the only comment is:
log {
source(src);
source(net);
source(kernel);
destination(messages);
# uncomment this line to open port 514 to receive messages
source(s_network);
So I did...
I've modified my .conf file to include the default network drivers, so I do it the -ng way, not the Scribe way. It sounds to me like your config is doing the same, or at least trying to configure the default network drivers by including scl, and failing. Because it fails, it isn't starting the network drivers and that's why you aren't hearing the remote logging. But maybe it is also seeing the scribe parts that comment out those logging statements and source definitions.
Sorry, I wasn't clear... Remote logging IS working, but they are mixed in with the regular syslog.log (/opt/var/log/messages)
What isn't working are any of the /opt/etc/syslog.d/ filters. I checked the 3 I use with built-in examples - ioctl, ethernet and wlceventd, so their syntax requirements didn't change.
I feel the difference is in how the new syslog-ng.conf is structured and how it's passed through the internal plumbing.
In the original syslog-ng.conf, these comments were very helpful, and showed two distinctly different ways to use the remote listener.
Snippet from old -conf
# syslog-ng gets messages from the system, kernel, and syslog-ng (internal)
# DO NOT use system() source; causes issues on HND routers
# so_rcvbuf = maximum number of messages per second * 1024
source src {
unix-dgram("/dev/log" so_rcvbuf(65536) flags(syslog-protocol));
file("/proc/kmsg" program_override("kernel") flags(kernel));
internal();
# udp(ip(192.168.x.y) port(514)); # uncomment this line to pass all network messages through syslog-ng filters
};
#
# if you only want to pass network messages through some syslog-ng filters, uncomment the source line below
# then add "source(net);" to the log statement in any filter you want to pass network messages through
#source net { udp(ip(192.168.x.y) port(514)); };
source net { network( transport(udp) ); };
I chose the 2nd option because I created a new filter to capture everything from my mesh nodes into one file.
I'm fairly down in the weeds now, not sure how much help there is, I may just nuke and start all over, re-learning and trying each step one by one. And for the benefit of others who may have some anomaly like this.
Thanks
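The second option from the old comments (a separate `net` source that only chosen filters reference), written out as an added example that is not part of the original post or of Scribe's shipped files. The router and mesh node addresses, the log file path and the `d_mesh`/`f_mesh` names are assumptions.

```conf
# --- in syslog-ng.conf -------------------------------------------------
# Separate source for messages arriving over the network.
# Binding to the router's LAN address (assumed 192.168.50.1) keeps
# UDP 514 from listening on every interface.
source net {
    network(
        ip("192.168.50.1")
        transport("udp")
        port(514)
    );
};

# --- in a filter file under the include directory (hypothetical mesh.conf)
# Everything the mesh nodes send goes to one file.
destination d_mesh {
    file("/opt/var/log/mesh.log");
};

# Match on the sender's address; node addresses are constructed samples.
filter f_mesh {
    netmask("192.168.50.2/32") or netmask("192.168.50.3/32");
};

log {
    source(net);        # only this log path sees the network source
    filter(f_mesh);
    destination(d_mesh);
    flags(final);       # stop here so later log paths do not get a copy
};
```

`syslog-ng --syntax-only -f <config file>` parses the configuration without starting the daemon. `flags(final)` only keeps these messages out of the main log when this log statement is read before the catch-all one, and only if that catch-all does not get the same messages through another source.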