Well now both the client and server are running syslog-ng. I don't see anything on the server side who is going to collect from a few servers, but not sure how to debug or just test/watch the connection, etc. to try and see why there is no file creation/update.

The server config looks like;
options {
sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};

source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
udp(ip(0.0.0.0) port(514));
};

destination send_http_logs { file("/var/log/web.log"); };

filter send_http_logs {
program("httpd.*");
};

log {
source(s_sys);
filter(send_http_logs);
destination(send_http_logs);
};


The client looks like;
options {
sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};

source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
# udp(ip(0.0.0.0) port(514));
};

destination send_http_logs { udp("192.168.2.54" port(514)); };

filter send_http_logs {
program("httpd.*");
};

log {
source(s_sys);
filter(send_http_logs);
destination(send_http_logs);
};

Both servers are running syslog-ng (I assume syslog can still run as well). I would figure the server would have a file /var/log/web.log but nothing. I did create one, add perm's but still nothing, and I don't see anything jumping out in messages either.

Thanks.

you certainly *CAN'T* run them both at the same time. stop and uninstall sysklogd / syslogd & klogd and restart syslog-ng. if there are no obvious problems in general, use wireshark / tcpdump to watch for the actual netwrok traffic to find if it's a client or server issue. I wouldn't rely on program details in a filter on a remote server, only the local client. you should really use basic string matching or syslog prio / facility fields once your going across a network.