<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">I would favour a config like<br>
      <br>
      <div>log {<br>
        &nbsp;&nbsp;&nbsp;&nbsp;source(s_net_tcp);<br>
        &nbsp;&nbsp;&nbsp;&nbsp;channel { filter(f_pci); destination (d_splunk_PCI); };<br>
        &nbsp;&nbsp;&nbsp;&nbsp;channel { filter(f_pci); destination (d_sumo_PCI); };<br>
        &nbsp;&nbsp;&nbsp;&nbsp;channel { filter(f_pci); destination (d_secureworks); };<br>
        };<br>
      </div>
      <div><br>
        Although I think your config should work, I don't like the idea
        of "re-sourcing" the stream.<br>
        <br>
        Now that I look closer at what you have done, you are using the
        same filter, so it could be<br>
        <br>
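        <div>log {<br>
          &nbsp;&nbsp;&nbsp;&nbsp;source(s_net_tcp);<br>
          &nbsp;&nbsp;&nbsp;&nbsp;filter(f_pci);<br>
          &nbsp;&nbsp;&nbsp;&nbsp;destination (d_splunk_PCI);<br>
          &nbsp;&nbsp;&nbsp;&nbsp;destination (d_sumo_PCI);<br>
          &nbsp;&nbsp;&nbsp;&nbsp;destination (d_secureworks);<br>
          };<br>
        </div>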
        <div><br>
          <br>
          which takes the source, filters it and sends to all three
          destinations.<br>
          <br>
          Evan.<br>
        </div>
      </div>
      <br>
      <br>
      On 01/20/2018 07:28 AM, Scot wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAOxbc8FV694h9iCjmyd3G6TF6gFbRDgrofqcputAVx4P1naKdQ@mail.gmail.com">
      <div dir="ltr">Thanks Jim, 
        <div>I have 4 configs
          <div>sources.conf</div>
          <div>destinations.conf </div>
          <div>filters.conf</div>
          <div>log.conf </div>
          <div><br>
          </div>
          <div>Can't post them without revealing sensitive network info
            but wanted to make sure I wasn't assuming something should
            just work. </div>
          <div>I'll post more after I dig into it, but it seems to favor the
            first matching log destination when I switch the order and
            reload with syslog-ng-ctl. </div>
          <div><br>
          </div>
          <div>log { source(s_net_tcp); filter(f_pci); destination
            (d_splunk_PCI);};<br>
          </div>
          <div>log { source(s_net_tcp); filter(f_pci); destination
            (d_sumo_PCI);};<br>
          </div>
          <div>log { source(s_net_tcp); filter(f_pci); destination
            (d_secureworks);};<br>
          </div>
          <div><br>
          </div>
          <div><br>
          </div>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Fri, Jan 19, 2018 at 6:41 PM,
          james.r.hendrick <span dir="ltr">&lt;<a
              href="mailto:james.r.hendrick@gmail.com" target="_blank"
              moz-do-not-send="true">james.r.hendrick@gmail.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div>
              <div>It should work. Would you share the config?</div>
              <div>Jim</div>
              <div>
                <div class="h5">
                  <div><br>
                  </div>
                  <div style="font-size:100%;color:#000000">
                    <div>-------- Original message --------</div>
                    <div>From: Scot &lt;<a
                        href="mailto:scotrn@gmail.com" target="_blank"
                        moz-do-not-send="true">scotrn@gmail.com</a>&gt;
                    </div>
                    <div>Date: 1/19/18 4:23 PM (GMT-05:00) </div>
                    <div>To: Syslog-ng users' and developers' mailing
                      list &lt;<a
                        href="mailto:syslog-ng@lists.balabit.hu"
                        target="_blank" moz-do-not-send="true">syslog-ng@lists.balabit.hu</a>&gt;
                    </div>
                    <div>Subject: [syslog-ng] One source multiple
                      destinations ? </div>
                    <div><br>
                    </div>
                  </div>
                  <div dir="ltr">I'm having a problem where I am trying
                    to take  input source(s) and write them out to
                    multiple destinations.  
                    <div><br>
                    </div>
                    <div>Before I go barking up the wrong tree I just
                      wanted to make sure I wasn't missing something. </div>
                    <div><br>
                    </div>
                    <div>We should be able to take a source and send it
                      to file, elastic-search and SPLUNK and sumologic
                      all at the same time, right? </div>
                    <div><br>
                    </div>
                    <div>Troubleshooting an odd behavior where only one
                      network destination will work, but then when I switch
                      the order the other starts working.</div>
                    <div><br>
                    </div>
                    <div>I know it's vague but has anyone seen this
                      behavior? </div>
                    <div><br>
                    </div>
                    <div>Thanks </div>
                    <div>Scot </div>
                  </div>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
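    <div>Added example, not part of the original messages or of syslog-ng itself: a Python check over <code>syslog-ng-ctl stats</code> output that confirms each of the three destinations in the log path above is processing messages and not dropping them. The sample stats text and its counter values are constructed, and the semicolon-separated column layout is assumed to match the syslog-ng version in use.</div>

```python
import csv
import io

# Destinations named in the log path discussed in this thread.
EXPECTED = ("d_splunk_PCI", "d_sumo_PCI", "d_secureworks")

# Constructed sample of `syslog-ng-ctl stats` output; all values are invented.
SAMPLE_STATS = """\
SourceName;SourceId;SourceInstance;State;Type;Number
destination;d_splunk_PCI;;a;processed;4200
destination;d_sumo_PCI;;a;processed;0
destination;d_secureworks;;a;processed;4200
dst.network;d_splunk_PCI#0;tcp,192.0.2.10:514;a;dropped;0
dst.network;d_secureworks#0;tcp,192.0.2.30:514;a;dropped;17
"""


def destination_counters(stats_text):
    """Return {destination: {"processed": n, "dropped": n}} from stats text."""
    counters = {}
    for row in csv.DictReader(io.StringIO(stats_text), delimiter=";"):
        # Driver rows carry an instance suffix such as "d_sumo_PCI#0".
        name = row["SourceId"].split("#", 1)[0]
        kind, ctype, value = row["SourceName"], row["Type"], int(row["Number"])
        if kind == "destination" and ctype == "processed":
            counters.setdefault(name, {})["processed"] = value
        elif kind.startswith("dst.") and ctype == "dropped":
            per_dest = counters.setdefault(name, {})
            per_dest["dropped"] = per_dest.get("dropped", 0) + value
    return counters


def fanout_problems(stats_text, expected=EXPECTED):
    """List expected destinations that are missing, idle, or dropping."""
    counters = destination_counters(stats_text)
    problems = []
    for dest in expected:
        seen = counters.get(dest)
        if seen is None:
            problems.append((dest, "no counters found"))
        elif seen.get("processed", 0) == 0:
            problems.append((dest, "processed=0"))
        elif seen.get("dropped", 0) > 0:
            problems.append((dest, "dropped=%d" % seen["dropped"]))
    return problems


if __name__ == "__main__":
    print(fanout_problems(SAMPLE_STATS))
```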
  </body>
</html>