<div dir="ltr">Thanks for the feedback. <div><br></div><div>While looking at this I'm scratching my head. </div><div>If I am only getting UDP syslog from ASAs, then why does the sumo_asa filter still send data with this config? </div><div><br></div><div><br></div><div><div>source s_net_tcp {tcp(ip(0.0.0.0) port(514) max-connections(300) keep_hostname(yes) so_rcvbuf(262142) log_iw_size(25000)); };</div><div>source s_net_udp {syslog(ip(0.0.0.0) keep_hostname(yes) port(514) transport("udp") flags(no-hostname) so_rcvbuf(262142));};<br></div></div><div><br></div><div><div>filter f_sumo_asa {</div><div> host("192.168.1.101") or</div><div> host("192.168.1.102") or</div><div> host("192.168.1.103") or</div><div> host("192.168.1.104") or</div><div> host("192.168.1.105");};</div></div><div><br></div><div><br></div><div><div>log { source(s_net_udp);</div><div> channel {destination (d_file); };</div><div> #channel {filter(f_sumo_asa); destination (d_sumo_514);};<br></div><div> channel {filter(f_sumo_palto); destination (d_sumo_palto);};</div><div> channel {parser(pattern_db); destination (d_es);};</div><div>};</div><div><br></div><div>log { source(s_net_tcp);</div><div> channel {destination (d_file); };</div><div><b> channel {filter(f_sumo_asa); destination (d_sumo_514:);};</b></div><div> channel {filter(f_sumo_palto); destination (d_sumo_palto);};</div><div> channel {parser(pattern_db); destination (d_es);};</div><div>};</div></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 9, 2018 at 4:50 AM, Nagy, Gábor <span dir="ltr"><<a href="mailto:gabor.nagy@balabit.com" target="_blank">gabor.nagy@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi again!<div><br></div><div>What I left out is that if you need embedded log paths I would recommend using the `log` keyword explicitly rather than the `channel` keyword for clarity.</div><div><br></div><div>Regards,</div><div>Gabor</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 9, 2018 at 10:48 AM, Nagy, Gábor <span dir="ltr"><<a href="mailto:gabor.nagy@balabit.com" target="_blank">gabor.nagy@balabit.com</a>></span> wrote:<br><blockquote 
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Scot!<br><br>Yes, messages are copied because you wrote embedded log paths above.<div>The `channel` keyword is an alias (in some contexts) for the `log` keyword.</div><div>There are some rules that apply to embedded log paths:</div><div><a href="https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/concepts-embedded-logpaths.html" target="_blank">https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/concepts-embedded-logpaths.html</a><br></div><div><a href="https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-embedded-logpaths.html" target="_blank">https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-embedded-logpaths.html</a><br></div><div><br></div><div>If you need different processing on messages that are coming from the same source but their format could be different, you can use junctions and handle the messages differently.</div><div>One of the main differences between embedded log paths and junctions is that with junctions the different branches will be merged, therefore it is possible to have your messages duplicated.</div><div>Also, after a junction statement you can invoke any configuration blocks that could otherwise be applied (well, it's still context dependent: you still can't put a source after a destination block).</div><div><br></div><div>BR,</div><div>Gabor</div><div><br></div></div><div class="m_8504984480765606808HOEnZb"><div class="m_8504984480765606808h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 9, 2018 at 6:12 AM, Scot <span dir="ltr"><<a href="mailto:scotrn@gmail.com" target="_blank">scotrn@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 
.8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>T/F </div><div><br></div><div>On a log statement with 3 or more channels, would a <b>copy</b> of each message matching the filter be sent to that destination? </div><span><div><br></div><div><div dir="ltr"><div>log {<br> source(s_net_tcp); <br> channel { filter(f_allpci); destination (d_splunk_PCI); };<br> channel { filter(f_allpci); destination (d_sumo_PCI); };<br></div><div> channel { filter(f_swpci); destination (d_secureworks); };<br>}; </div></div><br></div><div> <br></div></span></div><div class="m_8504984480765606808m_4029743998855853098HOEnZb"><div class="m_8504984480765606808m_4029743998855853098h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 22, 2018 at 2:04 PM, Scot <span dir="ltr"><<a href="mailto:scotrn@gmail.com" target="_blank">scotrn@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>That was a bad example on my part. I will need unique filters for each destination. </div><div><br></div><div>log {<br> source(s_net_tcp); <br> channel { filter(f_allpci); destination (d_splunk_PCI); };<br> channel { filter(f_allpci); destination (d_sumo_PCI); };<br></div><div> channel { filter(f_swpci); destination (d_secureworks); };<br>}; </div></div><div class="m_8504984480765606808m_4029743998855853098m_-2438829722119929416HOEnZb"><div class="m_8504984480765606808m_4029743998855853098m_-2438829722119929416h5"><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jan 21, 2018 at 9:41 PM, Scot <span dir="ltr"><<a href="mailto:scotrn@gmail.com" target="_blank">scotrn@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Evan, <div>That's very helpful, is there somewhere these performance considerations are outlined? </div><div>The only thing I see related is 2.2.1 in the manual. </div><div><br></div><div>I'll try combining the destinations under one log statement in the morning. 
</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="m_8504984480765606808m_4029743998855853098m_-2438829722119929416m_2142926784378859052h5">On Sat, Jan 20, 2018 at 11:02 AM, Evan Rempel <span dir="ltr"><<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_8504984480765606808m_4029743998855853098m_-2438829722119929416m_2142926784378859052h5">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_8504984480765606808m_4029743998855853098m_-2438829722119929416m_2142926784378859052m_8945445071974058476m_3686659491037748065moz-cite-prefix">I would favour a config like<br>
<br>
<div>log {<br>
source(s_net_tcp); <br>
channel { filter(f_pci); destination (d_splunk_PCI); };<br>
channel { filter(f_pci); destination (d_sumo_PCI); };<br>
</div>
<div> channel { filter(f_pci); destination (d_secureworks); };<br>
};<br>
</div>
<div><br>
Although I think your config should work, I don't like the idea
of "re-sourcing" the stream.<br>
<br>
Now that I look closer at what you have done, you are using the
same filter, so it could be<br>
<br>
<div><span>log {<br>
source(s_net_tcp); <br>
filter(f_pci);<br>
destination (d_splunk_PCI);<br></span>
destination (d_sumo_PCI);<br>
</div>
<div> destination (d_secureworks);<br>
};<br>
</div>
<div><br>
<br>
which takes the source, filters it and sends to all three
destinations.<span class="m_8504984480765606808m_4029743998855853098m_-2438829722119929416m_2142926784378859052m_8945445071974058476HOEnZb"><font color="#888888"><br>
<br>
Evan.<br>
</font></span></div>
</div><div><div class="m_8504984480765606808m_4029743998855853098m_-2438829722119929416m_2142926784378859052m_8945445071974058476h5">
<br>
<br>
On 01/20/2018 07:28 AM, Scot wrote:<br>
</div></div></div><div><div class="m_8504984480765606808m_4029743998855853098m_-2438829722119929416m_2142926784378859052m_8945445071974058476h5">
<blockquote type="cite">
<div dir="ltr">Thanks Jim,
<div>I have 4 configs
<div>sources.conf</div>
<div>destinations.conf </div>
<div>filters.conf</div>
<div>log.conf </div>
<div><br>
</div>
<div>Can't post them without revealing sensitive network info
but wanted to make sure I wasn't assuming something should
just work. </div>
<div>I'll post more after I dig into it, but it seems to favor the
first matching log destination when I switch the order and
reload with syslog-ng-ctl. </div>
<div><br>
</div>
<div>log { source(s_net_tcp); filter(f_pci); destination
(d_splunk_PCI);};<br>
</div>
<div>log { source(s_net_tcp); filter(f_pci); destination
(d_sumo_PCI);};<br>
</div>
<div>log { source(s_net_tcp); filter(f_pci); destination
(d_secureworks);};<br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Jan 19, 2018 at 6:41 PM,
james.r.hendrick <span dir="ltr"><<a href="mailto:james.r.hendrick@gmail.com" target="_blank">james.r.hendrick@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>It should work. Would you share the config?</div>
<div>Jim</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div id="m_8504984480765606808m_4029743998855853098m_-2438829722119929416m_2142926784378859052m_8945445071974058476m_3686659491037748065m_5017559045485440611composer_signature">
<div style="font-size:85%;color:#575757" dir="auto">Sent
from my Verizon, Samsung Galaxy smartphone</div>
</div>
<div>
<div class="m_8504984480765606808m_4029743998855853098m_-2438829722119929416m_2142926784378859052m_8945445071974058476m_3686659491037748065h5">
<div><br>
</div>
<div style="font-size:100%;color:#000000">
<div>-------- Original message --------</div>
<div>From: Scot <<a href="mailto:scotrn@gmail.com" target="_blank">scotrn@gmail.com</a>>
</div>
<div>Date: 1/19/18 4:23 PM (GMT-05:00) </div>
<div>To: Syslog-ng users' and developers' mailing
list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a>>
</div>
<div>Subject: [syslog-ng] One source multiple
destinations ? </div>
<div><br>
</div>
</div>
<div dir="ltr">I'm having a problem where I am trying
to take input source(s) and write them out to
multiple destinations.
<div><br>
</div>
<div>Before I go barking up the wrong tree I just
wanted to make sure I wasn't missing something. </div>
<div><br>
</div>
<div>We should be able to take a source and send it
to file, elastic-search, SPLUNK and sumologic
all at the same time, right? </div>
<div><br>
</div>
<div>Troubleshooting an odd behavior where only one
network destination will work, but when I switch
the order the other starts working.</div>
<div><br>
</div>
<div>I know it's vague but has anyone seen this
behavior? </div>
<div><br>
</div>
<div>Thanks </div>
<div>Scot </div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
</div></div></div>
<br></div></div><span>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=syslog<wbr>-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
<br></span></blockquote></div><br></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div>
<br>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div>
<br>
<br></blockquote></div><br></div>
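<div>The following configuration is an added example that is not part of the thread and not code from the syslog-ng project. It gathers the three fan-out patterns the thread discusses (a single filter feeding several destinations, per-destination filters as embedded log paths written with <code>log</code> rather than <code>channel</code>, and a junction) and adds a diagnostic log path for the kind of question raised in the last message, where a <code>host()</code> filter matches on a path the sender was not expected to use. The source, filter and destination names are the ones used in the thread and are assumed to be defined in the split files sources.conf, filters.conf and destinations.conf; <code>d_debug</code>, its file path and its template are hypothetical.</div>

```conf
# Added example, not code from the thread or from the syslog-ng project.
# Assumes s_net_tcp, s_net_udp, f_pci, f_allpci, f_swpci, f_sumo_asa,
# d_splunk_PCI, d_sumo_PCI, d_secureworks and d_file are defined in
# sources.conf / filters.conf / destinations.conf (names from the thread).
# d_debug and its path are hypothetical.

# 1. One filter, several destinations (the form Evan recommends).
#    f_pci is evaluated once; every message that passes it is delivered
#    to all three destinations.
log {
    source(s_net_tcp);
    filter(f_pci);
    destination(d_splunk_PCI);
    destination(d_sumo_PCI);
    destination(d_secureworks);
};

# 2. A different filter per destination, as embedded log paths.
#    Each nested log path receives its own copy of every message from
#    the source, so a message matching both f_allpci and f_swpci reaches
#    all three destinations. The nested paths use `log` rather than the
#    `channel` alias, as Gabor suggests, to make the nesting explicit.
log {
    source(s_net_tcp);
    log { filter(f_allpci); destination(d_splunk_PCI); };
    log { filter(f_allpci); destination(d_sumo_PCI); };
    log { filter(f_swpci);  destination(d_secureworks); };
};

# 3. Junction: the branches are merged back into one stream before
#    d_file, so a message matching more than one branch would reach
#    d_file once per matching branch. flags(final) on the first branch
#    keeps a message accepted there from being offered to the later
#    branch, which avoids that duplication.
log {
    source(s_net_tcp);
    junction {
        channel { filter(f_swpci);  destination(d_secureworks); flags(final); };
        channel { filter(f_allpci); destination(d_splunk_PCI); };
    };
    destination(d_file);
};

# 4. Diagnostic path for "why does f_sumo_asa still match on the TCP
#    path?": host() compares against the HOST field of the parsed
#    message, not against the transport the message arrived on, so log
#    which source statement received it, what HOST was set to, and the
#    sender's address. Remove this path once the question is answered;
#    it writes an extra copy of every matching message.
destination d_debug {
    file("/var/log/syslog-ng/f_sumo_asa-debug.log"
         template("${ISODATE} source=${SOURCE} host=${HOST} sourceip=${SOURCEIP} ${MSG}\n"));
};
log {
    source(s_net_tcp);
    source(s_net_udp);
    filter(f_sumo_asa);
    destination(d_debug);
};
```

<div>Check the file with <code>syslog-ng --syntax-only</code> before reloading. In the diagnostic output, a line whose <code>source=</code> is s_net_tcp but whose <code>host=</code> is one of the ASA addresses shows that some TCP sender carries an ASA hostname in its message header (or that keep_hostname/DNS settings set HOST to that value), which is exactly what <code>host()</code> matches on; the <code>sourceip=</code> column then identifies the actual sender.</div>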