<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><br></div><div>So then my log statement where I DON'T want duplicate copies would look something like:</div><div><br></div><div><br></div><div>filter f_wineventlog_DC { "${type}" eq "wineventlog" and "${tag1}" eq "DC" };</div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">filter f_wineventlog_PCI { "${type}" eq "wineventlog" and "${tag1}" eq "PCI" };</span><br></div><div><br></div><div>
<span></span>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;line-height:normal;font-family:Helvetica">log { source(s_logstash); </p><p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;line-height:normal;font-family:Helvetica"> parser {json-parser();};</p><p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;line-height:normal;font-family:Helvetica"> filter(f_<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">wineventlog_DC</span>); </p><p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;line-height:normal;font-family:Helvetica"> destination(d_wineventlog_DC);</p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;line-height:normal;font-family:Helvetica"> log { filter("example"); destination(d_file2); };</p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;line-height:normal;font-family:Helvetica">};</p>
<br></div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="gmail-h5"><div dir="ltr"><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"></div></div></blockquote></div><div>output{</div><div><div><div> if [type]=="wineventlog" and "DC" in [tags] {</div><div> tcp {</div><div> host => "loghost"</div><div> port => "5142"</div><div> mode => "client"</div><div> codec => "json_lines"</div><div> }</div><div> } else if [type]=="wineventlog" and "PCI" in [tags] {</div><div> tcp {</div><div> host => "loghost"</div><div> port => "5141"</div><div> mode => "client"</div><div> codec => "json_lines"</div><div> }</div><div> } else if [type]=="wineventlog" {</div><div> tcp {</div><div> host => "loghost"</div><div> port => "5140"</div><div> mode => "client"</div><div> codec => "json_lines"</div><div> }</div><div> } else if [type]=="filebeat" and "apache" in [tags] {</div><div> tcp {</div><div> host => "loghost"</div><div> port => "5145"</div><div> mode => "client"</div><div> codec => "json_lines"</div><div> }</div><div> } else if [type]=="filebeat" and "PCI" in [tags] {</div><div> tcp {</div><div> host => "loghost"</div><div> port => "5144"</div><div> mode => "client"</div><div> codec => "json_lines"</div><div> }</div><div> } else if [type]=="filebeat" {</div><div> tcp {</div><div> host => "loghost"</div><div> port => 
"5143"</div><div> mode => "client"</div><div> codec => "json_lines"</div><div> }</div><div> } else {</div><div> file {</div><div> path => "/opt/syslog-ng/logs/logstash/%{host}-%{+YYYY-MM-dd}.json"</div><div> codec => "json_lines"</div><div> }</div><div>}</div><div>}</div></div></div></div>
<br></div></div>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=<wbr>syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
<br></blockquote></div></div>
<br></blockquote></div><br></div></div>