
<div dir="auto">There's an in-list() filter iirc for that purpose.<div dir="auto"><br></div><div dir="auto">Also there's a Splunk Collector for syslog, which is syslog-ng based. It might be useful to check out how that approaches the sourcetype problem, even if you end up using something different.</div><div dir="auto"><br></div><div dir="auto"><a href="https://splunkbase.splunk.com/app/4740/">https://splunkbase.splunk.com/app/4740/</a><br></div><div dir="auto"><br></div><div dir="auto">The native syslog-ng solution would be to use app-parser() and IP based filtering to map fields to Splunk. App-parser() can hide details such as db-parser or kv-parser on an app by app basis.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 12, 2021, 16:59 Peter Griggs <<a href="mailto:peter@petergriggs.co.uk">peter@petergriggs.co.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


<div lang="EN-GB" link="#0563C1" vlink="#954F72">

<div class="m_35163702860263905WordSection1">

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Hiya,<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks for this – most useful.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Is it possible to lookup the IP Addresses from a list (we are likely to be talking in the range of hundreds of addresses)<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Pete.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>

<div>

<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">

<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng-bounces@lists.balabit.hu</a>>

<b>On Behalf Of </b>Attila Szakacs (aszakacs)<br>

<b>Sent:</b> 12 January 2021 14:11<br>

<b>To:</b> Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng@lists.balabit.hu</a>><br>

<b>Subject:</b> Re: [syslog-ng] Filtering Destination by Source<u></u><u></u></span></p>

</div>

</div>

<p class="MsoNormal"><u></u> <u></u></p>

<div>

<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">Hi Peter,<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">If the decision can be made with the source IP or hostname, it is pretty easy to do.<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">You can create multiple filters, each corresponding to one known source IP: netmask(), or hostname: host().<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">Then you can create embedded log statements. Don't forget to add flags(final), or it will flow through that branch.<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">An example configuration:<u></u><u></u></span></p>

</div>

<div>

<div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">@version: 3.30<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u> <u></u></span></p>

</div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"># One network source, which collects logs from various hosts<u></u><u></u></span></p>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">source s_network {<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    network(port(12345))</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">}</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u> <u></u></span></p>

</div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"># One known host, with the IP 127.0.0.1<u></u><u></u></span></p>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">filter f_host1 {<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    netmask(</span><span style="font-size:10.5pt;font-family:"Courier New";color:#ce9178">"127.0.0.1"</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">)</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">}</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u> <u></u></span></p>

</div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"># Another known host with the IP 127.0.0.2<u></u><u></u></span></p>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">filter f_host2 {<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    netmask(</span><span style="font-size:10.5pt;font-family:"Courier New";color:#ce9178">"127.0.0.2"</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">)</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">}</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u> <u></u></span></p>

</div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"># The destination, where host1's logs will be forwarded to<u></u><u></u></span></p>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">destination d_network1 {<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    network(</span><span style="font-size:10.5pt;font-family:"Courier New";color:#ce9178">"localhost"</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"> port(23456))</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">}</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4;background:#1e1e1e"><u></u> <u></u></span></p>

</div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4;background:#1e1e1e"># The destination, where host2's logs will be forwarded to</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">destination d_network2 {<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    network(</span><span style="font-size:10.5pt;font-family:"Courier New";color:#ce9178">"localhost"</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"> port(23457))</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">}</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u> <u></u></span></p>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">log {<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    source(s_network)</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u> <u></u></span></p>

</div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    # First branch, for host1 -> destination1<u></u><u></u></span></p>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    log {<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">        filter(f_host1)</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">        destination(d_network1)</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">        flags(final)</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">; # Don't forget to

 stop processing</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    }</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u> <u></u></span></p>

</div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    # Second branch, for host2 -> destination2<u></u><u></u></span></p>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    log {<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">        filter(f_host2)</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">        destination(d_network2)</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">        flags(final)</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">; <span style="background:#1e1e1e">#

 Don't forget to stop processing</span></span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    }</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">}</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

</div>

<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">You can use inline filters too, if it is more convenient. With this, you do not need to define f_host1 and f_host2:<u></u><u></u></span></p>

</div>

<div>

<div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">log {<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    source(s_network)</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u> <u></u></span></p>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">   

</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955"># First branch, for 127.0.0.1 -> destination1</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    log {<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">        filter { netmask(</span><span style="font-size:10.5pt;font-family:"Courier New";color:#ce9178">"127.0.0.1"</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">)</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;

 };</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">        destination(d_network1)</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">        flags(final)</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">; # Don't forget to

 stop processing</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    }</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u> <u></u></span></p>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">   

</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955"># Second branch, for 127.0.0.2 -> destination2</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    log {<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">        filter { netmask(</span><span style="font-size:10.5pt;font-family:"Courier New";color:#ce9178">"127.0.0.2"</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">)</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;

 };</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">        destination(d_network2)</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">        flags(final)</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">; # Don't forget to

 stop processing</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">    }</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="line-height:14.25pt;background:#1e1e1e"><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4">}</span><span style="font-size:10.5pt;font-family:"Courier New";color:#6a9955">;</span><span style="font-size:10.5pt;font-family:"Courier New";color:#d4d4d4"><u></u><u></u></span></p>

</div>

</div>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">Cheers,<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">Attila<u></u><u></u></span></p>

</div>

<div class="MsoNormal" align="center" style="text-align:center">

<hr size="2" width="98%" align="center">

</div>

<div id="m_35163702860263905divRplyFwdMsg">

<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng-bounces@lists.balabit.hu</a>>

 on behalf of Peter Griggs <<a href="mailto:peter@petergriggs.co.uk" target="_blank" rel="noreferrer">peter@petergriggs.co.uk</a>><br>

<b>Sent:</b> Tuesday, January 12, 2021 2:31 PM<br>

<b>To:</b> Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng@lists.balabit.hu</a>><br>

<b>Subject:</b> [syslog-ng] Filtering Destination by Source</span> <u></u><u></u></p>

<div>

<p class="MsoNormal"> <u></u><u></u></p>

</div>

</div>

<div>

<div style="border:solid #9c6500 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt">

<p class="MsoNormal" style="line-height:12.0pt;background:#ffeb9c"><b><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:#9c6500">CAUTION:</span></b><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:black"> This email originated

 from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.<u></u><u></u></span></p>

</div>

<p class="MsoNormal"><u></u> <u></u></p>

<div>

<div>

<p class="m_35163702860263905xmsonormal">Hello,<u></u><u></u></p>

<p class="m_35163702860263905xmsonormal"> <u></u><u></u></p>

<p class="m_35163702860263905xmsonormal">We have a lot of network logs all being pointed to a central syslog however this is a mix of vendors (Cisco / Juniper / Checkpoint) etc. is there a way of splitting the destination file by vendor type / or source IP address? We ingest

 this data into Splunk so want to get the source typing right however I am unable to get the sources to point to various listeners and I would prefer.<u></u><u></u></p>

<p class="m_35163702860263905xmsonormal"> <u></u><u></u></p>

<p class="m_35163702860263905xmsonormal">Thanks<u></u><u></u></p>

<p class="m_35163702860263905xmsonormal">Peter.<u></u><u></u></p>

</div>

</div>

</div>

</div>

</div>


______________________________________________________________________________<br>

Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>

Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>

FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>

<br>

</blockquote></div>