That was a bad example on my part. I will need unique filters for each destination.  

log {
    source(s_net_tcp); 
    channel { filter(f_allpci); destination (d_splunk_PCI); };
    channel { filter(f_allpci); destination (d_sumo_PCI); };
    channel { filter(f_swpci); destination (d_secureworks); };
}; 

On Sun, Jan 21, 2018 at 9:41 PM, Scot <scotrn@gmail.com> wrote:
Evan, 
That's very helpful. Is there somewhere these performance considerations are outlined? 
The only thing I see related is 2.2.1 in the manual. 

I'll try combining the destinations under one log statement in the morning. 


On Sat, Jan 20, 2018 at 11:02 AM, Evan Rempel <erempel@uvic.ca> wrote:
I would favour a config like

log {
    source(s_net_tcp);
    channel { filter(f_pci); destination (d_splunk_PCI); };
    channel { filter(f_pci); destination (d_sumo_PCI); };
    channel { filter(f_pci); destination (d_secureworks); };
};

Although I think your config should work, I don't like the idea of "re-sourcing" the stream.

Now that I look closer at what you have done, you are using the same filter, so it could be

log {
    source(s_net_tcp);
    filter(f_pci);
    destination (d_splunk_PCI);
    destination (d_sumo_PCI);
    destination (d_secureworks);
};


which takes the source, filters it and sends to all three destinations.

Evan.


On 01/20/2018 07:28 AM, Scot wrote:
Thanks, Jim. 
I have 4 configs:
sources.conf
destinations.conf 
filters.conf
log.conf 

Can't post them without revealing sensitive network info, but wanted to make sure I wasn't assuming something should just work. 
I'll post more after I dig into it, but it seems to favor the first matching log destination when I switch the order and reload with syslog-ng-ctl. 

log { source(s_net_tcp); filter(f_pci); destination (d_splunk_PCI);};
log { source(s_net_tcp); filter(f_pci); destination (d_sumo_PCI);};
log { source(s_net_tcp); filter(f_pci); destination (d_secureworks);};



On Fri, Jan 19, 2018 at 6:41 PM, james.r.hendrick <james.r.hendrick@gmail.com> wrote:
It should work. Would you share the config?
Jim




-------- Original message --------
From: Scot <scotrn@gmail.com>
Date: 1/19/18 4:23 PM (GMT-05:00)
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] One source multiple destinations ?

I'm having a problem where I am trying to take input source(s) and write them out to multiple destinations. 

Before I go barking up the wrong tree I just wanted to make sure I wasn't missing something. 

We should be able to take a source and send it to file, Elasticsearch, Splunk and Sumo Logic all at the same time, right? 

Troubleshooting an odd behavior where only one network destination will work, but when I switch the order the other starts working.

I know it's vague but has anyone seen this behavior? 

Thanks 
Scot 
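A complete, self-contained version of Evan's single-log-statement approach combined with Scot's per-destination filters, added here as an example that is not from the thread or from the syslog-ng project. The source port, host pattern and file-based destinations are assumed placeholders standing in for the real Splunk, Sumo Logic and Secureworks forwarders, and the channels sit inside a junction, which is where syslog-ng's grammar places them.

```syslog-ng
@version: 3.13
# Version line is assumed; set it to the installed syslog-ng release.

# keep_hostname(yes) keeps the hostname carried in the message, so the
# host() filter below matches what the sender wrote, not the relay's address.
options { keep_hostname(yes); };

# Source: syslog over TCP, standing in for the thread's s_net_tcp (definition assumed).
source s_net_tcp {
    network(transport("tcp") port(514));
};

# Filters: f_allpci selects the PCI hosts (pattern is a placeholder);
# f_swpci is the narrower subset that goes to Secureworks.
filter f_allpci { host("^pci-"); };
filter f_swpci  { filter(f_allpci) and facility(auth, authpriv); };

# Destinations: file stand-ins so the config runs anywhere; replace with the
# real forwarders for Splunk, Sumo Logic and Secureworks.
destination d_splunk_PCI  { file("/var/log/syslog-ng/splunk-pci.log"); };
destination d_sumo_PCI    { file("/var/log/syslog-ng/sumo-pci.log"); };
destination d_secureworks { file("/var/log/syslog-ng/secureworks.log"); };

# The source is read once; each channel applies its own filter and destination,
# so one message can reach all three. No log statement here carries
# flags(final): with it, a message matched by one statement would not be
# offered to later statements on the same source, and those destinations
# would silently receive nothing.
log {
    source(s_net_tcp);
    junction {
        channel { filter(f_allpci); destination(d_splunk_PCI); };
        channel { filter(f_allpci); destination(d_sumo_PCI); };
        channel { filter(f_swpci);  destination(d_secureworks); };
    };
};
```

Check the file before reloading with `syslog-ng --syntax-only -f /path/to/this.conf`, which reports grammar errors without touching the running instance.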


______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq