So then my log statement where I DON'T want duplicate copies would look something like:

filter f_wineventlog_DC { "${type}" eq "wineventlog" and "${tag1}" eq "DC" };
filter f_wineventlog_PCI { "${type}" eq "wineventlog" and "${tag1}" eq "PCI" };

log {
    source(s_logstash);
    parser { json-parser(); };
    filter(f_wineventlog_DC);
    destination(d_wineventlog_DC);
    log { filter("example"); destination(d_file2); };
};
______________________________

output {
  if [type] == "wineventlog" and "DC" in [tags] {
    tcp {
      host => "loghost"
      port => "5142"
      mode => "client"
      codec => "json_lines"
    }
  } else if [type] == "wineventlog" and "PCI" in [tags] {
    tcp {
      host => "loghost"
      port => "5141"
      mode => "client"
      codec => "json_lines"
    }
  } else if [type] == "wineventlog" {
    tcp {
      host => "loghost"
      port => "5140"
      mode => "client"
      codec => "json_lines"
    }
  } else if [type] == "filebeat" and "apache" in [tags] {
    tcp {
      host => "loghost"
      port => "5145"
      mode => "client"
      codec => "json_lines"
    }
  } else if [type] == "filebeat" and "PCI" in [tags] {
    tcp {
      host => "loghost"
      port => "5144"
      mode => "client"
      codec => "json_lines"
    }
  } else if [type] == "filebeat" {
    tcp {
      host => "loghost"
      port => "5143"
      mode => "client"
      codec => "json_lines"
    }
  } else {
    file {
      path => "/opt/syslog-ng/logs/logstash/%{host}-%{+YYYY-MM-dd}.json"
      codec => "json_lines"
    }
  }
}

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq