If you add flags(final) to each of the log statements you won't get duplication.

Also, master already has support for the if statement, that should be released in 3.15.

if ("$type" eq "DC") {
  destination { file(...); };
} elif (...) {
  ...
} else {
};

That's more readable and achieves roughly the same.

On Apr 3, 2018 21:25, "Scot" <scotrn@gmail.com> wrote:

So then my log statement where I DON'T want duplicate copies would look something like. 


filter f_wineventlog_DC   { "${type}" eq "wineventlog" and "${tag1}" eq "DC" };
filter f_wineventlog_PCI  { "${type}" eq "wineventlog" and "${tag1}" eq "PCI" };

log {
     source(s_logstash);
     parser { json-parser(); };
     filter(f_wineventlog_DC);
     destination(d_wineventlog_DC);
     log { filter("example"); destination(d_file2); };
};

output{
  if [type]=="wineventlog" and "DC" in [tags] {
    tcp {
    host => "loghost"
    port => "5142"
    mode => "client"
    codec => "json_lines"
    }
  } else if [type]=="wineventlog" and "PCI" in [tags] {
    tcp {
    host => "loghost"
    port => "5141"
    mode => "client"
    codec => "json_lines"
    }
  } else if [type]=="wineventlog" {
    tcp {
    host => "loghost"
    port => "5140"
    mode => "client"
    codec => "json_lines"
    }
  } else if [type]=="filebeat" and "apache" in [tags] {
    tcp {
    host => "loghost"
    port => "5145"
    mode => "client"
    codec => "json_lines"
    }
  } else if [type]=="filebeat" and "PCI" in [tags] {
    tcp {
    host => "loghost"
    port => "5144"
    mode => "client"
    codec => "json_lines"
    }
  } else if [type]=="filebeat" {
    tcp {
    host => "loghost"
    port => "5143"
    mode => "client"
    codec => "json_lines"
    }
  } else {
    file {
    path => "/opt/syslog-ng/logs/logstash/%{host}-%{+YYYY-MM-dd}.json"
    codec => "json_lines"
    }
  }
}

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
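
The flags(final) suggestion from the reply, written out as an added example (not code from the thread or from the syslog-ng project). Only s_logstash, d_wineventlog_DC and the two filter names come from the thread; the other names, the listening port choice and the file paths are assumptions, and ${tag1} is assumed to be a top-level string field in the JSON that Logstash sends.

```conf
# Added example: one TCP source, most specific log path first, flags(final) on each.
# Assumed: Logstash sends json_lines to this port; paths below are constructed.
source s_logstash {
    network(transport("tcp") port(5140) flags(no-parse));  # one JSON document per line
};

filter f_wineventlog_DC  { "${type}" eq "wineventlog" and "${tag1}" eq "DC" };
filter f_wineventlog_PCI { "${type}" eq "wineventlog" and "${tag1}" eq "PCI" };
filter f_wineventlog     { "${type}" eq "wineventlog" };   # assumed catch-all for the type

destination d_wineventlog_DC  { file("/var/log/example/wineventlog-dc.json"  template("${MESSAGE}\n")); };
destination d_wineventlog_PCI { file("/var/log/example/wineventlog-pci.json" template("${MESSAGE}\n")); };
destination d_wineventlog     { file("/var/log/example/wineventlog.json"     template("${MESSAGE}\n")); };
destination d_unmatched       { file("/var/log/example/unmatched.json"       template("${MESSAGE}\n")); };

# flags(final) stops a matched message from reaching any LATER log path,
# so the tagged paths must come before the untagged wineventlog path.
log {
    source(s_logstash);
    parser { json-parser(); };
    filter(f_wineventlog_DC);
    destination(d_wineventlog_DC);
    flags(final);
};

log {
    source(s_logstash);
    parser { json-parser(); };
    filter(f_wineventlog_PCI);
    destination(d_wineventlog_PCI);
    flags(final);
};

log {
    source(s_logstash);
    parser { json-parser(); };
    filter(f_wineventlog);
    destination(d_wineventlog);
    flags(final);
};

# No parser or filter here: anything the paths above did not claim,
# including lines that failed JSON parsing, is kept instead of dropped.
log {
    source(s_logstash);
    destination(d_unmatched);
};
```

Because final only affects log paths that appear later in the file, moving the untagged wineventlog path above the DC or PCI paths would send every Windows event to d_wineventlog and leave the tagged destinations empty.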