Hi again!

What I left out is that if you need embedded log paths I would recommend using the `log` keyword explicitly rather than the `channel` keyword for clarity.

Regards,
Gabor

On Fri, Mar 9, 2018 at 10:48 AM, Nagy, Gábor <gabor.nagy@balabit.com> wrote:
Hi Scot!

Yes, messages are copied because you wrote embedded log paths above.
The `channel` keyword is an alias (in some contexts) for the `log` keyword.
There are some rules that apply to embedded log paths:
https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/concepts-embedded-logpaths.html
https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-embedded-logpaths.html

If you need different processing on messages that come from the same source but whose format could be different, you can use junctions and handle the messages differently.
One of the main differences between embedded log paths and junctions is that with junctions the different branches will be merged, therefore it is possible to have your messages duplicated.
Also after a junction statement you can invoke any configuration blocks that could be otherwise applied (well it's still context dependent, you still can't put a source after a destination block).

BR,
Gabor
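The two shapes Gabor describes above, written out as an added example (this is not configuration from the thread or from the syslog-ng project). The source, filter and destination names are assumed to be defined elsewhere in the configuration, as Scot's sources.conf, filters.conf and destinations.conf would; `d_file_catchall` is a hypothetical extra destination used only to show what continues after a junction.

```conf
# Added example, not from the thread. s_net_tcp, f_allpci, f_swpci,
# d_splunk_PCI, d_sumo_PCI and d_secureworks are assumed to exist;
# d_file_catchall is a hypothetical destination for this example only.

# (1) Embedded log paths, spelled with the `log` keyword as Gabor suggests.
#     Each inner path gets its own copy of every message from s_net_tcp, so a
#     message that matches both f_allpci and f_swpci reaches all three
#     destinations. Nothing is merged back; this is the intended fan-out.
log {
    source(s_net_tcp);
    log { filter(f_allpci); destination(d_splunk_PCI); };
    log { filter(f_allpci); destination(d_sumo_PCI); };
    log { filter(f_swpci);  destination(d_secureworks); };
};

# (2) A junction. The branches are merged back into the outer path, so a
#     message that passes through two channels leaves the junction twice and
#     anything placed after the junction receives it twice. flags(final) on
#     a channel stops later channels from processing a message it handled,
#     so the more specific branch is listed first.
log {
    source(s_net_tcp);
    junction {
        channel { filter(f_swpci);  destination(d_secureworks); flags(final); };
        channel { filter(f_allpci); destination(d_splunk_PCI);
                  destination(d_sumo_PCI); flags(final); };
    };
    # Blocks may follow a junction; only messages no channel finalised
    # arrive here, and each arrives once.
    destination(d_file_catchall);
};
```

Use shape (1) when every matching destination should receive a copy, as in Scot's case; use a junction only when the branches are alternatives and something downstream must see each message exactly once.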


On Fri, Mar 9, 2018 at 6:12 AM, Scot <scotrn@gmail.com> wrote:
T/F

On a log statement with 3 or more channels, would a copy of each message matching the filter be sent to that destination?

log {
    source(s_net_tcp); 
    channel { filter(f_allpci); destination (d_splunk_PCI); };
    channel { filter(f_allpci); destination (d_sumo_PCI); };
    channel { filter(f_swpci); destination (d_secureworks); };
}; 

On Mon, Jan 22, 2018 at 2:04 PM, Scot <scotrn@gmail.com> wrote:
That was a bad example on my part. I will need unique filters for each destination.  

log {
    source(s_net_tcp); 
    channel { filter(f_allpci); destination (d_splunk_PCI); };
    channel { filter(f_allpci); destination (d_sumo_PCI); };
    channel { filter(f_swpci); destination (d_secureworks); };
}; 

On Sun, Jan 21, 2018 at 9:41 PM, Scot <scotrn@gmail.com> wrote:
Evan,
That's very helpful, is there somewhere these performance considerations are outlined?
Only thing I see related is 2.2.1 in the manual.

I'll try combining the destinations under one log statement in the morning.


On Sat, Jan 20, 2018 at 11:02 AM, Evan Rempel <erempel@uvic.ca> wrote:
I would favour a config like

log {
    source(s_net_tcp);
    channel { filter(f_pci); destination (d_splunk_PCI); };
    channel { filter(f_pci); destination (d_sumo_PCI); };
    channel { filter(f_pci); destination (d_secureworks); };
};

Although I think your config should work I don't like the idea of "re-sourcing" the stream.

Now that I look closer at what you have done, you are using the same filter, so it could be

log {
    source(s_net_tcp);
    filter(f_pci);
    destination (d_splunk_PCI);
    destination (d_sumo_PCI);
    destination (d_secureworks);
};


which takes the source, filters it and sends to all three destinations.

Evan.


On 01/20/2018 07:28 AM, Scot wrote:
Thanks Jim, 
I have 4 configs
sources.conf
destinations.conf 
filters.conf
log.conf 

Can't post them without revealing sensitive network info but wanted to make sure I wasn't assuming something should just work. 
I'll post more after I dig into it but seems to favor the first matching log destination when I switch the order and reload with syslog-ng-ctl. 

log { source(s_net_tcp); filter(f_pci); destination (d_splunk_PCI);};
log { source(s_net_tcp); filter(f_pci); destination (d_sumo_PCI);};
log { source(s_net_tcp); filter(f_pci); destination (d_secureworks);};



On Fri, Jan 19, 2018 at 6:41 PM, james.r.hendrick <james.r.hendrick@gmail.com> wrote:
It should work. Would you share the config?
Jim




-------- Original message --------
From: Scot <scotrn@gmail.com>
Date: 1/19/18 4:23 PM (GMT-05:00)
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] One source multiple destinations ?

I'm having a problem where I am trying to take input source(s) and write them out to multiple destinations.

Before I go barking up the wrong tree I just wanted to make sure I wasn't missing something. 

We should be able to take a source and send it to file, Elasticsearch, Splunk and Sumo Logic all at the same time, right?

Troubleshooting an odd behavior where only one network destination will work, but when I switch the order the other starts working.

I know it's vague but has anyone seen this behavior? 

Thanks 
Scot 


______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
