I am trying to configure syslog-ng to send multiple JSON-formatted logs to a RabbitMQ endpoint.

The consumer for the logs checks for a particular field to determine the type of log it is.
However, I can't seem to figure out how to send all the different logs, as the field it checks is "source", which I add using --pair within the format-json template.

destination d_amqp_ssh {
    amqp(
        vhost("/")
        host("mozdefqa2.private.scl3.mozilla.com")
        port(5672)
        exchange("eventtask")
        exchange-type("direct")
        routing-key("eventtask")
        body("$(format-json --scope nv_pairs --pair category=\"bro\" --pair source=\"ssh\" --pair customendpoint=\" \" --pair tags=\"bro\")")
        persistent(no)
        username("guest")
        password("guest")
    );
};

So I added another destination with the name d_amqp_conn, and its source field value is "conn" and the amqp endpoint is the same host as the ssh log.

But syslog-ng fails to start with this particular setup. It seems to not like having more than one amqp destination.

How would something like this typically be solved?

--

Alicia Smith
@phrozyn
Information Security Engineer