Hi Peter,

If the decision can be made with the source IP or hostname, it is pretty easy to do.

You can create multiple filters, each corresponding to one known source IP: netmask(), or hostname: host().
Then you can create embedded log statements. Don't forget to add flags(final), or it will flow through that branch.

An example configuration:
@version: 3.30

# One network source, which collects logs from various hosts
source s_network {
    network(port(12345));
};

# One known host, with the IP 127.0.0.1
filter f_host1 {
    netmask("127.0.0.1");
};

# Another known host with the IP 127.0.0.2
filter f_host2 {
    netmask("127.0.0.2");
};

# The destination, where host1's logs will be forwarded to
destination d_network1 {
    network("localhost" port(23456));
};

# The destination, where host2's logs will be forwarded to
destination d_network2 {
    network("localhost" port(23457));
};

log {
    source(s_network);

    # First branch, for host1 -> destination1
    log {
        filter(f_host1);
        destination(d_network1);
        flags(final); # Don't forget to stop processing
    };

    # Second branch, for host2 -> destination2
    log {
        filter(f_host2);
        destination(d_network2);
        flags(final)# Don't forget to stop processing
    };
};

You can use inline filters too, if it is more convenient. With this, you do not need to define f_host1 and f_host2:
log {
    source(s_network);

    # First branch, for 127.0.0.1 -> destination1
    log {
        filter { netmask("127.0.0.1"); };
        destination(d_network1);
        flags(final); # Don't forget to stop processing
    };

    # Second branch, for 127.0.0.2 -> destination2
    log {
        filter { netmask("127.0.0.2"); };
        destination(d_network2);
        flags(final); # Don't forget to stop processing
    };
};

Cheers,
Attila
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Peter Griggs <peter@petergriggs.co.uk>
Sent: Tuesday, January 12, 2021 2:31 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] Filtering Destination by Source
 
CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.

Hello,

 

We have a lot of network logs all being pointed to a central syslog however this is a mix of vendors (Cisco / Juniper / Checkpoint) etc. is there a way of splitting the destination file by vendor type / or source IP address? We ingest this data into Splunk so want to get the source typing right however I am unable to get the sources to point to various listeners and I would prefer.

 

Thanks

Peter.