I would favour a config like:

log {
    source(s_net_tcp);
    channel { filter(f_pci); destination(d_splunk_PCI); };
    channel { filter(f_pci); destination(d_sumo_PCI); };
    channel { filter(f_pci); destination(d_secureworks); };
};

Although I think your config should work, I don't like the idea of "re-sourcing" the stream. Now that I look closer at what you have done, you are using the same filter, so it could be:

log {
    source(s_net_tcp);
    filter(f_pci);
    destination(d_splunk_PCI);
    destination(d_sumo_PCI);
    destination(d_secureworks);
};

which takes the source, filters it and sends to all three destinations.

Evan.

On 01/20/2018 07:28 AM, Scot wrote:
Thanks Jim, I have 4 configs: sources.conf, destinations.conf, filters.conf, log.conf.
Can't post them without revealing sensitive network info, but I wanted to make sure I wasn't assuming something should just work. I'll post more after I dig into it, but it seems to favor the first matching log destination when I switch the order and reload with syslog-ng-ctl.

log { source(s_net_tcp); filter(f_pci); destination(d_splunk_PCI); };
log { source(s_net_tcp); filter(f_pci); destination(d_sumo_PCI); };
log { source(s_net_tcp); filter(f_pci); destination(d_secureworks); };
On Fri, Jan 19, 2018 at 6:41 PM, james.r.hendrick <james.r.hendrick@gmail.com> wrote:
It should work. Would you share the config? Jim
-------- Original message -------- From: Scot <scotrn@gmail.com> Date: 1/19/18 4:23 PM (GMT-05:00) To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> Subject: [syslog-ng] One source multiple destinations ?
I'm having a problem where I am trying to take input source(s) and write them out to multiple destinations.
Before I go barking up the wrong tree I just wanted to make sure I wasn't missing something.
We should be able to take a source and send it to a file, elastic-search, SPLUNK and sumologic all at the same time, right?
Troubleshooting an odd behavior where only one network destination will work, but when I switch the order the other starts working.
I know it's vague but has anyone seen this behavior?
Thanks, Scot
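The single log path Evan recommends at the top of the thread, written out as a complete minimal syslog-ng configuration. This is an added example, not the configuration anyone in the thread posted: the version line, the listener port, the body of f_pci, the destination hosts and ports, and the TLS file paths are all assumptions chosen for illustration. The comment on the log statement records the one real syslog-ng behaviour a practitioner should rule out when only the first of several otherwise identical log paths seems to deliver.

```conf
# Added example (not from the thread): one TCP source fanned out to three
# destinations through one filter. Hosts, ports, the filter body and the
# certificate paths are hypothetical.
@version: 3.13

options {
    keep-hostname(yes);
    use-dns(no);
};

# Single network listener on TCP/514 (assumed port).
source s_net_tcp {
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Hypothetical PCI filter; the real f_pci is not shown in the thread.
filter f_pci {
    host("^pci-") or netmask("10.10.0.0/16");
};

# Destinations (hypothetical hosts). The external hop is shown over TLS with
# mutual authentication, since PCI-scoped logs should not cross the network
# in the clear.
destination d_splunk_PCI {
    network("splunk-hf.example.internal" port(1514) transport("tcp"));
};

destination d_sumo_PCI {
    network("sumo-collector.example.internal" port(1515) transport("tcp"));
};

destination d_secureworks {
    network("collector.secureworks.example" port(6514)
        transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d")
            key-file("/etc/syslog-ng/cert.d/client.key")
            cert-file("/etc/syslog-ng/cert.d/client.crt")
            peer-verify(required-trusted)));
};

# One log path: the source is read once, filtered once, and every message
# that passes f_pci is delivered to all three destinations. Do not put
# flags(final) on this path, or on any earlier log path that matches the
# same messages: final stops a matched message from being passed to later
# log statements, which yields exactly a first-match-wins symptom when the
# destinations are split across separate log {} blocks.
log {
    source(s_net_tcp);
    filter(f_pci);
    destination(d_splunk_PCI);
    destination(d_sumo_PCI);
    destination(d_secureworks);
};
```

Validate the file with `syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf` before running `syslog-ng-ctl reload`, then send a few test messages and compare the per-destination `processed` counters in `syslog-ng-ctl stats`: with a single log path all three should advance by the same amount.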