One source multiple destinations?
I'm having a problem where I am trying to take input source(s) and write them out to multiple destinations.

Before I go barking up the wrong tree I just wanted to make sure I wasn't missing something.

We should be able to take a source and send it to file, elastic-search and SPLUNK and sumologic all at the same time, right?

Troubleshooting an odd behavior where only one network destination will work, but then I switch the order and the other starts working.

I know it's vague, but has anyone seen this behavior?

Thanks
Scot
It should work. Would you share the config?

Jim

-------- Original message --------
From: Scot <scotrn@gmail.com>
Date: 1/19/18 4:23 PM (GMT-05:00)
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] One source multiple destinations ?
Thanks Jim, I have 4 configs: sources.conf, destinations.conf, filters.conf, log.conf.

Can't post them without revealing sensitive network info, but wanted to make sure I wasn't assuming something should just work. I'll post more after I dig into it, but it seems to favor the first matching log destination when I switch the order and reload with syslog-ng-ctl.

    log { source(s_net_tcp); filter(f_pci); destination(d_splunk_PCI); };
    log { source(s_net_tcp); filter(f_pci); destination(d_sumo_PCI); };
    log { source(s_net_tcp); filter(f_pci); destination(d_secureworks); };

On Fri, Jan 19, 2018 at 6:41 PM, james.r.hendrick <james.r.hendrick@gmail.com> wrote:
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
I would favour a config like

    log { source(s_net_tcp);
        channel { filter(f_pci); destination(d_splunk_PCI); };
        channel { filter(f_pci); destination(d_sumo_PCI); };
        channel { filter(f_pci); destination(d_secureworks); };
    };

Although I think your config should work, I don't like the idea of "re-sourcing" the stream.

Now that I look closer at what you have done, you are using the same filter, so it could be

    log { source(s_net_tcp); filter(f_pci); destination(d_splunk_PCI); destination(d_sumo_PCI); destination(d_secureworks); };

which takes the source, filters it and sends to all three destinations.

Evan.

On 01/20/2018 07:28 AM, Scot wrote:
Evan, that's very helpful. Is there somewhere these performance considerations are outlined? The only thing I see related is 2.2.1 in the manual.

I'll try combining the destinations under one log statement in the morning.

On Sat, Jan 20, 2018 at 11:02 AM, Evan Rempel <erempel@uvic.ca> wrote:
That was a bad example on my part. I will need unique filters for each destination.

    log { source(s_net_tcp);
        channel { filter(f_allpci); destination(d_splunk_PCI); };
        channel { filter(f_allpci); destination(d_sumo_PCI); };
        channel { filter(f_swpci); destination(d_secureworks); };
    };

On Sun, Jan 21, 2018 at 9:41 PM, Scot <scotrn@gmail.com> wrote:
T/F: On a log statement with 3 or more channels, would a *copy* of each message matching the filter be sent to that destination?

    log { source(s_net_tcp);
        channel { filter(f_allpci); destination(d_splunk_PCI); };
        channel { filter(f_allpci); destination(d_sumo_PCI); };
        channel { filter(f_swpci); destination(d_secureworks); };
    };

On Mon, Jan 22, 2018 at 2:04 PM, Scot <scotrn@gmail.com> wrote:
Hi Scot!

Yes, messages are copied because you wrote embedded log paths above. The `channel` keyword is an alias (in some contexts) for the `log` keyword. There are some rules that apply to embedded log paths:

https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/concepts-embedded-logpaths.html
https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-embedded-logpaths.html

If you need different processing on messages that are coming from the same source but their format could be different, you can use junctions and handle the messages differently. One of the main differences between embedded log paths and junctions is that with junctions the different branches will be merged, therefore it is possible to have your messages duplicated. Also, after a junction statement you can invoke any configuration blocks that could otherwise be applied (well, it's still context dependent: you still can't put a source after a destination block).

BR,
Gabor

On Fri, Mar 9, 2018 at 6:12 AM, Scot <scotrn@gmail.com> wrote:
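To make the copy-versus-merge point concrete, here is a small Python model of how one message travels through the log paths discussed in this thread (an added illustration, not syslog-ng code and not from any poster): each embedded log path works on its own copy, a junction merges its branches back, and Evan's flat form fans one filtered stream out to several destinations. The hosts, messages and host sets are constructed stand-ins for Scot's filters and destinations; the model assumes nothing about elements placed after an embedded path, which none of the thread's configs do.

```python
import copy
from dataclasses import dataclass


@dataclass
class Message:
    host: str
    text: str


class Destination:
    """Stands in for a syslog-ng destination driver: keeps what it is handed."""

    def __init__(self, name):
        self.name = name
        self.received = []


def run_path(steps, msg):
    """Push one message through a list of (kind, arg) steps.

    Returns the copies that reach the end of the path: 0 if a filter dropped
    the message, 1 in the plain case, more when junction branches merge.
    """
    live = [msg]
    for kind, arg in steps:
        nxt = []
        for m in live:
            if kind == "filter":          # arg: predicate on the message
                if arg(m):
                    nxt.append(m)
            elif kind == "destination":   # arg: Destination
                arg.received.append(m)
                nxt.append(m)
            elif kind == "log":           # arg: embedded log path (channel)
                # The embedded path works on its own copy; in this model the
                # outer message carries on unchanged afterwards (assumption).
                run_path(arg, copy.copy(m))
                nxt.append(m)
            elif kind == "junction":      # arg: list of branches (step lists)
                # Each branch gets a copy and the survivors are merged back,
                # so a message matching two branches continues twice.
                for branch in arg:
                    nxt.extend(run_path(branch, copy.copy(m)))
            else:
                raise ValueError(f"unknown step kind {kind!r}")
        live = nxt
    return live


# Constructed sample traffic (not real hosts): two PCI hosts, one of which is
# also in the SecureWorks scope, plus one host outside both scopes.
PCI_HOSTS = {"10.0.0.1", "10.0.0.2"}
SW_HOSTS = {"10.0.0.2"}
SAMPLE = [
    Message("10.0.0.1", "login ok"),
    Message("10.0.0.2", "deny"),
    Message("10.9.9.9", "noise"),
]

def f_allpci(m):          # stands in for Scot's filter f_allpci
    return m.host in PCI_HOSTS

def f_swpci(m):           # stands in for Scot's filter f_swpci
    return m.host in SW_HOSTS

def _collected(*dests):
    return {d.name: [m.text for m in d.received] for d in dests}


def route_with_embedded_paths(messages):
    """Scot's revised config: one source, three embedded log paths, each with
    its own filter. Every embedded path sees its own copy of every message."""
    d_splunk, d_sumo, d_sw = (Destination(n) for n in
                              ("d_splunk_PCI", "d_sumo_PCI", "d_secureworks"))
    path = [
        ("log", [("filter", f_allpci), ("destination", d_splunk)]),
        ("log", [("filter", f_allpci), ("destination", d_sumo)]),
        ("log", [("filter", f_swpci), ("destination", d_sw)]),
    ]
    for m in messages:
        run_path(path, m)
    return _collected(d_splunk, d_sumo, d_sw)


def route_with_single_path(messages):
    """Evan's flat form: one filter, then three destinations in a row."""
    dests = [Destination(n) for n in ("d_splunk_PCI", "d_sumo_PCI", "d_secureworks")]
    path = [("filter", f_allpci)] + [("destination", d) for d in dests]
    for m in messages:
        run_path(path, m)
    return _collected(*dests)


def route_with_junction(messages):
    """Junction with two filter branches, then one shared destination: the
    branches are merged, so a message passing both branches is delivered twice."""
    d_file = Destination("d_file")
    path = [("junction", [[("filter", f_allpci)], [("filter", f_swpci)]]),
            ("destination", d_file)]
    for m in messages:
        run_path(path, m)
    return _collected(d_file)
```

Running the three routers over SAMPLE shows d_secureworks receiving only the SecureWorks-scope host under the embedded form, every destination receiving the same filtered stream under the flat form, and the junction delivering the doubly matched message twice.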
Hi again!

What I left out is that if you need embedded log paths, I would recommend using the `log` keyword explicitly rather than the `channel` keyword, for clarity.

Regards,
Gabor

On Fri, Mar 9, 2018 at 10:48 AM, Nagy, Gábor <gabor.nagy@balabit.com> wrote:
Thanks for the feedback.

While looking at this I'm scratching my head. If I am only getting UDP syslog from ASAs, then why does the sumo_asa filter still send data with this config?

    source s_net_tcp { tcp(ip(0.0.0.0) port(514) max-connections(300) keep_hostname(yes) so_rcvbuf(262142) log_iw_size(25000)); };
    source s_net_udp { syslog(ip(0.0.0.0) keep_hostname(yes) port(514) transport("udp") flags(no-hostname) so_rcvbuf(262142)); };

    filter f_sumo_asa { host("192.168.1.101") or host("192.168.1.102") or host("192.168.1.103") or host("192.168.1.104") or host("192.168.1.105"); };

    log { source(s_net_udp);
        channel { destination(d_file); };
        #channel { filter(f_sumo_asa); destination(d_sumo_514); };
        channel { filter(f_sumo_palto); destination(d_sumo_palto); };
        channel { parser(pattern_db); destination(d_es); };
    };

    log { source(s_net_tcp);
        channel { destination(d_file); };
        channel { filter(f_sumo_asa); destination(d_sumo_514); };   # <-- highlighted in the original mail
        channel { filter(f_sumo_palto); destination(d_sumo_palto); };
        channel { parser(pattern_db); destination(d_es); };
    };

On Fri, Mar 9, 2018 at 4:50 AM, Nagy, Gábor <gabor.nagy@balabit.com> wrote:
My understanding is that you receive logs from UDP in *d_sumo_514* even if you remove the embedded log path forwarding to *d_sumo_514*? It's hard to guess with this much information. You've highlighted another log path with a TCP source which has the same filter and destination as the one with the UDP source. Do you still receive logs if you comment out the other log path too?

Gabor

On Fri, Mar 9, 2018 at 4:17 PM, Scot <scotrn@gmail.com> wrote:
Thanks for the feedback.
While looking at this i'm scratching my head. If I am only getting UDP Syslog from ASA's then why does the sumo_asa filter still send data with this config ?
source s_net_tcp {
    tcp(ip(0.0.0.0) port(514) max-connections(300) keep_hostname(yes) so_rcvbuf(262142) log_iw_size(25000));
};
source s_net_udp {
    syslog(ip(0.0.0.0) keep_hostname(yes) port(514) transport("udp") flags(no-hostname) so_rcvbuf(262142));
};

filter f_sumo_asa {
    host("192.168.1.101") or host("192.168.1.102") or host("192.168.1.103") or host("192.168.1.104") or host("192.168.1.105");
};

log {
    source(s_net_udp);
    channel { destination(d_file); };
    #channel { filter(f_sumo_asa); destination(d_sumo_514); };
    channel { filter(f_sumo_palto); destination(d_sumo_palto); };
    channel { parser(pattern_db); destination(d_es); };
};

log {
    source(s_net_tcp);
    channel { destination(d_file); };
    channel { filter(f_sumo_asa); destination(d_sumo_514); };    # highlighted in the original mail
    channel { filter(f_sumo_palto); destination(d_sumo_palto); };
    channel { parser(pattern_db); destination(d_es); };
};
On Fri, Mar 9, 2018 at 4:50 AM, Nagy, Gábor <gabor.nagy@balabit.com> wrote:
Hi again!
What I left out is that if you need embedded log paths I would recommend using the `log` keyword explicitly rather than the `channel` keyword for clarity.
Regards, Gabor
On Fri, Mar 9, 2018 at 10:48 AM, Nagy, Gábor <gabor.nagy@balabit.com> wrote:
Hi Scot!
Yes, messages are copied because you wrote embedded log paths above. The `channel` keyword is an alias (in some contexts) for the `log` keyword. There are some rules that apply to embedded log paths:
https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/concepts-embedded-logpaths.html
https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-embedded-logpaths.html
If you need different processing on messages that are coming from the same source but their format could be different, you can use junctions and handle the messages differently. One of the main differences between embedded log paths and junctions is that with junctions the different branches will be merged, therefore it is possible to have your messages duplicated. Also, after a junction statement you can invoke any configuration blocks that could otherwise be applied (well, it's still context dependent; you still can't put a source after a destination block).
BR, Gabor
On Fri, Mar 9, 2018 at 6:12 AM, Scot <scotrn@gmail.com> wrote:
T/F
On a log statement with 3 or more channels, would a *copy* of each message matching the filter be sent to that destination?
log {
    source(s_net_tcp);
    channel { filter(f_allpci); destination (d_splunk_PCI); };
    channel { filter(f_allpci); destination (d_sumo_PCI); };
    channel { filter(f_swpci); destination (d_secureworks); };
};
On Mon, Jan 22, 2018 at 2:04 PM, Scot <scotrn@gmail.com> wrote:
That was a bad example on my part. I will need unique filters for each destination.
log {
    source(s_net_tcp);
    channel { filter(f_allpci); destination (d_splunk_PCI); };
    channel { filter(f_allpci); destination (d_sumo_PCI); };
    channel { filter(f_swpci); destination (d_secureworks); };
};
On Sun, Jan 21, 2018 at 9:41 PM, Scot <scotrn@gmail.com> wrote:
Evan, that's very helpful. Is there somewhere these performance considerations are outlined? The only thing I see related is 2.2.1 in the manual.
I'll try combining the destinations under one log statement in the morning.
On Sat, Jan 20, 2018 at 11:02 AM, Evan Rempel <erempel@uvic.ca> wrote:
> I would favour a config like
>
> log {
>     source(s_net_tcp);
>     channel { filter(f_pci); destination (d_splunk_PCI); };
>     channel { filter(f_pci); destination (d_sumo_PCI); };
>     channel { filter(f_pci); destination (d_secureworks); };
> };
>
> Although I think your config should work I don't like the idea of
> "re-sourcing" the stream.
>
> Now that I look closer at what you have done you are using the same
> filter, so it could be
>
> log {
>     source(s_net_tcp);
>     filter(f_pci);
>     destination (d_splunk_PCI);
>     destination (d_sumo_PCI);
>     destination (d_secureworks);
> };
>
> which takes the source, filters it and sends to all three
> destinations.
>
> Evan.
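The two forms Evan suggests above and the junction alternative Gabor describes earlier in the thread, written out side by side as an added example (not a config posted by anyone in the thread). The source options, filters, destination hosts and the d_file path are constructed placeholders standing in for the thread's f_allpci/f_swpci filters and d_splunk_PCI/d_sumo_PCI/d_secureworks destinations.

```conf
# Added example, not from the thread. All names and addresses below are placeholders.
source s_net_tcp { tcp(ip(0.0.0.0) port(514) keep_hostname(yes)); };

filter f_allpci { netmask("192.168.1.0/24"); };                       # constructed
filter f_swpci  { netmask("192.168.1.0/24") and program("sshd"); };  # constructed

destination d_splunk_PCI  { network("splunk.example.internal" port(1514) transport("tcp")); };
destination d_sumo_PCI    { network("sumo.example.internal" port(1514) transport("tcp")); };
destination d_secureworks { network("secureworks.example.internal" port(1514) transport("tcp")); };
destination d_file        { file("/var/log/pci-copy.log"); };        # constructed path

# Form 1 (Evan's second suggestion): one filter, then every destination
# listed in the same log path receives its own copy of each matching message.
log {
    source(s_net_tcp);
    filter(f_allpci);
    destination(d_splunk_PCI);
    destination(d_sumo_PCI);
};

# Form 2 (embedded log paths; `channel` is an alias for `log` here): every
# message is offered to each embedded path, and each path whose filter matches
# gets a copy. A message matching both f_allpci and f_swpci goes to all three.
log {
    source(s_net_tcp);
    log { filter(f_allpci); destination(d_splunk_PCI); };
    log { filter(f_allpci); destination(d_sumo_PCI); };
    log { filter(f_swpci);  destination(d_secureworks); };
};

# Form 3 (junction): branches are evaluated independently and then merged, so
# processing continues after the junction. A message that matched both channels
# leaves the junction twice and d_file receives two copies of it.
log {
    source(s_net_tcp);
    junction {
        channel { filter(f_allpci); destination(d_splunk_PCI); };
        channel { filter(f_swpci);  destination(d_secureworks); };
    };
    destination(d_file);
};
```

Check which form is loaded with `syslog-ng --syntax-only` before reloading, and compare per-destination counts on d_file against the upstream feed to confirm whether the duplication in form 3 is what you want.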
participants (4)
- Evan Rempel
- james.r.hendrick
- Nagy, Gábor
- Scot