syslog-ng.conf filter not working
Dear All,

I am trying to forward all Cisco IOS and Nexus logs to a remote server. Here is the relevant part of my syslog-ng.conf:

    # Syslog collection for all devices
    source s_network {
        network(
            transport("udp")
            port(514)
            flags(syslog_protocol)
            keep_hostname(yes)
            keep_timestamp(yes)
            use_dns(no)
            use_fqdn(no)
        );
    };

    destination d_all_logs {
        file("/app/syslog-ng/My_custom/My_output/all_devices.log");
    };

    # All syslogs
    log {
        source(s_network);
        destination(d_all_logs);
    };

    # Cisco to elastic Mar.22.2019
    destination d_cisco_logs {
        file("/app/syslog-ng/My_custom/My_output/cisco.log");
        network("10.20.30.44" port(2514) transport("udp") spoof_source(yes));
    };

    # Cisco logs to elastic Mar.22.2019
    log {
        source(s_network);
        filter(f_cisco_message);
        destination(d_cisco_logs);
    };

    # Cisco to elastic Mar.22.2019
    # A filter body is one boolean expression: join the two match() calls with
    # "or" and terminate the whole expression with a single semicolon.
    filter f_cisco_message {
        match("Cisco IOS" value("MESSAGE")) or match("Cisco Nexus" value("MESSAGE"));
    };

But it looks like cisco.log never has any data inside. Below is from

Could you please review my config and advise?

Thank you so much for your reply in advance!

VL
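An added illustration (not from this thread or from the syslog-ng project) of what the filter above actually tests: with flags(syslog_protocol) each datagram is split into RFC 5424 fields, and value("MESSAGE") is only the body after the structured-data element, so "Cisco IOS" / "Cisco Nexus" must occur in that body, not in the hostname or elsewhere. The sample lines and the Cisco-looking message bodies are constructed for the example.

```python
import re

# Constructed RFC 5424 lines (the framing syslog-ng expects with flags(syslog_protocol)).
# The Cisco-looking bodies are made up for this example, not captured device output.
SAMPLE_LINES = [
    "<189>1 2019-03-22T10:00:00Z sw01 - - - - %SYS-5-CONFIG_I: Configured from console by admin",
    "<189>1 2019-03-22T10:00:01Z sw01 - - - - Cisco IOS Software, constructed boot banner",
    "<187>1 2019-03-22T10:00:02Z n9k01 - - - - Cisco Nexus Operating System, constructed banner",
    # "Cisco IOS" appears only in the hostname and structured data, not in the body.
    '<189>1 2019-03-22T10:00:03Z cisco-ios-sw - - - [meta vendor="Cisco IOS"] %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up',
]

# Minimal RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)


def parse_rfc5424(line):
    """Split one line into the macros syslog-ng exposes; MESSAGE is the body only."""
    m = RFC5424.match(line)
    if not m:
        raise ValueError("not RFC 5424: %r" % line)
    d = m.groupdict()
    return {"HOST": d["host"], "PROGRAM": d["app"], "SDATA": d["sd"],
            "MESSAGE": d["msg"] or ""}


def f_cisco_message(msg):
    """Model of: match("Cisco IOS" value("MESSAGE")) or match("Cisco Nexus" value("MESSAGE")).
    match() is an unanchored, case-sensitive regex search over the named macro alone."""
    body = msg["MESSAGE"]
    return bool(re.search("Cisco IOS", body) or re.search("Cisco Nexus", body))


def route_to_cisco_log(lines):
    """Return the lines the log path with filter(f_cisco_message) would forward."""
    return [line for line in lines if f_cisco_message(parse_rfc5424(line))]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        verdict = "cisco.log" if f_cisco_message(parse_rfc5424(line)) else "dropped  "
        print(verdict, line)
```

Only the two lines whose body contains one of the strings would reach cisco.log; a syntax problem in the filter block itself is caught earlier by `syslog-ng --syntax-only`, before any message is inspected.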
Hello,

Without knowing your logs, it is hard to say anything more. But I would be really surprised if the issue is with *filter* not working. You could always run syslog-ng at debug/trace level in order to track which filter/destination is triggered with a message.

I don't want to push anything here; the only reason I write this note is that I started sensing a mismatch between what the community can provide and what you actually expect. If you disagree, just ignore the rest of this email.

If this is needed for a critical production deployment, I would consider the paid-for syslog-ng Premium Edition offered by One Identity. The Open Source version of syslog-ng is not supported by a professional support team; the community (which includes some of syslog-ng's developers) is usually helping on a best-effort basis. If you require faster answers (with SLAs), patched binary packages, or more in-depth guidance, One Identity offers paid support and/or consultancy services for syslog-ng. See https://www.syslog-ng.com/register/115497/

Disclaimer: I am employed by One Identity (being a software engineer there).

--
Kokan

On Sat, Mar 23, 2019 at 4:38 PM Lin, Victor <victor.lin@rbc.com> wrote: