[syslog-ng] Question about using multiple amqp destination

Alicia Smith asmith at mozilla.com
Fri Nov 3 18:27:12 UTC 2017


I am trying to configure syslog-ng to send multiple json formatted logs to
a rabbitmq endpoint.

The consumer for the logs checks for a particular field to determine the
type of log it is.
However, I can't seem to figure out how to send all the different logs, as
the field it checks is "source", which I add using --pair within the
format-json template.

destination d_amqp_ssh {
    amqp(
        vhost("/")
        host("mozdefqa2.private.scl3.mozilla.com")
        port(5672)
        exchange("eventtask")
        exchange-type("direct")
        routing-key("eventtask")
        body("$(format-json --scope nv_pairs --pair category=\"bro\" --pair source=\"ssh\" --pair customendpoint=\" \" --pair tags=\"bro\")")
        persistent(no)
        username("guest")
        password("guest")
    );
};

So I added another destination with the name d_amqp_conn, and its source
field value is "conn" and the amqp endpoint is the same host as the ssh log.

But syslog-ng fails to start with this particular setup. It seems to not
like having more than one amqp destination.

How would something like this typically be solved?

-- 

Alicia Smith
@phrozyn
Information Security Engineer
asmith at mozilla.com