[syslog-ng] One source multiple destinations ?

Evan Rempel erempel at uvic.ca
Sat Jan 20 16:02:13 UTC 2018


I would favour a config like

log {
     source(s_net_tcp);
     channel { filter(f_pci); destination (d_splunk_PCI); };
     channel { filter(f_pci); destination (d_sumo_PCI); };
     channel { filter(f_pci); destination (d_secureworks); };
};

Although I think your config should work, I don't like the idea of 
"re-sourcing" the stream.

Now that I look closer at what you have done, you are using the same 
filter, so it could be

log {
     source(s_net_tcp);
     filter(f_pci);
     destination (d_splunk_PCI);
     destination (d_sumo_PCI);
     destination (d_secureworks);
};


which takes the source, filters it and sends to all three destinations.

Evan.


On 01/20/2018 07:28 AM, Scot wrote:
> Thanks Jim,
> I have 4 configs
> sources.conf
> destinations.conf
> filters.conf
> log.conf
>
> Can't post them without revealing sensitive network info but wanted to 
> make sure I wasn't assuming something should just work.
> I'll post more after I dig into it, but it seems to favor the first 
> matching log destination when I switch the order and reload with 
> syslog-ng-ctl.
>
> log { source(s_net_tcp); filter(f_pci); destination (d_splunk_PCI);};
> log { source(s_net_tcp); filter(f_pci); destination (d_sumo_PCI);};
> log { source(s_net_tcp); filter(f_pci); destination (d_secureworks);};
>
>
>
> On Fri, Jan 19, 2018 at 6:41 PM, james.r.hendrick 
> <james.r.hendrick at gmail.com> wrote:
>
>     It should work. Would you share the config?
>     Jim
>
>
>
>     Sent from my Verizon, Samsung Galaxy smartphone
>
>     -------- Original message --------
>     From: Scot <scotrn at gmail.com>
>     Date: 1/19/18 4:23 PM (GMT-05:00)
>     To: Syslog-ng users' and developers' mailing list
>     <syslog-ng at lists.balabit.hu>
>     Subject: [syslog-ng] One source multiple destinations ?
>
>     I'm having a problem where I am trying to take input source(s)
>     and write them out to multiple destinations.
>
>     Before I go barking up the wrong tree I just wanted to make sure I
>     wasn't missing something.
>
>     We should be able to take a source and send it to file,
>     Elasticsearch, Splunk and Sumo Logic all at the same time, right?
>
>     Troubleshooting an odd behavior where only one network destination
>     will work but then I switch the order the other starts working.
>
>     I know it's vague but has anyone seen this behavior?
>
>     Thanks
>     Scot
>
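The configuration below is an added worked example for this thread, not something posted by Evan, Scot or Jim and not taken from the syslog-ng project. It puts the fan-out pattern Evan describes into one complete syslog-ng.conf so the whole shape is visible: a single network source, one filter, a local file plus three network destinations, and one log path that lists all of them. The source, filter and destination names are the ones used in the thread; everything else (hosts, ports, paths, the body of f_pci, the extra f_auth filter in the second log statement) is a placeholder I made up, because the real filters and destinations were never posted.

```text
@version: 3.13
@include "scl.conf"

# Added example, not the config from the thread. Hostnames, ports, paths
# and filter bodies are placeholders.

source s_net_tcp {
    network(
        ip("0.0.0.0")
        port(514)
        transport("tcp")
    );
};

# Placeholder for the thread's f_pci: restrict to the address range the
# in-scope hosts send from. The real f_pci was not posted.
filter f_pci {
    netmask("10.10.0.0/16");
};

# Placeholder for a second, broader filter used only by the channel
# example below (not part of the thread).
filter f_auth {
    facility(auth, authpriv);
};

destination d_local_file {
    file("/var/log/pci/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         create-dirs(yes)
         perm(0640));
};

# Plain TCP syslog forwarders; replace with whatever each collector expects.
destination d_splunk_PCI {
    network("splunk-forwarder.example.internal" port(5140) transport("tcp"));
};
destination d_sumo_PCI {
    network("sumo-collector.example.internal" port(5141) transport("tcp"));
};
destination d_secureworks {
    network("secureworks-relay.example.internal" port(5142) transport("tcp"));
};

# One path, one filter, every destination. A message that matches f_pci is
# delivered to each destination listed; it is not "consumed" by the first
# one. Only flags(final) on a path would stop later paths from seeing it.
#
# Note that flags(flow-control) is deliberately NOT set here: with flow
# control on, one unreachable destination in this path would throttle
# s_net_tcp for all of them. Without it, each destination buffers up to
# log-fifo-size() messages and then drops its own overflow independently.
log {
    source(s_net_tcp);
    filter(f_pci);
    destination(d_local_file);
    destination(d_splunk_PCI);
    destination(d_sumo_PCI);
    destination(d_secureworks);
};

# Channels are the tool for the case Evan's first variant hints at: the
# same source, but a different filter per destination. Here the
# Secureworks feed gets the (placeholder) auth traffic instead of f_pci.
log {
    source(s_net_tcp);
    channel { filter(f_pci);  destination(d_splunk_PCI); };
    channel { filter(f_pci);  destination(d_sumo_PCI); };
    channel { filter(f_auth); destination(d_secureworks); };
};
```

Two checks worth doing before trusting a change like this: run `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` to catch syntax problems before a reload, and after reloading compare the per-destination counters from `syslog-ng-ctl stats` (the `dst.network` lines carry `processed` and `dropped` counts) to see whether a destination is actually receiving nothing or is receiving and then dropping because its queue is full.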


