[syslog-ng] One source multiple destinations ?

Scot scotrn at gmail.com
Mon Jan 22 02:41:14 UTC 2018


Evan,
That's very helpful. Is there somewhere these performance considerations are
outlined?
The only thing I see related is 2.2.1 in the manual.

I'll try combining the destinations under one log statement in the
morning.


On Sat, Jan 20, 2018 at 11:02 AM, Evan Rempel <erempel at uvic.ca> wrote:

> I would favour a config like
>
> log {
>     source(s_net_tcp);
>     channel { filter(f_pci); destination (d_splunk_PCI); };
>     channel { filter(f_pci); destination (d_sumo_PCI); };
>     channel { filter(f_pci); destination (d_secureworks); };
> };
>
> Although I think your config should work, I don't like the idea of
> "re-sourcing" the stream.
>
> Now that I look closer at what you have done, you are using the same
> filter, so it could be
>
> log {
>     source(s_net_tcp);
>     filter(f_pci);
>     destination (d_splunk_PCI);
>     destination (d_sumo_PCI);
>     destination (d_secureworks);
> };
>
>
> which takes the source, filters it and sends to all three destinations.
>
> Evan.
>
>
> On 01/20/2018 07:28 AM, Scot wrote:
>
> Thanks Jim,
> I have 4 configs
> sources.conf
> destinations.conf
> filters.conf
> log.conf
>
> Can't post them without revealing sensitive network info but wanted to
> make sure I wasn't assuming something should just work.
> I'll post more after I dig into it, but it seems to favor the first matching
> log destination when I switch the order and reload with syslog-ng-ctl.
>
> log { source(s_net_tcp); filter(f_pci); destination (d_splunk_PCI);};
> log { source(s_net_tcp); filter(f_pci); destination (d_sumo_PCI);};
> log { source(s_net_tcp); filter(f_pci); destination (d_secureworks);};
>
>
>
> On Fri, Jan 19, 2018 at 6:41 PM, james.r.hendrick <
> james.r.hendrick at gmail.com> wrote:
>
>> It should work. Would you share the config?
>> Jim
>>
>>
>>
>> -------- Original message --------
>> From: Scot <scotrn at gmail.com>
>> Date: 1/19/18 4:23 PM (GMT-05:00)
>> To: Syslog-ng users' and developers' mailing list <
>> syslog-ng at lists.balabit.hu>
>> Subject: [syslog-ng] One source multiple destinations ?
>>
>> I'm having a problem where I am trying to take input source(s) and write
>> them out to multiple destinations.
>>
>> Before I go barking up the wrong tree I just wanted to make sure I wasn't
>> missing something.
>>
>> We should be able to take a source and send it to file, elastic-search
>> and SPLUNK and sumologic all at the same time, right?
>>
>> Troubleshooting an odd behavior where only one network destination will
>> work, but then when I switch the order the other starts working.
>>
>> I know it's vague but has anyone seen this behavior?
>>
>> Thanks
>> Scot
>>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
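The fan-out Evan describes, written out as a complete syslog-ng configuration. This is an added example, not Scot's or Evan's config and not from the syslog-ng project; the source port, the filter condition, the collector host names, the TLS paths and the file path are all assumed placeholders. It keeps the single-log-statement form from the thread (one filter evaluation, every destination receives the same messages), and shows beside it the one layout that does make later log statements lose messages: a `flags(final)` on an earlier statement reading the same source.

```conf
@version: 3.13

# Assumed source: the TCP syslog listener the thread calls s_net_tcp.
source s_net_tcp {
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Assumed PCI filter: messages from the PCI network range. netmask() is a
# standard syslog-ng filter function; the range itself is a placeholder.
filter f_pci { netmask("10.10.0.0/16"); };

# Assumed destinations (host names are placeholders). The second one is shown
# over TLS with mandatory peer verification, which is what you want for
# cardholder-environment logs leaving the network.
destination d_splunk_PCI {
    network("splunk-hec.example.internal" port(1514) transport("tcp"));
};
destination d_sumo_PCI {
    network("collector.example.internal" port(6514) transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d")
            key-file("/etc/syslog-ng/key.d/forwarder.key")
            cert-file("/etc/syslog-ng/cert.d/forwarder.crt")
            peer-verify(required-trusted)));
};
destination d_secureworks {
    network("ingest.example.internal" port(1516) transport("tcp"));
};
# Local copy, restricted to the syslog-ng user/group, for forensic retention.
destination d_pci_file {
    file("/var/log/pci/${HOST}.log" perm(0640) create-dirs(yes));
};

# Working layout: one log statement, the filter runs once, and every
# destination listed gets the same post-filter stream.
log {
    source(s_net_tcp);
    filter(f_pci);
    destination(d_splunk_PCI);
    destination(d_sumo_PCI);
    destination(d_secureworks);
    destination(d_pci_file);
};

# Broken layout (kept here only for contrast, do not enable both): with
# flags(final) on the first statement, a message that matches f_pci is
# delivered to d_splunk_PCI and is then never offered to the statements
# below it, so only the first-listed network destination ever "works".
#
# log { source(s_net_tcp); filter(f_pci); destination(d_splunk_PCI); flags(final); };
# log { source(s_net_tcp); filter(f_pci); destination(d_sumo_PCI); };
# log { source(s_net_tcp); filter(f_pci); destination(d_secureworks); };
```

Before reloading with `syslog-ng-ctl reload`, run `syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf` to catch parse errors; and when one collector is unreachable, check whether `flags(flow-control)` is set on the shared log path, because with flow control on, a destination whose queue fills up suspends the source for the whole path rather than just for itself.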
