[syslog-ng] One source multiple destinations ?

Scot scotrn at gmail.com
Mon Jan 22 19:04:57 UTC 2018


That was a bad example on my part. I will need unique filters for each
destination.

log {
    source(s_net_tcp);
    channel { filter(f_allpci); destination (d_splunk_PCI); };
    channel { filter(f_allpci); destination (d_sumo_PCI); };
    channel { filter(f_swpci); destination (d_secureworks); };
};

On Sun, Jan 21, 2018 at 9:41 PM, Scot <scotrn at gmail.com> wrote:

> Evan,
> That's very helpful, is there somewhere these performance considerations
> are outlined?
> Only thing I see related is 2.2.1 in the manual.
>
> I'll try combining the destinations under one log statement in the
> morning.
>
>
> On Sat, Jan 20, 2018 at 11:02 AM, Evan Rempel <erempel at uvic.ca> wrote:
>
>> I would favour a config like
>>
>> log {
>>     source(s_net_tcp);
>>     channel { filter(f_pci); destination (d_splunk_PCI); };
>>     channel { filter(f_pci); destination (d_sumo_PCI); };
>>     channel { filter(f_pci); destination (d_secureworks); };
>> };
>>
>> Although I think your config should work I don't like the idea of
>> "re-sourcing" the stream.
>>
>> Now that I look closer at what you have done you are using the same
>> filter, so it could be
>>
>> log {
>>     source(s_net_tcp);
>>     filter(f_pci);
>>     destination (d_splunk_PCI);
>>     destination (d_sumo_PCI);
>>     destination (d_secureworks);
>> };
>>
>>
>> which takes the source, filters it and sends to all three destinations.
>>
>> Evan.
>>
>>
>> On 01/20/2018 07:28 AM, Scot wrote:
>>
>> Thanks Jim,
>> I have 4 configs
>> sources.conf
>> destinations.conf
>> filters.conf
>> log.conf
>>
>> Can't post them without revealing sensitive network info but wanted to
>> make sure I wasn't assuming something should just work.
>> I'll post more after I dig into it but seems to favor the first matching
>> log destination when I switch the order and reload with syslog-ng-ctl.
>>
>> log { source(s_net_tcp); filter(f_pci); destination (d_splunk_PCI);};
>> log { source(s_net_tcp); filter(f_pci); destination (d_sumo_PCI);};
>> log { source(s_net_tcp); filter(f_pci); destination (d_secureworks);};
>>
>>
>>
>> On Fri, Jan 19, 2018 at 6:41 PM, james.r.hendrick <
>> james.r.hendrick at gmail.com> wrote:
>>
>>> It should work. Would you share the config?
>>> Jim
>>>
>>> -------- Original message --------
>>> From: Scot <scotrn at gmail.com>
>>> Date: 1/19/18 4:23 PM (GMT-05:00)
>>> To: Syslog-ng users' and developers' mailing list <
>>> syslog-ng at lists.balabit.hu>
>>> Subject: [syslog-ng] One source multiple destinations ?
>>>
>>> I'm having a problem where I am trying to take input source(s) and
>>> write them out to multiple destinations.
>>>
>>> Before I go barking up the wrong tree I just wanted to make sure I
>>> wasn't missing something.
>>>
>>> We should be able to take a source and send it to file, elastic-search
>>> and SPLUNK and sumologic all at the same time right ?
>>>
>>> Troubleshooting an odd behavior where only one network destination will
>>> work but then I switch the order the other starts working.
>>>
>>> I know it's vague but has anyone seen this behavior?
>>>
>>> Thanks
>>> Scot
>>>
>>
>>
>
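The fan-out the thread converges on, written out as a complete config so the pieces can be seen together. This is an added example, not a config from anyone in the thread; the source/destination addresses and the bodies of f_allpci and f_swpci (which the thread names but never shows) are placeholders.

```conf
# Added example, not from the thread. One TCP source feeds three
# destinations, each behind its own filter, in a single log statement.
# All addresses, ports and filter bodies are placeholders.

source s_net_tcp {
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Assumed filter definitions (the thread does not show them).
# f_swpci narrows f_allpci further, reusing it via filter().
filter f_allpci { netmask("10.10.0.0/16"); };
filter f_swpci  { filter(f_allpci) and program("^sw-"); };

destination d_splunk_PCI  { network("splunk.example.internal" port(514) transport("tcp")); };
destination d_sumo_PCI    { network("sumo.example.internal" port(514) transport("tcp")); };
destination d_secureworks { network("secureworks.example.internal" port(514) transport("tcp")); };

# One log path, three channels: each message is evaluated against
# every channel independently, so a single message can be delivered
# to all three destinations when their filters match.
log {
    source(s_net_tcp);
    channel { filter(f_allpci); destination(d_splunk_PCI); };
    channel { filter(f_allpci); destination(d_sumo_PCI); };
    channel { filter(f_swpci);  destination(d_secureworks); };
};
```

`syslog-ng --syntax-only -f <file>` checks the file before a reload, and `syslog-ng-ctl stats` afterwards shows per-destination counters, which is the quickest way to confirm that all three destinations are actually receiving messages rather than only the first.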