[syslog-ng] One source multiple destinations ?

Scot scotrn at gmail.com
Fri Mar 9 05:12:46 UTC 2018


T/F

On a log statement with 3 or more channels, would a *copy* of each message
matching the filter be sent to that destination?

log {
    source(s_net_tcp);
    channel { filter(f_allpci); destination (d_splunk_PCI); };
    channel { filter(f_allpci); destination (d_sumo_PCI); };
    channel { filter(f_swpci); destination (d_secureworks); };
};




On Mon, Jan 22, 2018 at 2:04 PM, Scot <scotrn at gmail.com> wrote:

> That was a bad example on my part. I will need unique filters for each
> destination.
>
> log {
>     source(s_net_tcp);
>     channel { filter(f_allpci); destination (d_splunk_PCI); };
>     channel { filter(f_allpci); destination (d_sumo_PCI); };
>     channel { filter(f_swpci); destination (d_secureworks); };
> };
>
> On Sun, Jan 21, 2018 at 9:41 PM, Scot <scotrn at gmail.com> wrote:
>
>> Evan,
>> That's very helpful, is there somewhere these performance considerations
>> are outlined?
>> Only thing I see related is 2.2.1 in the manual.
>>
>> I'll try combining the destinations under one log statement in the
>> morning.
>>
>>
>> On Sat, Jan 20, 2018 at 11:02 AM, Evan Rempel <erempel at uvic.ca> wrote:
>>
>>> I would favour a config like
>>>
>>> log {
>>>     source(s_net_tcp);
>>>     channel { filter(f_pci); destination (d_splunk_PCI); };
>>>     channel { filter(f_pci); destination (d_sumo_PCI); };
>>>     channel { filter(f_pci); destination (d_secureworks); };
>>> };
>>>
>>> Although I think your config should work I don't like the idea of
>>> "re-sourcing" the stream.
>>>
>>> Now that I look closer at what you have done you are using the same
>>> filter, so it could be
>>>
>>> log {
>>>     source(s_net_tcp);
>>>     filter(f_pci);
>>>     destination (d_splunk_PCI);
>>>     destination (d_sumo_PCI);
>>>     destination (d_secureworks);
>>> };
>>>
>>>
>>> which takes the source, filters it and sends to all three destinations.
>>>
>>> Evan.
>>>
>>>
>>> On 01/20/2018 07:28 AM, Scot wrote:
>>>
>>> Thanks Jim,
>>> I have 4 configs
>>> sources.conf
>>> destinations.conf
>>> filters.conf
>>> log.conf
>>>
>>> Can't post them without revealing sensitive network info but wanted to
>>> make sure I wasn't assuming something should just work.
>>> I'll post more after I dig into it but seems to favor the first matching
>>> log destination when I switch the order and reload with syslog-ng-ctl.
>>>
>>> log { source(s_net_tcp); filter(f_pci); destination (d_splunk_PCI);};
>>> log { source(s_net_tcp); filter(f_pci); destination (d_sumo_PCI);};
>>> log { source(s_net_tcp); filter(f_pci); destination (d_secureworks);};
>>>
>>>
>>>
>>> On Fri, Jan 19, 2018 at 6:41 PM, james.r.hendrick <
>>> james.r.hendrick at gmail.com> wrote:
>>>
>>>> It should work. Would you share the config?
>>>> Jim
>>>>
>>>>
>>>>
>>>> Sent from my Verizon, Samsung Galaxy smartphone
>>>>
>>>> -------- Original message --------
>>>> From: Scot <scotrn at gmail.com>
>>>> Date: 1/19/18 4:23 PM (GMT-05:00)
>>>> To: Syslog-ng users' and developers' mailing list <
>>>> syslog-ng at lists.balabit.hu>
>>>> Subject: [syslog-ng] One source multiple destinations ?
>>>>
>>>> I'm having a problem where I am trying to take  input source(s) and
>>>> write them out to multiple destinations.
>>>>
>>>> Before I go barking up the wrong tree I just wanted to make sure I
>>>> wasn't missing something.
>>>>
>>>> We should be able to take a source and send it to file, elastic-search
>>>> and SPLUNK and sumologic all at the same time right ?
>>>>
>>>> Troubleshooting an odd behavior where only one network destination will
>>>> work but then I switch the order the other starts working.
>>>>
>>>> I know it's vague but has anyone seen this behavior?
>>>>
>>>> Thanks
>>>> Scot
>>>>
>>>
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>>
>>
>
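A small model of syslog-ng's log-path routing, added here as an example (it is not code from the thread or from the syslog-ng project), to work through the T/F question at the top of this message: every log statement that references a source, and every channel of a junction, receives its own copy of each message, so all matching destinations get the message regardless of the order of the statements; the one standard setting that makes order matter is `flags(final)` on a statement, which stops later statements from seeing a message. The filter and destination names are placeholders modelled on the thread, and the sample messages are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class LogPath:
    """One log statement (or one channel of a junction): filter + destinations."""
    filt: Callable[[str], bool]
    destinations: List[str]
    final: bool = False  # models flags(final) on the statement

def route(messages: List[str], paths: List[LogPath]) -> Dict[str, List[str]]:
    """Deliver each message to every path whose filter matches. Each path gets
    its own copy, so path order is irrelevant unless a path has flags(final)."""
    delivered: Dict[str, List[str]] = {d: [] for p in paths for d in p.destinations}
    for msg in messages:
        for path in paths:
            if not path.filt(msg):
                continue
            for dest in path.destinations:
                delivered[dest].append(msg)
            if path.final:
                break  # later paths never see this message
    return delivered

# Constructed sample messages; hostnames and content are placeholders.
MESSAGES = [
    "pci-db01 sshd[4112]: Accepted publickey for admin from 10.0.0.5",
    "web-03 nginx: GET /health 200",
    "pci-sw01 %SEC-6-IPACCESSLOGP: list 101 denied tcp",
]

def f_allpci(msg: str) -> bool:  # stand-in for the thread's f_allpci
    return msg.startswith("pci-")
def f_swpci(msg: str) -> bool:   # stand-in for the thread's f_swpci
    return msg.startswith("pci-sw")

def counts(paths: List[LogPath]) -> Dict[str, int]:
    return {d: len(m) for d, m in route(MESSAGES, paths).items()}

def separate_statements(final_on_first: bool = False) -> Dict[str, int]:
    """Three log statements sharing the source, as in the first config posted."""
    return counts([
        LogPath(f_allpci, ["d_splunk_PCI"], final=final_on_first),
        LogPath(f_allpci, ["d_sumo_PCI"]),
        LogPath(f_swpci, ["d_secureworks"]),
    ])

def single_statement() -> Dict[str, int]:
    """Evan's form: one statement, one shared filter, three destinations."""
    return counts([LogPath(f_allpci, ["d_splunk_PCI", "d_sumo_PCI", "d_secureworks"])])
```

`separate_statements()` delivers copies to all three destinations, while `separate_statements(True)` reproduces a first-statement-wins pattern: the two later destinations receive nothing once the first statement carries `flags(final)`.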