[syslog-ng] One source multiple destinations ?

Nagy, Gábor gabor.nagy at balabit.com
Fri Mar 9 09:48:39 UTC 2018


Hi Scot!

Yes, messages are copied because you wrote embedded log paths above.
The `channel` keyword is an alias (in some contexts) for the `log` keyword.
There are some rules that apply to embedded log paths:
https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/concepts-embedded-logpaths.html
https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-embedded-logpaths.html

If you need different processing on messages that are coming from the same
source but their format could be different, you can use junctions and handle
the messages differently.
One of the main differences between embedded log paths and junctions is
that with junctions the different branches will be merged, therefore it is
possible to have your messages duplicated.
Also after a junction statement you can invoke any configuration blocks
that could be otherwise applied (well it's still context dependent, you
still can't put a source after a destination block).

BR,
Gabor
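
The three routing shapes discussed in this thread side by side, as an added
example (not a configuration posted by anyone in the thread): one filter with
several destinations, embedded log paths (channels) with a different filter
per destination, and a junction whose branches are merged before the outer
path continues. Host names, ports, the filter expressions, the file path and
the tag name are assumptions. The three `log {}` statements are alternatives
for the same source; loading all of them at once would deliver copies of the
same message to d_splunk_PCI and d_sumo_PCI from two different paths, which
is exactly the duplication Gabor describes above.

```conf
@version: 3.14

# Added example, not from the thread. Everything below the source is assumed.

source s_net_tcp {
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Hypothetical filters: a message from host "pci-sw-fw1" matches both of
# them, which is the case that makes the duplication visible.
filter f_allpci { host("^pci-"); };
filter f_swpci  { host("^pci-sw-"); };

destination d_splunk_PCI  { network("splunk.example.com" port(5140) transport("tcp")); };
destination d_sumo_PCI    { network("sumo.example.com"   port(5141) transport("tcp")); };
destination d_secureworks { network("sw.example.com"     port(5142) transport("tcp")); };
destination d_pci_file    { file("/var/log/pci-merged.log"); };

# 1. Same filter for every sink: one log path, several destinations.
#    Every message that passes f_allpci is written to both destinations.
log {
    source(s_net_tcp);
    filter(f_allpci);
    destination(d_splunk_PCI);
    destination(d_sumo_PCI);
};

# 2. Different filter per sink: embedded log paths. channel {} and log {}
#    mean the same thing here. Each embedded path gets its own copy of every
#    message from s_net_tcp and applies its own filter, so a "pci-sw-fw1"
#    message reaches all three destinations. Adding flags(final) to the
#    first branch stops later branches from processing a message it accepted.
log {
    source(s_net_tcp);
    channel { filter(f_swpci);  destination(d_secureworks); };
    channel { filter(f_allpci); destination(d_splunk_PCI); };
    channel { filter(f_allpci); destination(d_sumo_PCI); };
};

# 3. Junction: channels are evaluated in order, the branches are merged, and
#    the merged stream continues down the outer path. Without flags(final) a
#    "pci-sw-fw1" message would pass both channels and be written twice to
#    d_pci_file; with flags(final) on the first channel it is written once,
#    carrying the tag that only the first branch sets.
rewrite r_tag_sw { set-tag("route-secureworks"); };

log {
    source(s_net_tcp);
    junction {
        channel { filter(f_swpci);  rewrite(r_tag_sw); flags(final); };
        channel { filter(f_allpci); };
    };
    destination(d_pci_file);
};
```

Check the result with `syslog-ng --syntax-only -f <file>` before reloading, and verify the routing by sending a test line from a host matching both filters and counting how many copies land in /var/log/pci-merged.log with and without the flags(final) on the first junction channel.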


On Fri, Mar 9, 2018 at 6:12 AM, Scot <scotrn at gmail.com> wrote:

> T/F
>
> On a log statement with 3 or more channels would a *copy* of each message
> matching the filter would be sent to that destination.
>
> log {
>     source(s_net_tcp);
>     channel { filter(f_allpci); destination (d_splunk_PCI); };
>     channel { filter(f_allpci); destination (d_sumo_PCI); };
>     channel { filter(f_swpci); destination (d_secureworks); };
> };
>
>
>
>
> On Mon, Jan 22, 2018 at 2:04 PM, Scot <scotrn at gmail.com> wrote:
>
>> That was a bad example on my part. I will need unique filters for each
>> destination.
>>
>> log {
>>     source(s_net_tcp);
>>     channel { filter(f_allpci); destination (d_splunk_PCI); };
>>     channel { filter(f_allpci); destination (d_sumo_PCI); };
>>     channel { filter(f_swpci); destination (d_secureworks); };
>> };
>>
>> On Sun, Jan 21, 2018 at 9:41 PM, Scot <scotrn at gmail.com> wrote:
>>
>>> Evan,
>>> That's very helpful, is there somewhere these performance considerations
>>> are outlined?
>>> Only thing I see related is 2.2.1 in the manual.
>>>
>>> I'll try combining the destinations under one log statement in the
>>> morning.
>>>
>>>
>>> On Sat, Jan 20, 2018 at 11:02 AM, Evan Rempel <erempel at uvic.ca> wrote:
>>>
>>>> I would favour a config like
>>>>
>>>> log {
>>>>     source(s_net_tcp);
>>>>     channel { filter(f_pci); destination (d_splunk_PCI); };
>>>>     channel { filter(f_pci); destination (d_sumo_PCI); };
>>>>     channel { filter(f_pci); destination (d_secureworks); };
>>>> };
>>>>
>>>> Although I think your config should work I don't like the idea of
>>>> "re-sourcing" the stream.
>>>>
>>>> Now that I look closer at what you have done you are using the same
>>>> filter, so it could be
>>>>
>>>> log {
>>>>     source(s_net_tcp);
>>>>     filter(f_pci);
>>>>     destination (d_splunk_PCI);
>>>>     destination (d_sumo_PCI);
>>>>     destination (d_secureworks);
>>>> };
>>>>
>>>>
>>>> which takes the source, filters it and sends to all three destinations.
>>>>
>>>> Evan.
>>>>
>>>>
>>>> On 01/20/2018 07:28 AM, Scot wrote:
>>>>
>>>> Thanks Jim,
>>>> I have 4 configs
>>>> sources.conf
>>>> destinations.conf
>>>> filters.conf
>>>> log.conf
>>>>
>>>> Can't post them without revealing sensitive network info but wanted to
>>>> make sure I wasn't assuming something should just work.
>>>> I'll post more after I dig into it but seems to favor the first
>>>> matching log destination when I switch the order and reload with
>>>> syslog-ng-ctl.
>>>>
>>>> log { source(s_net_tcp); filter(f_pci); destination (d_splunk_PCI);};
>>>> log { source(s_net_tcp); filter(f_pci); destination (d_sumo_PCI);};
>>>> log { source(s_net_tcp); filter(f_pci); destination (d_secureworks);};
>>>>
>>>>
>>>>
>>>> On Fri, Jan 19, 2018 at 6:41 PM, james.r.hendrick <
>>>> james.r.hendrick at gmail.com> wrote:
>>>>
>>>>> It should work. Would you share the config?
>>>>> Jim
>>>>>
>>>>>
>>>>>
>>>>> Sent from my Verizon, Samsung Galaxy smartphone
>>>>>
>>>>> -------- Original message --------
>>>>> From: Scot <scotrn at gmail.com>
>>>>> Date: 1/19/18 4:23 PM (GMT-05:00)
>>>>> To: Syslog-ng users' and developers' mailing list <
>>>>> syslog-ng at lists.balabit.hu>
>>>>> Subject: [syslog-ng] One source multiple destinations ?
>>>>>
>>>>> I'm having a problem where I am trying to take  input source(s) and
>>>>> write them out to multiple destinations.
>>>>>
>>>>> Before I go barking up the wrong tree I just wanted to make sure I
>>>>> wasn't missing something.
>>>>>
>>>>> We should be able to take a source and send it to file, elastic-search
>>>>> and SPLUNK and sumologic all at the same time right ?
>>>>>
>>>>> Troubleshooting an odd behavior where only one network destination
>>>>> will work but then I switch the order the other starts working.
>>>>>
>>>>> I know it's vague but has anyone seen this behavior?
>>>>>
>>>>> Thanks
>>>>> Scot
>>>>>
>>>>
>>>>
>>>> ______________________________________________________________________________
>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>
>>>>
>>>>
>>>
>>
>