[syslog-ng] One source multiple destinations ?

Nagy, Gábor gabor.nagy at balabit.com
Fri Mar 9 09:50:57 UTC 2018


Hi again!

What I left out is that if you need embedded log paths I would recommend
using the `log` keyword explicitly rather than the `channel` keyword for
clarity.

Regards,
Gabor

On Fri, Mar 9, 2018 at 10:48 AM, Nagy, Gábor <gabor.nagy at balabit.com> wrote:

> Hi Scot!
>
> Yes messages are copied because you wrote embedded log paths above.
> The `channel` keyword is an alias (in some contexts) for the `log` keyword.
> There are some rules that apply to embedded log paths:
> https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/concepts-embedded-logpaths.html
> https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-embedded-logpaths.html
>
> If you need different processing on messages that are coming from the same
> source but their format could be different, you can use junctions and handle
> the messages differently.
> One of the main differences between embedded log paths and junctions is
> that with junctions the different branches will be merged, therefore it is
> possible to have your messages duplicated.
> Also after a junction statement you can invoke any configuration blocks
> that could be otherwise applied (well it's still context dependent, you
> still can't put a source after a destination block).
>
> BR,
> Gabor
>
>
> On Fri, Mar 9, 2018 at 6:12 AM, Scot <scotrn at gmail.com> wrote:
>
>> T/F
>>
>> On a log statement with 3 or more channels would a *copy* of each
>> message matching the filter be sent to that destination.
>>
>> log {
>>     source(s_net_tcp);
>>     channel { filter(f_allpci); destination (d_splunk_PCI); };
>>     channel { filter(f_allpci); destination (d_sumo_PCI); };
>>     channel { filter(f_swpci); destination (d_secureworks); };
>> };
>>
>>
>>
>>
>> On Mon, Jan 22, 2018 at 2:04 PM, Scot <scotrn at gmail.com> wrote:
>>
>>> That was a bad example on my part. I will need unique filters for each
>>> destination.
>>>
>>> log {
>>>     source(s_net_tcp);
>>>     channel { filter(f_allpci); destination (d_splunk_PCI); };
>>>     channel { filter(f_allpci); destination (d_sumo_PCI); };
>>>     channel { filter(f_swpci); destination (d_secureworks); };
>>> };
>>>
>>> On Sun, Jan 21, 2018 at 9:41 PM, Scot <scotrn at gmail.com> wrote:
>>>
>>>> Evan,
>>>> That's very helpful, is there somewhere these performance considerations
>>>> are outlined?
>>>> Only thing I see related is 2.2.1 in the manual.
>>>>
>>>> I'll try combining the destinations under one log statement in the
>>>> morning.
>>>>
>>>>
>>>> On Sat, Jan 20, 2018 at 11:02 AM, Evan Rempel <erempel at uvic.ca> wrote:
>>>>
>>>>> I would favour a config like
>>>>>
>>>>> log {
>>>>>     source(s_net_tcp);
>>>>>     channel { filter(f_pci); destination (d_splunk_PCI); };
>>>>>     channel { filter(f_pci); destination (d_sumo_PCI); };
>>>>>     channel { filter(f_pci); destination (d_secureworks); };
>>>>> };
>>>>>
>>>>> Although I think your config should work I don't like the idea of
>>>>> "re-sourcing" the stream.
>>>>>
>>>>> Now that I look closer at what you have done you are using the same
>>>>> filter, so it could be
>>>>>
>>>>> log {
>>>>>     source(s_net_tcp);
>>>>>     filter(f_pci);
>>>>>     destination (d_splunk_PCI);
>>>>>     destination (d_sumo_PCI);
>>>>>     destination (d_secureworks);
>>>>> };
>>>>>
>>>>>
>>>>> which takes the source, filters it and sends to all three destinations.
>>>>>
>>>>> Evan.
>>>>>
>>>>>
>>>>> On 01/20/2018 07:28 AM, Scot wrote:
>>>>>
>>>>> Thanks Jim,
>>>>> I have 4 configs
>>>>> sources.conf
>>>>> destinations.conf
>>>>> filters.conf
>>>>> log.conf
>>>>>
>>>>> Can't post them without revealing sensitive network info but wanted to
>>>>> make sure I wasn't assuming something should just work.
>>>>> I'll post more after I dig into it but seems to favor the first
>>>>> matching log destination when I switch the order and reload with
>>>>> syslog-ng-ctl.
>>>>>
>>>>> log { source(s_net_tcp); filter(f_pci); destination (d_splunk_PCI);};
>>>>> log { source(s_net_tcp); filter(f_pci); destination (d_sumo_PCI);};
>>>>> log { source(s_net_tcp); filter(f_pci); destination (d_secureworks);};
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jan 19, 2018 at 6:41 PM, james.r.hendrick <james.r.hendrick at gmail.com> wrote:
>>>>>
>>>>>> It should work. Would you share the config?
>>>>>> Jim
>>>>>>
>>>>>>
>>>>>>
>>>>>> Sent from my Verizon, Samsung Galaxy smartphone
>>>>>>
>>>>>> -------- Original message --------
>>>>>> From: Scot <scotrn at gmail.com>
>>>>>> Date: 1/19/18 4:23 PM (GMT-05:00)
>>>>>> To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
>>>>>> Subject: [syslog-ng] One source multiple destinations ?
>>>>>>
>>>>>> I'm having a problem where I am trying to take input source(s) and
>>>>>> write them out to multiple destinations.
>>>>>>
>>>>>> Before I go barking up the wrong tree I just wanted to make sure I
>>>>>> wasn't missing something.
>>>>>>
>>>>>> We should be able to take a source and send it to file,
>>>>>> elastic-search and SPLUNK and sumologic all at the same time right ?
>>>>>>
>>>>>> Troubleshooting an odd behavior where only one network destination
>>>>>> will work but then I switch the order the other starts working.
>>>>>>
>>>>>> I know it's vague but has anyone seen this behavior?
>>>>>>
>>>>>> Thanks
>>>>>> Scot
>>>>>>
>>>>>
>>>>>
>>>>> ______________________________________________________________________________
>>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>>
>>
>>
>
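As an added example that is not part of the thread: a complete syslog-ng configuration in the junction form Gabor describes, using the thread's own source, filter and destination names. The version directive, hostnames, ports, match patterns and the extra archive destination are placeholders I chose, not values from the thread.

```syslog-ng
@version: 3.14
# Added example, not from the thread. Hostnames, ports, match patterns
# and d_pci_archive are placeholders; replace them with real values.

source s_net_tcp { network(transport("tcp") port(514)); };

# Two filters that are NOT mutually exclusive: every message matched by
# f_swpci is also matched by f_allpci, so one message can satisfy both.
filter f_allpci { match("PCI" value("MESSAGE")); };
filter f_swpci  { filter(f_allpci) and host("sw-"); };

destination d_splunk_PCI  { network("splunk.example.invalid" port(1514) transport("tcp")); };
destination d_sumo_PCI    { network("sumo.example.invalid"   port(1514) transport("tcp")); };
destination d_secureworks { network("sw.example.invalid"     port(1514) transport("tcp")); };
destination d_pci_archive { file("/var/log/pci-all.log"); };

log {
    source(s_net_tcp);

    # Every channel receives every message from the source and applies
    # its own filter, so a message matching both filters is delivered to
    # d_splunk_PCI, d_sumo_PCI and d_secureworks. A message matching only
    # f_allpci goes to the first channel's two destinations only.
    junction {
        channel { filter(f_allpci); destination(d_splunk_PCI); destination(d_sumo_PCI); };
        channel { filter(f_swpci);  destination(d_secureworks); };
    };

    # After the junction the branches are merged back into one stream,
    # and further blocks (here a destination) can follow. As Gabor notes,
    # the merged stream can carry duplicates for messages that passed more
    # than one channel, so the archive may contain such messages twice
    # unless the channel filters are made mutually exclusive.
    destination(d_pci_archive);
};
```

Check the file with `syslog-ng --syntax-only -f <path>` before reloading; it parses the configuration without starting the daemon.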