[syslog-ng] One source multiple destinations ?
Scot
scotrn at gmail.com
Fri Mar 9 15:17:20 UTC 2018
Thanks for the feedback.
While looking at this I'm scratching my head.
If I am only getting UDP syslog from ASAs, then why does the sumo_asa
filter still send data with this config?
source s_net_tcp {tcp(ip(0.0.0.0) port(514) max-connections(300)
keep_hostname(yes) so_rcvbuf(262142) log_iw_size(25000)); };
source s_net_udp {syslog(ip(0.0.0.0) keep_hostname(yes) port(514)
transport("udp") flags(no-hostname) so_rcvbuf(262142));};
filter f_sumo_asa {
host("192.168.1.101") or
host("192.168.1.102") or
host("192.168.1.103") or
host("192.168.1.104") or
host("192.168.1.105");};
log { source(s_net_udp);
channel {destination (d_file); };
#channel {filter(f_sumo_asa); destination (d_sumo_514);};
channel {filter(f_sumo_palto); destination (d_sumo_palto);};
channel {parser(pattern_db); destination (d_es);};
};
log { source(s_net_tcp);
channel {destination (d_file); };
channel {filter(f_sumo_asa); destination (d_sumo_514);};
channel {filter(f_sumo_palto); destination (d_sumo_palto);};
channel {parser(pattern_db); destination (d_es);};
};
On Fri, Mar 9, 2018 at 4:50 AM, Nagy, Gábor <gabor.nagy at balabit.com> wrote:
> Hi again!
>
> What I left out is that if you need embedded log paths I would recommend
> using the `log` keyword explicitly rather than the `channel` keyword for
> clarity.
>
> Regards,
> Gabor
>
> On Fri, Mar 9, 2018 at 10:48 AM, Nagy, Gábor <gabor.nagy at balabit.com> wrote:
>
>> Hi Scot!
>>
>> Yes messages are copied because you wrote embedded log paths above.
>> The `channel` keyword is an alias (in some contexts) for the `log`
>> keyword.
>> There are some rules that apply to embedded log paths:
>> https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/concepts-embedded-logpaths.html
>> https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-embedded-logpaths.html
>>
>> If you need different processing on messages that are coming from the
>> same source but their format could be different, you can use junctions and
>> handle the messages differently.
>> One of the main differences between embedded log paths and junctions is
>> that with junctions the different branches will be merged, therefore it is
>> possible to have your messages duplicated.
>> Also after a junction statement you can invoke any configuration blocks
>> that could be otherwise applied (well it's still context dependent, you
>> still can't put a source after a destination block).
>>
>> BR,
>> Gabor
>>
>>
>> On Fri, Mar 9, 2018 at 6:12 AM, Scot <scotrn at gmail.com> wrote:
>>
>>> T/F
>>>
>>> On a log statement with 3 or more channels, would a *copy* of each
>>> message matching the filter be sent to that destination?
>>>
>>> log {
>>> source(s_net_tcp);
>>> channel { filter(f_allpci); destination (d_splunk_PCI); };
>>> channel { filter(f_allpci); destination (d_sumo_PCI); };
>>> channel { filter(f_swpci); destination (d_secureworks); };
>>> };
>>>
>>>
>>>
>>>
>>> On Mon, Jan 22, 2018 at 2:04 PM, Scot <scotrn at gmail.com> wrote:
>>>
>>>> That was a bad example on my part. I will need unique filters for each
>>>> destination.
>>>>
>>>> log {
>>>> source(s_net_tcp);
>>>> channel { filter(f_allpci); destination (d_splunk_PCI); };
>>>> channel { filter(f_allpci); destination (d_sumo_PCI); };
>>>> channel { filter(f_swpci); destination (d_secureworks); };
>>>> };
>>>>
>>>> On Sun, Jan 21, 2018 at 9:41 PM, Scot <scotrn at gmail.com> wrote:
>>>>
>>>>> Evan,
>>>>> That's very helpful, is there somewhere these performance
>>>>> considerations are outlined?
>>>>> Only thing I see related is 2.2.1 in the manual.
>>>>>
>>>>> I'll try combining the destinations under one log statement in
>>>>> the morning.
>>>>>
>>>>>
>>>>> On Sat, Jan 20, 2018 at 11:02 AM, Evan Rempel <erempel at uvic.ca> wrote:
>>>>>
>>>>>> I would favour a config like
>>>>>>
>>>>>> log {
>>>>>> source(s_net_tcp);
>>>>>> channel { filter(f_pci); destination (d_splunk_PCI); };
>>>>>> channel { filter(f_pci); destination (d_sumo_PCI); };
>>>>>> channel { filter(f_pci); destination (d_secureworks); };
>>>>>> };
>>>>>>
>>>>>> Although I think your config should work I don't like the idea of
>>>>>> "re-sourcing" the stream.
>>>>>>
>>>>>> Now that I look closer at what you have done you are using the same
>>>>>> filter, so it could be
>>>>>>
>>>>>> log {
>>>>>> source(s_net_tcp);
>>>>>> filter(f_pci);
>>>>>> destination (d_splunk_PCI);
>>>>>> destination (d_sumo_PCI);
>>>>>> destination (d_secureworks);
>>>>>> };
>>>>>>
>>>>>>
>>>>>> which takes the source, filters it and sends to all three
>>>>>> destinations.
>>>>>>
>>>>>> Evan.
>>>>>>
>>>>>>
>>>>>> On 01/20/2018 07:28 AM, Scot wrote:
>>>>>>
>>>>>> Thanks Jim,
>>>>>> I have 4 configs
>>>>>> sources.conf
>>>>>> destinations.conf
>>>>>> filters.conf
>>>>>> log.conf
>>>>>>
>>>>>> Can't post them without revealing sensitive network info but wanted
>>>>>> to make sure I wasn't assuming something should just work.
>>>>>> I'll post more after I dig into it but seems to favor the first
>>>>>> matching log destination when I switch the order and reload with
>>>>>> syslog-ng-ctl.
>>>>>>
>>>>>> log { source(s_net_tcp); filter(f_pci); destination (d_splunk_PCI);};
>>>>>> log { source(s_net_tcp); filter(f_pci); destination (d_sumo_PCI);};
>>>>>> log { source(s_net_tcp); filter(f_pci); destination (d_secureworks);};
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Jan 19, 2018 at 6:41 PM, james.r.hendrick <james.r.hendrick at gmail.com> wrote:
>>>>>>
>>>>>>> It should work. Would you share the config?
>>>>>>> Jim
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Sent from my Verizon, Samsung Galaxy smartphone
>>>>>>>
>>>>>>> -------- Original message --------
>>>>>>> From: Scot <scotrn at gmail.com>
>>>>>>> Date: 1/19/18 4:23 PM (GMT-05:00)
>>>>>>> To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
>>>>>>> Subject: [syslog-ng] One source multiple destinations ?
>>>>>>>
>>>>>>> I'm having a problem where I am trying to take input source(s) and
>>>>>>> write them out to multiple destinations.
>>>>>>>
>>>>>>> Before I go barking up the wrong tree I just wanted to make sure I
>>>>>>> wasn't missing something.
>>>>>>>
>>>>>>> We should be able to take a source and send it to file,
>>>>>>> elastic-search and SPLUNK and sumologic all at the same time right ?
>>>>>>>
>>>>>>> Troubleshooting an odd behavior where only one network destination
>>>>>>> will work but then I switch the order the other starts working.
>>>>>>>
>>>>>>> I know it's vague but has anyone seen this behavior?
>>>>>>>
>>>>>>> Thanks
>>>>>>> Scot
>>>>>>>
>>>>>>
>>>>>>
>>>>>> ______________________________________________________________________________
>>>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>
>
>
>
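The layout Gabor describes, as an added example that is not part of the thread: the embedded paths use the explicit `log` keyword, a junction appears only where the branches must rejoin, and `flags(final)` stops a message from leaving the junction twice. Source, filter and destination names follow Scot's config; the addresses, ports and file paths are placeholders.

```syslog-ng
@version: 3.14
# Added example, not from the thread. Names follow Scot's config; the
# addresses, ports and paths are placeholders.

source s_net_udp {
    syslog(ip(0.0.0.0) port(514) transport("udp")
           keep-hostname(yes) flags(no-hostname) so-rcvbuf(262142));
};
source s_net_tcp {
    network(ip(0.0.0.0) port(514) transport("tcp") max-connections(300)
            keep-hostname(yes) log-iw-size(25000) so-rcvbuf(262142));
};

destination d_file     { file("/var/log/remote/all.log"); };
destination d_sumo_514 { network("sumo-collector.example.net" port(514) transport("tcp")); };
destination d_es       { network("es-ingest.example.net" port(5140) transport("tcp")); };

# host() compares the HOST field, which with keep-hostname(yes) is whatever the
# sender wrote into the message; netmask() compares the real source address.
filter f_sumo_asa   { host("192.168.1.101") or host("192.168.1.102"); };
filter f_asa_subnet { netmask("192.168.1.0/24"); };

rewrite r_tag_asa   { set-tag("asa"); };
rewrite r_tag_other { set-tag("other"); };
parser  pattern_db  { db-parser(file("/etc/syslog-ng/patterndb.xml")); };

log {
    source(s_net_udp);
    source(s_net_tcp);

    # Each embedded log path receives its own copy of every message: d_file
    # sees everything, d_sumo_514 only what f_sumo_asa lets through.
    log { destination(d_file); };
    log { filter(f_sumo_asa); destination(d_sumo_514); };

    # A junction is for branches that rejoin: the merged stream continues to
    # the parser and d_es. flags(final) keeps a message that matches the first
    # channel from also going through the second, i.e. from being duplicated.
    junction {
        channel { filter(f_asa_subnet); rewrite(r_tag_asa); flags(final); };
        channel { rewrite(r_tag_other); };
    };
    parser(pattern_db);
    destination(d_es);
};
```

Because `host()` matches the sender-supplied HOST field, `netmask()` is the filter to use when the intent is to select by the sending address. Run `syslog-ng -s -f <file>` to syntax-check a config like this before reloading with syslog-ng-ctl.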