[syslog-ng] One source multiple destinations ?

Nagy, Gábor gabor.nagy at balabit.com
Sat Mar 10 09:21:30 UTC 2018


My understanding is that you receive logs from UDP in *d_sumo_514* even if
you remove the embedded log path forwarding to *d_sumo_514*?

It's hard to guess with this much information.
You've highlighted another log path with TCP source which has the same
filter and destination as with the UDP source.
Do you still receive logs if you comment out the other log path too?

Gabor

On Fri, Mar 9, 2018 at 4:17 PM, Scot <scotrn at gmail.com> wrote:

> Thanks for the feedback.
>
> While looking at this I'm scratching my head.
> If I am only getting UDP Syslog from ASAs then why does the sumo_asa
> filter still send data with this config?
>
>
> source s_net_tcp        {tcp(ip(0.0.0.0) port(514) max-connections(300)
> keep_hostname(yes) so_rcvbuf(262142) log_iw_size(25000)); };
> source s_net_udp       {syslog(ip(0.0.0.0) keep_hostname(yes)  port(514)
> transport("udp") flags(no-hostname) so_rcvbuf(262142));};
>
> filter          f_sumo_asa {
>                         host("192.168.1.101") or
>                         host("192.168.1.102") or
>                         host("192.168.1.103") or
>                         host("192.168.1.104") or
>                         host("192.168.1.105");};
>
>
> log { source(s_net_udp);
>         channel {destination (d_file); };
>         #channel {filter(f_sumo_asa); destination (d_sumo_514);};
>         channel {filter(f_sumo_palto); destination (d_sumo_palto);};
>         channel {parser(pattern_db); destination (d_es);};
> };
>
> log { source(s_net_tcp);
>         channel {destination (d_file); };
> *        channel {filter(f_sumo_asa); destination (d_sumo_514);};*
>         channel {filter(f_sumo_palto); destination (d_sumo_palto);};
>         channel {parser(pattern_db); destination (d_es);};
> };
>
>
>
>
> On Fri, Mar 9, 2018 at 4:50 AM, Nagy, Gábor <gabor.nagy at balabit.com>
> wrote:
>
>> Hi again!
>>
>> What I left out is that if you need embedded log paths I would recommend
>> using the `log` keyword explicitly rather than the `channel` keyword for
>> clarity.
>>
>> Regards,
>> Gabor
>>
>> On Fri, Mar 9, 2018 at 10:48 AM, Nagy, Gábor <gabor.nagy at balabit.com>
>> wrote:
>>
>>> Hi Scot!
>>>
>>> Yes, messages are copied because you wrote embedded log paths above.
>>> The `channel` keyword is an alias (in some contexts) for the `log`
>>> keyword.
>>> There are some rules that apply to embedded log paths:
>>> https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/concepts-embedded-logpaths.html
>>> https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-embedded-logpaths.html
>>>
>>> If you need different processing on messages that are coming from the
>>> same source but their format could be different, you can use junctions and
>>> handle the messages differently.
>>> One of the main differences between embedded log paths and junctions is
>>> that with junctions the different branches will be merged, therefore it is
>>> possible to have your messages duplicated.
>>> Also after a junction statement you can invoke any configuration blocks
>>> that could be otherwise applied (well it's still context dependent, you
>>> still can't put a source after a destination block).
>>>
>>> BR,
>>> Gabor
>>>
>>>
>>> On Fri, Mar 9, 2018 at 6:12 AM, Scot <scotrn at gmail.com> wrote:
>>>
>>>> T/F
>>>>
>>>> On a log statement with 3 or more channels, would a *copy* of each
>>>> message matching the filter be sent to that destination?
>>>>
>>>> log {
>>>>     source(s_net_tcp);
>>>>     channel { filter(f_allpci); destination (d_splunk_PCI); };
>>>>     channel { filter(f_allpci); destination (d_sumo_PCI); };
>>>>     channel { filter(f_swpci); destination (d_secureworks); };
>>>> };
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, Jan 22, 2018 at 2:04 PM, Scot <scotrn at gmail.com> wrote:
>>>>
>>>>> That was a bad example on my part. I will need unique filters for each
>>>>> destination.
>>>>>
>>>>> log {
>>>>>     source(s_net_tcp);
>>>>>     channel { filter(f_allpci); destination (d_splunk_PCI); };
>>>>>     channel { filter(f_allpci); destination (d_sumo_PCI); };
>>>>>     channel { filter(f_swpci); destination (d_secureworks); };
>>>>> };
>>>>>
>>>>> On Sun, Jan 21, 2018 at 9:41 PM, Scot <scotrn at gmail.com> wrote:
>>>>>
>>>>>> Evan,
>>>>>> That's very helpful, is there somewhere these performance
>>>>>> considerations are outlined?
>>>>>> Only thing I see related is 2.2.1 in the manual.
>>>>>>
>>>>>> I'll try combining the destinations under one log statement in
>>>>>> the morning.
>>>>>>
>>>>>>
>>>>>> On Sat, Jan 20, 2018 at 11:02 AM, Evan Rempel <erempel at uvic.ca>
>>>>>> wrote:
>>>>>>
>>>>>>> I would favour a config like
>>>>>>>
>>>>>>> log {
>>>>>>>     source(s_net_tcp);
>>>>>>>     channel { filter(f_pci); destination (d_splunk_PCI); };
>>>>>>>     channel { filter(f_pci); destination (d_sumo_PCI); };
>>>>>>>     channel { filter(f_pci); destination (d_secureworks); };
>>>>>>> };
>>>>>>>
>>>>>>> Although I think your config should work I don't like the idea of
>>>>>>> "re-sourcing" the stream.
>>>>>>>
>>>>>>> Now that I look closer at what you have done you are using the same
>>>>>>> filter, so it could be
>>>>>>>
>>>>>>> log {
>>>>>>>     source(s_net_tcp);
>>>>>>>     filter(f_pci);
>>>>>>>     destination (d_splunk_PCI);
>>>>>>>     destination (d_sumo_PCI);
>>>>>>>     destination (d_secureworks);
>>>>>>> };
>>>>>>>
>>>>>>>
>>>>>>> which takes the source, filters it and sends to all three
>>>>>>> destinations.
>>>>>>>
>>>>>>> Evan.
>>>>>>>
>>>>>>>
>>>>>>> On 01/20/2018 07:28 AM, Scot wrote:
>>>>>>>
>>>>>>> Thanks Jim,
>>>>>>> I have 4 configs
>>>>>>> sources.conf
>>>>>>> destinations.conf
>>>>>>> filters.conf
>>>>>>> log.conf
>>>>>>>
>>>>>>> Can't post them without revealing sensitive network info but wanted
>>>>>>> to make sure I wasn't assuming something should just work.
>>>>>>> I'll post more after I dig into it but seems to favor the first
>>>>>>> matching log destination when I switch the order and reload with
>>>>>>> syslog-ng-ctl.
>>>>>>>
>>>>>>> log { source(s_net_tcp); filter(f_pci); destination (d_splunk_PCI);};
>>>>>>> log { source(s_net_tcp); filter(f_pci); destination (d_sumo_PCI);};
>>>>>>> log { source(s_net_tcp); filter(f_pci); destination (d_secureworks);};
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Jan 19, 2018 at 6:41 PM, james.r.hendrick <
>>>>>>> james.r.hendrick at gmail.com> wrote:
>>>>>>>
>>>>>>>> It should work. Would you share the config?
>>>>>>>> Jim
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Sent from my Verizon, Samsung Galaxy smartphone
>>>>>>>>
>>>>>>>> -------- Original message --------
>>>>>>>> From: Scot <scotrn at gmail.com>
>>>>>>>> Date: 1/19/18 4:23 PM (GMT-05:00)
>>>>>>>> To: Syslog-ng users' and developers' mailing list <
>>>>>>>> syslog-ng at lists.balabit.hu>
>>>>>>>> Subject: [syslog-ng] One source multiple destinations ?
>>>>>>>>
>>>>>>>> I'm having a problem where I am trying to take input source(s) and
>>>>>>>> write them out to multiple destinations.
>>>>>>>>
>>>>>>>> Before I go barking up the wrong tree I just wanted to make sure I
>>>>>>>> wasn't missing something.
>>>>>>>>
>>>>>>>> We should be able to take a source and send it to file,
>>>>>>>> elastic-search and SPLUNK and sumologic all at the same time, right?
>>>>>>>>
>>>>>>>> Troubleshooting an odd behavior where only one network destination
>>>>>>>> will work but then I switch the order the other starts working.
>>>>>>>>
>>>>>>>> I know it's vague but has anyone seen this behavior?
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Scot
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ______________________________________________________________________________
>>>>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>>
>
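Putting the thread's two recommendations side by side, an added example config (not from any of the posts) showing the embedded log paths written with the `log` keyword, where every inner path gets its own copy, and the junction form, where flags(final) keeps a message that matches more than one branch from coming out of the junction twice. The destination targets, the file path and the body of f_sumo_palto are assumed placeholders; the object names follow the thread.

```syslog-ng
@version: 3.14

# Added example: one UDP source fanned out to several destinations.
source s_net_udp {
    syslog(ip(0.0.0.0) port(514) transport("udp") keep_hostname(yes));
};

# Placeholder targets (assumed); only the names come from the thread.
destination d_file       { file("/var/log/network/all.log"); };
destination d_sumo_514   { network("sumo-collector.example" port(514) transport("tcp")); };
destination d_sumo_palto { network("sumo-collector.example" port(515) transport("tcp")); };

filter f_sumo_asa   { host("192.168.1.101") or host("192.168.1.102"); };
filter f_sumo_palto { host("192.168.1.201"); };   # assumed filter body

# 1) Embedded log paths, written with `log` rather than `channel` for
#    clarity. Each inner path receives its own copy of every message the
#    outer path accepted: d_file sees everything, d_sumo_514 only the ASA
#    hosts. There is no "first match wins" between the inner paths.
log {
    source(s_net_udp);
    log { destination(d_file); };
    log { filter(f_sumo_asa);   destination(d_sumo_514); };
    log { filter(f_sumo_palto); destination(d_sumo_palto); };
};

# 2) Junction form. The branches are merged again after the junction, so a
#    message matching both filters would otherwise leave the junction twice
#    and reach d_file twice. flags(final) on a channel stops a matched
#    message from entering the later channels; the fallback channel lets
#    messages that matched no filter continue to d_file unchanged.
log {
    source(s_net_udp);
    junction {
        channel { filter(f_sumo_asa);   destination(d_sumo_514);   flags(final); };
        channel { filter(f_sumo_palto); destination(d_sumo_palto); flags(final); };
        channel { flags(fallback); };
    };
    destination(d_file);
};
```

Run `syslog-ng --syntax-only -f <file>` against the file before reloading to catch typos such as the stray colon in the quoted config above.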