I've been trying to figure out the best way to ingest logs from 2 different data streams and have them go to separate log files.

Here's the copy of my configuration. For my first input I have a bunch of firewall logs coming in to /syslog/firewalls.log. I now want to ingest syslog data from my Isilon to a different log file. It only seems to work if I have host 0.0.0.0 set up. I'm getting the data, but everything is being written to firewalls.log and not my isilon.log.

Any help would be greatly appreciated.

<Extension _syslog>
Module xm_syslog
</Extension>

<Extension _json>
Module xm_json
</Extension>

<Input udp1>
Module im_udp
Host 0.0.0.0
Port 514
Exec parse_syslog();
</Input>

<Output fwlog>
Module om_file
File "/syslog/firewalls.log"
Exec to_json();
</Output>

<Input udp2>
Module im_udp
Host 0.0.0.0
Port 514
InputType Syslog_TLS
Exec parse_syslog();
</Input>

<Output isilog>
Module om_file
File "/syslog/isilon.log"
Exec to_json();
</Output>

########################################
# Routes #
########################################

<Route udp_to_file1>
Path udp1 => fwlog
</Route>

<Route udp_to_file2>
Path udp2 => isilog
</Route>

Asked March 4, 2022 - 2:07am

Answer (1)

Hi Adam,

It appears you are collecting logs from the same source 0.0.0.0:514. If that is the case, you can send it to two different outputs with one route, thus eliminating the need for udp2.

<Route udp_to_file1>
    Path udp1 => fwlog, isilog
</Route>

Alternatively, if you are collecting logs from different sources, please specify the correct port for the second input, e.g. 0.0.0.0:515.

I hope this helps.

Regards,

Jeffron
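
An added example, not part of the original question or answer: one way to keep the two streams in separate files when both devices send to UDP 514. A single input fans out to both outputs, and each output drops the events that do not belong to it by comparing the `$MessageSourceAddress` field set by im_udp. The Isilon address 192.0.2.20 is a placeholder assumption; substitute the real sender address.

```conf
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

# Single listener shared by the firewalls and the Isilon.
<Input udp1>
    Module  im_udp
    Host    0.0.0.0
    Port    514
    Exec    parse_syslog();
</Input>

# Firewall file: discard anything sent by the Isilon.
<Output fwlog>
    Module  om_file
    File    "/syslog/firewalls.log"
    # 192.0.2.20 is a placeholder (assumption), not a value from the post.
    Exec    if $MessageSourceAddress == "192.0.2.20" drop();
    Exec    to_json();
</Output>

# Isilon file: keep only events sent by the Isilon.
<Output isilog>
    Module  om_file
    File    "/syslog/isilon.log"
    Exec    if $MessageSourceAddress != "192.0.2.20" drop();
    Exec    to_json();
</Output>

# Every event is copied to both outputs; the drop() rules above
# decide which copy is actually written.
<Route udp_to_files>
    Path    udp1 => fwlog, isilog
</Route>
```

Without the two `drop()` conditions, the shared route writes every event to both files, so firewall and Isilon records end up mixed in each log.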