Syslog Source Multi-Destination

Example
yaml
sources:
  syslog_input:
    type: syslog
    port: 514
    mode: udp
    sink: distributor
  route_to_destination1:
    type: internal
    from: distributor
    sink: destination1
    transforms:
      - type: regex_filter
        pattern: "^ERROR"
        mode: include
  route_to_destination2:
    type: internal
    from: distributor
    sink: destination2
    transforms:
      - type: regex_filter
        pattern: "^INFO"
        mode: include
sinks:
  distributor:
    type: loopback
  destination1:
    type: logscale
    token: your-token-1
    url: https://cloud.logscale.com
  destination2:
    type: logscale
    token: your-token-2
    url: https://cloud.logscale.com

Introduction

This configuration illustrates how to route syslog data to multiple destinations by introducing a loopback distributor. Instead of sending logs directly to a sink, the distributor acts as a hub, allowing internal routes to filter and forward specific log types to different outputs.

Step-by-Step
  1. yaml
    sources:
      syslog_input:
        type: syslog
        port: 514
        mode: udp
        sink: distributor

    This fragment shows that the syslog_input source forwards logs to the distributor sink.

  2. yaml
    route_to_destination1:
      type: internal
      from: distributor
      sink: destination1
      transforms:
        - type: regex_filter
          pattern: "^ERROR"
          mode: include

    This fragment defines an internal route from distributor to destination1 (includes only ERROR logs).

  3. yaml
    route_to_destination2:
      type: internal
      from: distributor
      sink: destination2
      transforms:
        - type: regex_filter
          pattern: "^INFO"
          mode: include

    This fragment defines an internal route from distributor to destination2 (INFO only).

  4. yaml
    sinks:
      distributor:
        type: loopback

    Here, we define a loopback sink named distributor to route incoming logs to multiple internal destinations.

  5. yaml
    destination1:
      type: logscale
      token: your-token-1
      url: https://cloud.logscale.com

    Here, we define a logscale sink for destination1, which receives ERROR logs from the internal route.

  6. yaml
    destination2:
      type: logscale
      token: your-token-2
      url: https://cloud.logscale.com

    Here, we define a logscale sink for destination2, which receives INFO logs from the internal route.

  7. Event Result set.

Summary and Results

A syslog source forwards logs to a loopback distributor, which splits them into multiple routes. ERROR events go to destination1 and INFO events go to destination2, each defined as separate LogScale sinks. This setup enables flexible multi-destination routing.
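
The following is an added example, not part of the original page or the product's own code: a dry run of the two include filters over constructed sample messages, to show which events reach each sink and which reach neither before the configuration is deployed. It assumes regex_filter behaves like a case-sensitive regex search over the text it is given and that include mode drops non-matching events; the function names and sample messages are hypothetical.

```python
import re

# Route table copied from the page's configuration: sink name -> include pattern.
# Assumption: regex_filter is a case-sensitive search; include drops non-matches.
ROUTES = {
    "destination1": re.compile(r"^ERROR"),
    "destination2": re.compile(r"^INFO"),
}

def route(message):
    """Return the sinks whose include filter matches the message."""
    return [sink for sink, pattern in ROUTES.items() if pattern.search(message)]

def coverage(messages):
    """Group messages by sink; 'unrouted' holds those that no route includes."""
    result = {sink: [] for sink in ROUTES}
    result["unrouted"] = []
    for msg in messages:
        sinks = route(msg)
        for sink in sinks:
            result[sink].append(msg)
        if not sinks:
            result["unrouted"].append(msg)
    return result

# Constructed sample messages (not captured from a real system).
SAMPLES = [
    "ERROR disk /dev/sda1 is full",
    "INFO user alice logged in",
    "WARN certificate expires in 7 days",                 # no route includes WARN
    "<11>Oct 11 22:14:15 host1 app: ERROR disk is full",  # ^ anchor fails on a raw line
    "error lowercase severity",                           # case-sensitive match fails
]

if __name__ == "__main__":
    for sink, msgs in coverage(SAMPLES).items():
        print(f"{sink}: {len(msgs)}")
        for m in msgs:
            print(f"  {m}")
```

Events listed under unrouted are delivered to neither destination under these assumptions, so check that list against the events you need to retain.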