I have a conf file that inputs different files and assigns them a [type] so that they can be accessed individually with the filter and output sections of the conf file.
Here is my conf file:
As you can see, I am sending the [type] = "bluecoat_proxy" to multiple outputs using different plugins.
My issue is that when I was only sending to elasticsearch, all of the logs were being delivered properly. Now that I am using several output plugins, some of the logs are going to elasticsearch, some are going to syslog, and some are going to tcp. To make this situation even odder, this does not happen every time. These logs come in as a .log file and contain 1 hour of Symantec (Bluecoat) WSS logs. The size of this log file can range from 50 MB to several hundred MB.
I was wondering if there is something with the file queue or processing of events that may need to change in order to fix this or if there is something I am not doing properly with my output section of my conf file.
Thank you for your help.