This is perfect.  It works exactly as we need.  Thank you very much for the prompt answer.

If I may, now that this is working, let me take the question one step further.  What if we need to ...

syslog entries that match pattern xxx = export to syslog server A

syslog entries that match pattern yyy = export to syslog server B

syslog entries that match pattern xxx OR yyy = export to syslog server C

That possible in one filter?  Or would we need to write multiple filters?

Daniel

You can create another stream ID for syslog server C and add the dual check above the other two.  If both max, set the appropriate stream ID and return the message.

Thanks, Joseph.  You answered the question asked...but unfortunately I think that I did not phrase the question correctly.

Our match criteria will always be mutually exclusive, so it will never match both.  Always one or the other.

So now that we have this working in it's basic form, now we want to take it a step further and do the following....

(working) Match criteria A, set Stream 10

(working) Match criteria B, set Stream 20

(working) Send stream 10 to syslog Host A

(working) Send stream 20 to syslog Host B

(NEW) Send stream 10 AND 20 to syslog Host C

Unless we have the syntax incorrect, it appears as though we can only send one stream to a given host.  We can configure 'logging host SyslogC filtered stream 10'.  But if we then configure 'logging host SyslogC filtered stream 20', it appears to overwrite the previous configuration, so that we only send Stream 20 to SyslogC, and not Stream 10.

Is it possible to send multiple streams to a single syslog host?

Thank you!

Great!  So just to be clear...If I understand you correctly, then our final configuration would look something like...

logging host ServerA filtered stream 10

logging host ServerB filtered stream 20

logging host ServerC filtered stream 30

!---flash:/security.tcl---

if { [regexp {xxx} $::orig_msg] } {

   set ::stream 10

   errmsg $::severity 30 $::orig_msg

   return $orig_msg

}

if { [regexp {yyy} $::orig_msg] } {

   set ::stream 20

   errmsg $::severity 30 $::orig_msg

   return $orig_msg

}

-------------------------------------------------

logging filter flash:/security.tcl

This would send both sets of messages to ServerC?  Do I understand this correctly?

Thank you so much for you excellent help.  It is much appreciated.

Yes, that should work.

Tested and confirmed.  Thank you!!

Is there a way to do similarly with IOS-XR.

The ESM feature was never ported to XR as far as I know.  I also do not know if XR has any comparable filtering.  The only other IOS feature that could achieve similar results is the logging discriminator.