You can indeed by adding a second line! But....

You might also want to consider sending specifically formatted messages to specific destinations.

Say you have a McAfee ESM and a splunk. The ESM logline uses the Nitro format, and the Splunk format uses CEF (for example).

To send a message to the syslog daemon we have this rule in the logging cycle, 6 = Info:

ESM is already configured as:

daemon.info @esm

OR possibly:

*.* @esm

If you do the following for splunk:

daemon.info @splunk

This would mean that esm and splunk receive both messages (the nitro format, and the splunk format).

1. McAfeeWG|time_stamp=[01/Jan/2015:02:12:31 +0800]|auth_user=jsmith|src_ip=10.10.69.1|server_ip=172.224.247.54|host=www.mcafee.com|url_port=80|status_code=301|bytes_from_client=279|bytes_to_client=1149|categories=Business, Software/Hardware|rep_level=Minimal Risk|method=GET|url=http://www.mcafee.com/|media_type=text/html|application_name=|user_agent=Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)|block_res=0|block_reason=|virus_name=|hash=|filename=|filesize=753| 
2. CEF:0|McAfee|Web Gateway|7.3.2|301|Proxy--|2|rt=Sep 02 2013 16:55:57 cat=Access Log dst=12.234.121.129 dhost=www.mcafee.com suser=jsmith src=10.10.69.1 requestMethod=GET request=http://www.mcafee.com/ app=HTTP cs3=HTTP/1.1 cs3Label=Protocol/Version cs4=Business, Software/Hardware cs4Label=URL Categories cs6=Minimal Risk cs6Label=Reputation fileType=text/html out=1182 requestClientApplication=Mozilla/5.0 Firefox/23.0 cs1= cs1Label=Virus Name cn1=0 cn1Label=Block Reason cs5=Default cs5Label=Policy 

If we want ESM to only get #1, and splunk to only get #2, we would modify the logging rule to use 7 (debug) instead of 6 (info). In the rsyslog conf we would have a line like:

daemon.=debug @splunk

This would ensure only daemon.debug events are sent to the second syslog server (splunk).

Hope this helps. If it doesnt matter what message is sent where, then adding a second line would be fine.

Best Regards.

Jon