<div dir="ltr"><div><div><div>You really want a command executed or just want to echo the value of the fields extracted into a file?<br><br></div>I really wouldn't recomment trying to run a command that can be triggered for every incoming message, it can easily lead to a DoS, simply by flooding the syslog server with a lot of logs.<br><br></div>Hmm... db-parser() is able to rate-limit actions though, the only needed thing is a command execution. Too bad it's too easy to inject badly formatted values into the command line, which is a security issue.<br><br><br></div><div>In your example: cat $user, what if $user contains the the string "'; rm -rf /"? it would get executed in an innocent looking configuration.<br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 5, 2014 at 2:47 PM, C. L. Martinez <span dir="ltr"><<a href="mailto:carlopmart@gmail.com" target="_blank">carlopmart@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
Is it possible to trigger a command after extracting a field using<br>
patterndb? For example I have the following log:<br>
<br>
Nov 4 15:18:10 myserver01 info ftps[876]: Rule Allow <ALLOW>: - MAP<br>
user:mytest IP:1.1.1.1<br>
<br>
<br>
With patterndb, I can extract field user with for example, a value of<br>
$user. Can I trigger a command like "cat $user >> /tmp/users.log"<br>
without calling a script??<br>
<br>
Thanks.<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature">Bazsi</div>
</div>