<div dir="ltr"><div><div><div><br></div>The @confgen line only registers a source driver named s_nginx_modsec_log that you'll have to use in order to expand this in your configuration file.<br><br></div>@confgen is assumed to be used at the top level, whereas the driver is declared as a normal source statement.<br><br><div><br></div><div><div>@module confgen context(source) name(s_nginx_modsec_log) exec("/etc/syslog-ng/scripts/<wbr>confgen-modsec-skeleton.sh")<br><br></div>log {<br></div><div> source { s_nginx_modsec_log(); };<br></div> destination(d_collector);<div>};</div><br></div>Your source name uses the conventions of a source driver (the s_ prefix), so you probably assumed that it is declaring a source, but it isn't. It defines a source driver.<br><div><div><div><br></div></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br><div class="gmail_quote">On Wed, Aug 17, 2016 at 9:42 PM, Jorge Pereira <span dir="ltr"><<a href="mailto:jpereiran@gmail.com" target="_blank">jpereiran@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi guys,<div><br></div><div>Could somebody help?</div></div><div class="gmail_extra"><br clear="all"><div><div data-smartmail="gmail_signature"><div dir="ltr">--<div>Jorge Pereira</div></div></div></div><div><div class="h5">
<br><div class="gmail_quote">On Fri, Aug 12, 2016 at 3:15 AM, Jorge Pereira <span dir="ltr"><<a href="mailto:jpereiran@gmail.com" target="_blank">jpereiran@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi guys!</div><div><br></div><div>Following the sample described in <a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/generating-configuration-blocks.html" target="_blank">https://www.balabit.com/doc<wbr>uments/syslog-ng-ose-latest-<wbr>guides/en/syslog-ng-ose-guide-<wbr>admin/html/generating-<wbr>configuration-blocks.html</a></div><div><br></div><div>1) I have my 'confgen' script that prints the below <b>file()</b> entries. (p.s: these files have content.)</div><div><br></div><div><div># /etc/syslog-ng/scripts/confgen<wbr>-modsec-skeleton.sh</div><div>file("/opt/nginx/logs/waf/<a href="http://www.cocada.com" target="_blank">www.<wbr>cocada.com</a>" program_override("ng_modsec") flags(no-parse));</div><div>file("/opt/nginx/logs/waf/<a href="http://www.caipirinha.com" target="_blank">www.<wbr>caipirinha.com</a>" program_override("ng_modsec") flags(no-parse));</div><div># </div></div><div><br></div><div>2) My config set:</div><div><br></div><div># cat /etc/syslog-ng/conf.d/nginx_mo<wbr>dsec.conf <br></div><div><div>options {<br></div><div> threaded(yes);</div><div> flush_lines(0);</div><div> use-dns(no);</div><div> normalize-hostnames(yes);</div><div> keep-hostname(yes);</div><div>};</div><div><br></div><div>destination d_collector {<br></div><div> tcp("192.168.1.248" port(514) keep-alive(on) );</div><div>};</div><div><br></div><div>log {</div><div>@module confgen context(source) name(s_nginx_modsec_log) exec("/etc/syslog-ng/scripts/c<wbr>onfgen-modsec-skeleton.sh")</div><div> destination(d_collector);</div><div>};</div><div><br></div><div># </div></div><div><br></div><div>Conclusion: The syslog-ng doesn't 
call the script at any time.</div><div><br></div><div># strace -fff /usr/sbin/syslog-ng -dvte 2>&1 | grep "confgen-modsec"<br></div><div><br></div><div>p.s: I have 'confgen' support.</div><div><br></div><div><div># syslog-ng --version | grep confgen</div><div>Available-Modules: syslogformat,kvformat,afamqp,s<wbr>djournal,system-source,afuser,<wbr>json-plugin,dbparser,affile,<wbr>afsocket,linux-kmsg-format,<wbr>afmongodb,mod-python,<b>confgen</b>,<wbr>csvparser,pseudofile,afsql,<wbr>afprog,afstomp,cryptofuncs,<wbr>graphite,basicfuncs</div></div><div>#</div><div><br></div><div>I appreciate any help.</div><div><br></div><div>Best,</div><div>Jorge Pereira</div></div>
</blockquote></div><br></div></div></div>
<br></blockquote></div><br></div>
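<div>Added example (not part of the original thread and not syslog-ng project code): a hypothetical generator that could stand in for confgen-modsec-skeleton.sh, printing one file() source per log file in the directory from the post. Because the script's output becomes configuration, it allow-lists file names before placing them inside a quoted string; the function name and the allow-list are assumptions.</div>

```shell
#!/bin/sh
# Added example; hypothetical stand-in for confgen-modsec-skeleton.sh.
# Wiring, as given in the reply above:
#   @module confgen context(source) name(s_nginx_modsec_log) exec("<path to this script>")   # top level
#   log { source { s_nginx_modsec_log(); }; destination(d_collector); };
#
# Everything printed on stdout becomes syslog-ng configuration, so file
# names are allow-listed before being placed inside a quoted string.

# emit_waf_sources DIR: print one file() source per regular file in DIR.
emit_waf_sources() {
    dir=$1
    for path in "$dir"/*; do
        # Symlinks are skipped so a link dropped into the log directory
        # cannot make syslog-ng read a file elsewhere on the system.
        # Directories and an unmatched glob are skipped as well.
        if [ -L "$path" ] || [ ! -f "$path" ]; then
            continue
        fi
        name=${path##*/}
        case $name in
            .*|*[!A-Za-z0-9._-]*)
                # A quote, parenthesis, semicolon or space in the name would
                # end the string early and change the generated config.
                printf 'skipping unsafe name in %s\n' "$dir" >&2
                continue
                ;;
        esac
        printf 'file("%s/%s" program_override("ng_modsec") flags(no-parse));\n' \
            "$dir" "$name"
    done
}

# DIR is trusted (set by the administrator); default is the path in the post.
emit_waf_sources "${1:-/opt/nginx/logs/waf}"
```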