<div dir="ltr">Hi, <div><br></div><div>Can you try to put the @module... declaration outside the log statement, and use the name of the source (s_nginx...) in the log statement?</div><div><br></div><div>Robert</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 12, 2016 at 8:15 AM, Jorge Pereira <span dir="ltr"><<a href="mailto:jpereiran@gmail.com" target="_blank">jpereiran@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi guys!</div><div><br></div><div>Following the sample described in <a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/generating-configuration-blocks.html" target="_blank">https://www.balabit.com/<wbr>documents/syslog-ng-ose-<wbr>latest-guides/en/syslog-ng-<wbr>ose-guide-admin/html/<wbr>generating-configuration-<wbr>blocks.html</a></div><div><br></div><div>1) I have my 'confgen' script that prints the below <b>file()</b> entries. 
(p.s: these files have content.)</div><div><br></div><div><div># /etc/syslog-ng/scripts/<wbr>confgen-modsec-skeleton.sh</div><div>file("/opt/nginx/logs/waf/<a href="http://www.cocada.com" target="_blank">www.<wbr>cocada.com</a>" program_override("ng_modsec") flags(no-parse));</div><div>file("/opt/nginx/logs/waf/<a href="http://www.caipirinha.com" target="_blank">www.<wbr>caipirinha.com</a>" program_override("ng_modsec") flags(no-parse));</div><div># </div></div><div><br></div><div>2) My config set:</div><div><br></div><div># cat /etc/syslog-ng/conf.d/nginx_<wbr>modsec.conf <br></div><div><div>options {<br></div><div> threaded(yes);</div><div> flush_lines(0);</div><div> use-dns(no);</div><div> normalize-hostnames(yes);</div><div> keep-hostname(yes);</div><div>};</div><div><br></div><div>destination d_collector {<br></div><div> tcp("192.168.1.248" port(514) keep-alive(on) );</div><div>};</div><div><br></div><div>log {</div><div>@module confgen context(source) name(s_nginx_modsec_log) exec("/etc/syslog-ng/scripts/<wbr>confgen-modsec-skeleton.sh")</div><div> destination(d_collector);</div><div>};</div><div><br></div><div># </div></div><div><br></div><div>Conclusion: The syslog-ng doesn't call the script at any time.</div><div><br></div><div># strace -fff /usr/sbin/syslog-ng -dvte 2>&1 | grep "confgen-modsec"<br></div><div><br></div><div>p.s: I have 'confgen' support.</div><div><br></div><div><div># syslog-ng --version | grep confgen</div><div>Available-Modules: syslogformat,kvformat,afamqp,<wbr>sdjournal,system-source,<wbr>afuser,json-plugin,dbparser,<wbr>affile,afsocket,linux-kmsg-<wbr>format,afmongodb,mod-python,<b>co<wbr>nfgen</b>,csvparser,pseudofile,<wbr>afsql,afprog,afstomp,<wbr>cryptofuncs,graphite,<wbr>basicfuncs</div></div><div>#</div><div><br></div><div>I appreciate any help.</div><div><br></div><div>Best,</div><div>Jorge Pereira</div></div>
<br></blockquote></div><br></div>
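One way to lay out the configuration along the lines suggested in the reply, as an added example that is not part of the original thread. The paths, the block name and the destination are copied from the quoted configuration; the source name s_nginx_modsec and the separate source statement are assumptions about how the generated block is referenced.

```conf
# /etc/syslog-ng/conf.d/nginx_modsec.conf (added example, not from the thread)

# Declared at the top level of the file, outside any log { } statement.
# confgen runs the script when the configuration is loaded and registers its
# output as a source-context block named s_nginx_modsec_log.
# The script runs with the privileges of syslog-ng, so it should be owned by
# root and not writable by any other account.
@module confgen context(source) name(s_nginx_modsec_log) exec("/etc/syslog-ng/scripts/confgen-modsec-skeleton.sh")

destination d_collector {
    tcp("192.168.1.248" port(514) keep-alive(on));
};

# s_nginx_modsec is a hypothetical name. The generated block is referenced
# like a source driver and expands to the file() entries the script printed.
source s_nginx_modsec {
    s_nginx_modsec_log();
};

log {
    source(s_nginx_modsec);
    destination(d_collector);
};
```

Running `syslog-ng --syntax-only` after the change checks that the file still parses before the daemon is restarted.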