I am attempting to mail log alerts for failed attempts by root through sshd.

I have various boxes logging remotely (through their native syslogd) to a central log server running syslog-ng 1.6.6 (on redhat ES3.0).

I have the following in my syslog-ng conf specific to ssh:

# I know this catches all, and not just root
filter f_ssh_login_attempt {
program("sshd.*")
and match("(Failed)")
and not match("Accepted");
};

destination d_mail-alert { program("/usr/local/bin/syslog-mail $HOST $PROGRAM"); };

log {
source (s_udp);
filter(f_ssh_login_attempt);
destination(d_mail-alert);
};

I was hoping to be able to pass the $HOST (or other macros) to the script, but this doesn't seem to work.

The script is nothing more than a shell script which attempts to use $1 and $2 in the subject line of the mail message.

The script does generate an email with the syslog message in the body, but $1 and $2 are empty.

How do I pass a value from an expanded macro to an external program?

I will be installing swatch at some point, but since I already had syslog-ng running...

thanks
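
An added example, not part of the original post: a handler for the program() destination that takes the host from each message line read on stdin (the post reports the message text does reach the script) instead of from $1 and $2, and alerts only on failures for root. It assumes lines laid out as `Mon DD HH:MM:SS host sshd[pid]: message` and OpenSSH's `Failed <method> for root from <ip>` wording; the `--run` argument, the `ALERT_TO` variable and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: alert handler that reads syslog lines on stdin.
# Assumed line layout: Mon DD HH:MM:SS host sshd[pid]: Failed <method> for root from <ip> ...

# Keep only characters that are safe in a mail header. Host names and
# addresses in log lines come from the network and must not be trusted.
safe() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9._:-'
}

# Print a mail subject when the line is an sshd failure for root.
# Return 1 for every other line (other users, "Accepted", short lines).
alert_subject() {
    set -f; set -- $1; set +f      # split on whitespace with globbing off
    [ $# -ge 11 ] || return 1
    case $5 in
        'sshd['*']:'|sshd:) ;;
        *) return 1 ;;
    esac
    # Match by field position so text inside a user name cannot fake a root hit.
    [ "$6" = Failed ] && [ "$8" = for ] && [ "$9" = root ] &&
        [ "${10}" = from ] || return 1
    printf 'sshd: failed root login on %s from %s\n' \
        "$(safe "$4")" "$(safe "${11}")"
}

# Read lines until EOF and send one mail per matching line.
handle_stream() {
    while IFS= read -r line; do
        subj=$(alert_subject "$line") || continue
        # The raw line goes in the body only, never into the header.
        printf '%s\n' "$line" | mail -s "$subj" "${ALERT_TO:-root}"
    done
}

# Hypothetical switch: only start reading stdin when asked to.
if [ "${1:-}" = "--run" ]; then
    handle_stream
fi
```

Because the subject is built from the message line itself, the destination's command line needs no macros, only the script path and `--run`.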