Got it. Thanks. I should have realized that.

I'm parsing the message from stdin, and building the mail message that way. Works fine.



From: Balazs Scheidler <bazsi@balabit.hu>
Sent by: syslog-ng-admin@lists.balabit.hu
Date: 04/07/2005 01:48 PM
Please respond to: syslog-ng@lists.balabit.hu
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]how to pass a value from an expanded macro to an external program?

On Wed, 2005-04-06 at 13:53 -0400, Andrew_Hilton@ElementK.com wrote:
> I am attempting to mail log alerts for failed attempts by root through
> sshd.
>
> I have various boxes logging remotely (through their native syslogd)
> to a central log server running syslog-ng 1.6.6 (on redhat ES3.0).
>
> I have the following in my syslog-ng conf specific to ssh:
>
> # i know this catches all, and not just root
> filter f_ssh_login_attempt {
> program("sshd.*")
> and match("(Failed)")
> and not match("Accepted");
> };
>
> destination d_mail-alert { program("/usr/local/bin/syslog-mail $HOST
> $PROGRAM"); };
>
> log {
> source (s_udp);
> filter(f_ssh_login_attempt);
> destination(d_mail-alert);
> };
>
> I was hoping to be able to pass the $HOST (or other macros) to the
> script, but this doesn't seem to work?
>
> the script is nothing more than a shell script which attempts to use
> $1 $2 in the subject line of the mail message.
>
> the script does generate an email with the syslog message in the body,
> but $1 and $2 are empty.
>
> how do I pass a value from an expanded macro to an external program?

Basically you can't. Syslog-ng starts the program up once during
initialization and expects it to run continuously expecting messages on
stdin. It is easy to see that it is not possible to start a program
containing arguments depending on the current log message as it is
already started by that time.

--
Bazsi


_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at
http://www.campin.net/syslog-ng/faq.html
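
Added example, not code from this thread or from the syslog-ng project: a long-running handler for a program() destination that takes HOST and PROGRAM from each line on stdin instead of from command-line arguments, and strips them down before they reach the Subject header, since both fields come from remote senders. The line layout, recipient, sendmail path and the --run flag are assumptions.

```sh
#!/bin/sh
# syslog-ng starts this once and writes one log line per message to stdin.
# Assumed line layout (traditional syslog file format):
#   Mon DD HH:MM:SS HOST PROGRAM[PID]: MESSAGE

ALERT_TO="root@localhost"        # hypothetical recipient
SENDMAIL="/usr/sbin/sendmail"    # assumed path of a sendmail-compatible MTA

# Reduce a field to characters that are safe in a mail header (no CR/LF,
# no separators), because HOST and PROGRAM are supplied by remote senders.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9._-' | cut -c1-64
}

# Print one complete mail message (headers, blank line, body) for one log line.
build_alert() {
    line=$1
    set -f                       # no filename expansion while splitting
    set -- $line                 # split on whitespace into $1..$n
    set +f
    [ "$#" -ge 5 ] || return 1   # too short to contain HOST and PROGRAM
    host=$(sanitize "$4")
    prog=${5%%:*}                       # drop the trailing ":" and what follows
    prog=$(sanitize "${prog%%\[*}")     # drop "[PID]"
    printf 'To: %s\nSubject: [ssh-alert] %s %s\n\n%s\n' \
        "$ALERT_TO" "$host" "$prog" "$line"
}

# Read lines until syslog-ng closes the pipe; send one mail per parsed line.
main_loop() {
    while IFS= read -r line; do
        msg=$(build_alert "$line") || continue
        printf '%s\n' "$msg" | "$SENDMAIL" -t || :
    done
}

# Run only when invoked as: syslog-mail --run  (hypothetical flag)
if [ "${1:-}" = "--run" ]; then
    main_loop
fi
```

With this, the destination would name the script without macros, for example program("/usr/local/bin/syslog-mail --run").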

