thanks for the perl script... this is what I use... it probably could be cleaner, but it works for me ;)

    #!/bin/sh
    # mail su/sudo/ssh root alerts based off the syslog-ng filter
    while IFS= read -r line; do
        # strip the syslog priority, e.g. <38>
        msg=$(printf '%s\n' "$line" | sed 's/^<[0-9][0-9]>//;')
        # program name: field 5 without the trailing ":", "[pid]:" or "(module)[pid]:"
        prog=$(printf '%s\n' "$msg" | awk '{print $5}' | sed -r 's/((:$)|(\[[0-9].+\]:$)|(\([a-z_].+\[[0-9].+\]:$))//g')
        printf '%s\n' "$msg" | /bin/egrep '(@)' > /dev/null 2>&1
        if [ $? -ne 0 ]; then
            hostx=$(printf '%s\n' "$msg" | awk -F"/" '{print $1}' | awk '{print $4}')
        else
            hostx=$(printf '%s\n' "$msg" | awk -F"@" '{print $2}' | awk '{print $1}')
        fi
        # every expansion is quoted so log content is never word-split or glob-expanded
        printf '%s\n' "$msg" | /bin/mail -s "Log Alert - $hostx ($prog)" mailgroup@domain.com
    done

UNIX Admin <infosec@gmail.com>
Sent by: syslog-ng-admin@lists.balabit.hu
04/07/2005 06:50 PM
Please respond to syslog-ng@lists.balabit.hu
To: syslog-ng@lists.balabit.hu
cc:
Subject: Re: [syslog-ng]how to pass a value from an expanded macro to an external program?

D'oh! I left off the -n on the she-bang line:

    #!/usr/bin/perl -n

...to make it behave correctly, but I'm sure you would have figured that out.

On Apr 7, 2005 3:48 PM, UNIX Admin <infosec@gmail.com> wrote:
You could modify the example at http://www.campin.net/perl-mail.txt to do it for you, something like:
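
    #!/usr/bin/perl
    use warnings;
    use strict;

    # strip the priority
    s/^<[\d]{1,2}>//;

    # name the host in the subject when the line carries a timestamp and hostname
    my $subject = "log alert on unknown host";
    if ( /[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\w+)\s/ ) {
        $subject = "log alert on host: $1";
    }

    # list-form pipe open: mailx is run directly and the log line goes to its
    # stdin, so no shell ever parses log content
    open(my $mail, '|-', '/usr/bin/mailx', '-s', $subject, 'user@domain')
        or die "cannot run mailx: $!";
    print $mail $_;
    close($mail);

    __END__
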
The information is there, you just have to get it yourself.
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
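
The subject-line parsing from the handler scripts in this thread, as an added example that is not part of the original posts: every expansion of log content is quoted, and the host and program fields are reduced to a safe character set before they reach the mail command line. It goes slightly beyond the scripts by accepting one- to three-digit priorities; the function names, MAILER, RCPT and the --run switch are assumptions of this sketch.

```sh
#!/bin/sh
# Added example (not from the thread): subject-line parsing for a log alert
# handler fed by syslog-ng. MAILER, RCPT and --run are placeholders.

# Drop a leading syslog priority such as <38>.
strip_pri() {
    case $1 in
        '<'[0-9]'>'* | '<'[0-9][0-9]'>'* | '<'[0-9][0-9][0-9]'>'*)
            printf '%s\n' "${1#*>}" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# Keep only characters that are harmless in a mail header.
safe() { printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_'; }

# Build the Subject from field 4 (host) and field 5 (program).
alert_subject() {
    msg=$(strip_pri "$1")
    set -f              # no globbing while the line is split into fields
    set -- $msg
    set +f
    host=${4:-unknown} prog=${5:-unknown}
    case $host in
        *@*) host=${host#*@} ;;    # src@host   -> host
        */*) host=${host%%/*} ;;   # host/relay -> first host in the chain
    esac
    # sshd[123]: -> sshd, su(pam_unix)[123]: -> su, sudo: -> sudo
    prog=${prog%:}; prog=${prog%%\[*}; prog=${prog%%\(*}
    printf 'Log Alert - %s (%s)\n' "$(safe "$host")" "$(safe "$prog")"
}

# Read lines from stdin and mail each one; the line travels only as data.
handle_stream() {
    while IFS= read -r line; do
        strip_pri "$line" |
            "${MAILER:-/bin/mail}" -s "$(alert_subject "$line")" \
                "${RCPT:-mailgroup@domain.com}"
    done
}

# Act as the handler only when started with --run (hypothetical switch).
if [ "${1:-}" = "--run" ]; then handle_stream; fi
```

Unlike the egrep test in the shell script above, only the host field is checked for "@", so an e-mail address in the message text does not change the host in the subject.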