Thanks for the Perl script... this is what I use... it probably could be cleaner, but it works for me ;)

#!/bin/sh
# mail su/sudo/ssh root alerts based off the syslog-ng filter
# (run from a syslog-ng program() destination; one log line per read)
while read -r line; do
    # strip the leading <PRI> (1 to 3 digits) that syslog-ng prepends
    msg=`echo "$line" | sed 's/^<[0-9]*>//'`
    # field 5 is the program name; drop the trailing ":" / "[pid]:" / "(module)[pid]:"
    prog=`echo "$msg" | awk '{print $5}' | sed -r 's/((:$)|(\[[0-9].+\]:$)|(\([a-z_].+\[[0-9].+\]:$))//g'`
    # if the line contains an "@" the host follows it; otherwise it is field 4 (before any "/")
    if echo "$msg" | /bin/egrep '@' > /dev/null 2>&1; then
        hostx=`echo "$msg" | awk -F"@" '{print $2}' | awk '{print $1}'`
    else
        hostx=`echo "$msg" | awk -F"/" '{print $1}' | awk '{print $4}'`
    fi
    # variables are quoted so globs or spaces inside the log line stay literal
    echo "$msg" | /bin/mail -s "Log Alert - $hostx ($prog)" mailgroup@domain.com
done



UNIX Admin <infosec@gmail.com>
Sent by: syslog-ng-admin@lists.balabit.hu
04/07/2005 06:50 PM
Please respond to: syslog-ng@lists.balabit.hu
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng] how to pass a value from an expanded macro to an external program?

D'oh! I left off the -n on the shebang line:

#!/usr/bin/perl -n

...to make it behave correctly, but I'm sure you would have figured that out.

On Apr 7, 2005 3:48 PM, UNIX Admin <infosec@gmail.com> wrote:

> You could modify the example at http://www.campin.net/perl-mail.txt to
> do it for you, something like:
>
> #!/usr/bin/perl
> use warnings;
> use strict;
>
> # strip the priority (<PRI> is facility*8+severity, so 1 to 3 digits)
> s/^<\d{1,3}>//;
>
> # "Mon DD HH:MM:SS host ..." - capture the host for the subject line
> if ( /[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\w+)\s/ ) {
>         mail_alert("log alert on host: $1", $_);
> } else {
>         mail_alert("log alert on unknown host", $_);
> }
>
> # run mailx directly (list-form open, no shell), so quotes, backticks
> # or $(...) inside a log line are never interpreted as shell syntax
> sub mail_alert {
>         my ($subject, $body) = @_;
>         open(my $mail, '|-', '/usr/bin/mailx', '-s', $subject, 'user@domain')
>                 or die "cannot run mailx: $!";
>         print $mail $body;
>         close($mail);
> }
>
> __END__
>
> The information is there, you just have to get it yourself.
>
_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at
http://www.campin.net/syslog-ng/faq.html
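Both scripts in this thread (the sh one at the top and the quoted Perl one) do the same job: take a line from a syslog-ng program() destination, strip the <PRI>, pull the host and program name out of the header, and hand the line to a mail command. The example below is an added illustration of that pattern, not code from either poster or from the syslog-ng project. It assumes the classic BSD syslog layout ("Mon DD HH:MM:SS host prog[pid]: msg"), a mail binary at /bin/mail, and a placeholder recipient mailgroup@domain.example; the log lines are constructed here. It goes a little beyond the thread's regexes: it accepts one- to three-digit <PRI> values, hostnames containing "-" or ".", and "prog(module)[pid]:" prefixes, and it invokes mail with an argument list rather than through a shell, so a crafted log line cannot inject commands.

```python
import re
import subprocess
import sys

# Constructed sample lines, in the shape syslog-ng's program() destination
# hands to the script with its default template ("<PRI>DATE HOST MSG").
SAMPLE_LINES = [
    "<86>Apr  7 15:48:01 webfront-01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "<38>Apr  7 15:48:05 db-02 sshd[4242]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2",
    "<85>Apr  7 15:48:09 db-02 su(pam_unix)[4300]: session opened for user root by bob(uid=1000)",
    "garbage line without the expected layout",
]

RECIPIENT = "mailgroup@domain.example"   # placeholder, not a real address
MAIL_BIN = "/bin/mail"                   # assumed path, as in the sh script above

# <PRI> is facility*8 + severity, i.e. 0..191: one to three digits.
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Timestamp, host, program (with optional "(module)" and "[pid]"), then message.
# The host class allows "-" and ".", which the thread's \w+ capture rejects.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>[\w.-]+)\s"
    r"(?P<prog>[^\s:\[(]+)(?:\([^)]*\))?(?:\[\d+\])?:\s?"
    r"(?P<msg>.*)$"
)


def parse_line(line):
    """Return (host, prog, msg) for a syslog line, or None if it has no header."""
    line = line.rstrip("\n")
    pri = PRI_RE.match(line)
    if pri:
        line = line[pri.end():]
    header = HEADER_RE.match(line)
    if header is None:
        return None
    return header.group("host"), header.group("prog"), header.group("msg")


def alert_subject(line):
    """Subject in the same style as the sh script: 'Log Alert - host (prog)'."""
    parsed = parse_line(line)
    if parsed is None:
        return "Log Alert - unknown host"
    host, prog, _ = parsed
    return "Log Alert - %s (%s)" % (host, prog)


def build_mail_command(line, recipient=RECIPIENT):
    """argv for the mail command. Passing a list to subprocess (no shell) means
    quotes, backticks or $(...) inside the log line are plain bytes in the
    subject/body, never shell syntax."""
    return [MAIL_BIN, "-s", alert_subject(line), recipient]


def send_alert(line, recipient=RECIPIENT, dry_run=True):
    """Build the command and, unless dry_run, pipe the log line into it."""
    argv = build_mail_command(line, recipient)
    if not dry_run:
        subprocess.run(argv, input=line.encode(), check=True)
    return argv


def main():
    # With no arguments, behave like the thread's scripts: one mail per stdin line.
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        for raw in SAMPLE_LINES:
            print(send_alert(raw))
        return
    for raw in sys.stdin:
        send_alert(raw, dry_run=False)


if __name__ == "__main__":
    main()
```

Run it with `--demo` to see the argv that would be executed for each constructed line; without arguments it reads stdin, which is how a syslog-ng program() destination would drive it. The "unknown host" fallback for lines that do not match the header keeps the behaviour of the Perl version's else branch.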