On Wed, 2005-04-06 at 13:53 -0400, Andrew_Hilton@ElementK.com wrote:
I am attempting to mail log alerts for failed attempts by root through sshd.
I have various boxes logging remotely (through their native syslogd) to a central log server running syslog-ng 1.6.6 (on Red Hat ES 3.0).
I have the following in my syslog-ng conf specific to ssh:
    # i know this catches all, and not just root
    filter f_ssh_login_attempt {
        program("sshd.*") and match("(Failed)") and not match("Accepted");
    };

    destination d_mail-alert {
        program("/usr/local/bin/syslog-mail $HOST $PROGRAM");
    };

    log { source(s_udp); filter(f_ssh_login_attempt); destination(d_mail-alert); };
I was hoping to be able to pass $HOST (or other macros) to the script, but this doesn't seem to work.
The script is nothing more than a shell script which attempts to use $1 and $2 in the subject line of the mail message.
the script does generate an email with the syslog message in the body, but $1 and $2 are empty.
how do I pass a value from an expanded macro to an external program?
Basically you can't. Syslog-ng starts the program up once during initialization and expects it to run continuously, expecting messages on stdin. It is easy to see that it is not possible to start a program with arguments depending on the current log message, as it is already started by that time. -- Bazsi
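The following is an added example, not code from the thread or from syslog-ng itself, showing the shape this usually takes once you accept Bazsi's point: since the program is started once and fed every message on stdin, the per-message macros have to be written into the line by syslog-ng and parsed back out by the script. It assumes the template() option is accepted on a program() destination in the 1.6 series (shown in the comment header), a tab-separated "$HOST\t$PROGRAM\t$MSG" layout, a BSD-style mail(1) that takes -s, a hypothetical recipient ALERT_TO, and a --serve argument that the script uses to decide when to enter its read loop. It also narrows to root inside the script, since the filter in the thread admits every failed login.

```shell
#!/bin/sh
# /usr/local/bin/syslog-mail  (added example, not from the thread)
#
# syslog-ng starts this once and streams every matching message to its
# stdin, one line per message, for the life of the daemon.  Per-message
# macros therefore have to ride inside the line.  Assumed destination,
# writing three tab-separated fields (template() on program() is assumed
# to be available in the 1.6 series):
#
#   destination d_mail-alert {
#       program("/usr/local/bin/syslog-mail --serve"
#               template("$HOST\t$PROGRAM\t$MSG\n"));
#   };

ALERT_TO="${ALERT_TO:-root@localhost}"   # hypothetical recipient
MAIL_CMD="${MAIL_CMD:-mail}"             # assumes a BSD-style mail(1) with -s
TAB="$(printf '\t')"

# Split "host<TAB>program<TAB>message" into its three fields.  The message
# may itself contain tabs, so only the first two tabs are delimiters.
field_host() { printf '%s\n' "${1%%"$TAB"*}"; }
field_prog() { rest="${1#*"$TAB"}"; printf '%s\n' "${rest%%"$TAB"*}"; }
field_msg()  { rest="${1#*"$TAB"}"; printf '%s\n' "${rest#*"$TAB"}"; }

# Subject line built from the per-message host and program, which is what
# "$1 $2" in the original script was meant to carry.
subject_for() {
    printf 'sshd failure on %s (%s)\n' "$(field_host "$1")" "$(field_prog "$1")"
}

# The syslog-ng filter in the thread matches every failed login; narrow to
# root here.  OpenSSH logs "Failed <method> for root from <ip> port <n> ssh2".
is_root_failure() {
    case "$(field_msg "$1")" in
        Failed*" for root from "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Mail one alert: message text as the body, host and program in the subject.
send_alert() {
    field_msg "$1" | "$MAIL_CMD" -s "$(subject_for "$1")" "$ALERT_TO"
}

# Long-running loop syslog-ng talks to.  read -r keeps backslashes in
# messages intact; IFS= keeps leading whitespace.
serve() {
    while IFS= read -r line; do
        is_root_failure "$line" && send_alert "$line"
    done
}

# Only loop when syslog-ng invokes us with --serve, so the functions can be
# sourced or tested without blocking on stdin.
if [ "${1:-}" = "--serve" ]; then
    serve
fi
```

syslog-ng hands the program() string to the shell, so the literal `--serve` argument reaches the script even though macro arguments never would. If the script exits (mail(1) missing, disk full), syslog-ng will not restart it in this version, so keep the loop free of anything that can abort it.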