greetings list,

i will (briefly) describe what i would like to do, what i have tried in order to accomplish that, and what i think is going wrong. i would very much appreciate any help.

at the university that i work at we have a cisco vpn box that is configured to send syslog messages to a debian box running syslog-ng version 2.0rc1-2 (version in 'testing'). the types of messages that are sent from the vpn box are like 'user logging in using ip <ip>' and 'user logging out'.

as these messages are coming in, i would like to spawn a process, extract the useful bits of info from the syslog message and update a database with the connection window for the user, local and remote ip address.

what i have tried:

excerpts from /etc/syslog-ng/syslog-ng.conf

    source s_remote { udp(); };
    destination dp_process_vpn {
        program("/usr/local/sbin/process_vpn_syslog");
    };
    filter f_vpn { netmask("131.212.4.2/255.255.255.255"); };
    log { source(s_remote); filter(f_vpn); destination(dp_process_vpn); };

end of excerpt from /etc/syslog-ng/syslog-ng.conf

# cat /usr/local/sbin/process_vpn_syslog

    #!/usr/bin/perl
    # eventually this program will parse the data in the syslog entry
    # and update a database, but for now, it is just appending the
    # info to a file in /tmp
    use strict;
    $| = 1;
    my $file = '/tmp/vpn_info';
    open FILE, '>>'.$file;
    while (<>) {
        print FILE $_;
    }

end of cat /usr/local/sbin/process_vpn_syslog

i do the following commands to test and confirm that the program process_vpn_syslog is working ok and as expected.

    $ tail -f /tmp/vpn_info
    $ tail -f /storage/syslog/hosts/131.212.4.2/2006/08/28/local4

i get instant data from the file destination driver syslogs going to /storage/syslog/hosts/131.212.4.2/2006/08/28/local4. i get *very* latent data in the file /tmp/vpn_info.

possibilities of what i think is going wrong:

1) data is not being flushed from syslog-ng to the program. i have tried adding flush_lines(1) to the program directive above, to no avail.

2) the syslog-ng documentation says that it starts the program once and restarts it if it exits. i think i am looking for a program that is executed once for every *line* entry from syslog-ng, however i am not sure where to go from here.

thanks again for taking time to look at this.

sincerely,

-- 
Matt Zagrabelny - mzagrabe@d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2

He is not a fool who gives up what he cannot keep to gain what he cannot lose.
-Jim Elliot
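
An added example, not part of the original post and not syslog-ng's own code: a long-running handler for a program() destination that does its work once per input line and turns on autoflush for the output file handle itself (in Perl, `$| = 1` only affects the currently selected handle, which is STDOUT by default). The message wording in the regexes, the user-name character set, the output path /tmp/vpn_sessions and the sample lines in the final comment are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not the poster's script: handler for a syslog-ng program()
# destination. syslog-ng starts it once and writes one message per line to
# its STDIN, so the read loop at the bottom does the per-line work.
use strict;
use warnings;
use IO::Handle;

# Assumed output path; a database update would go where the print is.
my $file = '/tmp/vpn_sessions';
open(my $out, '>>', $file) or die "cannot open $file: $!";
$out->autoflush(1);    # flush this handle after every print

# Assumed message wording, modelled on the two message kinds in the post.
# UDP syslog is unauthenticated, so fields are matched strictly and anything
# that does not fit is ignored instead of being copied into the record.
my $user_re   = qr/[A-Za-z0-9._\@\-]{1,64}/;
my $login_re  = qr/\buser ($user_re) logging in using ip (\d{1,3}(?:\.\d{1,3}){3})\b/;
my $logout_re = qr/\buser ($user_re) logging out\b/;

my %open_session;      # user => { ip => ..., start => epoch seconds }

# Returns one record string when a session closes, undef otherwise.
sub handle_line {
    my ($line, $now) = @_;
    if ($line =~ $login_re) {
        $open_session{$1} = { ip => $2, start => $now };
        return undef;
    }
    if ($line =~ $logout_re) {
        my $user = $1;
        my $s = delete $open_session{$user};
        # A logout with no login seen (handler restarted, UDP packet lost).
        return "user=$user ip=unknown start=unknown end=$now" unless $s;
        return "user=$user ip=$s->{ip} start=$s->{start} end=$now";
    }
    return undef;      # unrelated message
}

# <STDIN> instead of <> so that command-line arguments are never opened.
while (my $line = <STDIN>) {
    chomp $line;
    my $rec = handle_line($line, time);
    print {$out} "$rec\n" if defined $rec;
}
# Constructed input for a manual run:
#   printf 'user alice logging in using ip 192.0.2.10\nuser alice logging out\n'
```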