On 5/19/08, Alexander Clouter <ac56@soas.ac.uk> wrote:
Mladen Tsvetkov <mladen.tsvetkov@telelink.com> [20080515 09:13:32 +0300]:
I am new to syslog-ng. I have successfully installed it and integrated it with MySQL and PHP. My question is: how can I make syslog-ng start rancid when a syslog configuration message is received from a Cisco device:
112578: 1564643: May 15 09:05:19.141 EEST: %SYS-5-CONFIG_I: Configured from console by ******** on vty0 (10.10.10.10).
So far I know that I have to use the program() directive. But how can I pass the hostname and other parameters to rancid?
I probably would have thought an SNMP trap for ciscoConfigManEvent[1] would have been the 'correct' way to do this?
If you plan on using the syslog messages, you probably need to separately run swatch[2] to deal with this, as it's outside of syslog-ng's remit (I think).
I have a slightly different kludge to accomplish this goal. I use syslog-ng with match() to detect these events and write each to a destination of /var/spool/rancid/$HOUR.$HOST. An hourly cron job looks in /var/spool/rancid and calls rancid for just the known hostnames found (named for the previous hour), then deletes the old files. We realized that many analysts have a habit of going in and out of config mode to make several changes in a row; this aggregates all the changes and only calls rancid at most once an hour.

Kevin
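The hourly cron side of the spool-and-aggregate approach described above, as an added example; this is not code from the thread, from syslog-ng or from rancid. It assumes syslog-ng has already spooled each matching event with a filter along the lines of `filter f_cisco_config { match("%SYS-5-CONFIG_I"); };` and a destination `destination d_rancid { file("/var/spool/rancid/$HOUR.$HOST"); };` (the filter and destination names are mine), that `rancid-run` accepts `-r device` to run against a single device (true of rancid 2.3.x as far as I know, but treat it as an assumption), and that the rancid group is called `routers`. The sample log line in the test is constructed from the one quoted in the question.

```shell
#!/bin/sh
# Added example (not from the thread): hourly aggregation of Cisco
# %SYS-5-CONFIG_I events spooled by syslog-ng as $SPOOL/HH.hostname,
# followed by at most one rancid run per host for that hour.
#
# Assumptions, all mine: syslog-ng writes file("/var/spool/rancid/$HOUR.$HOST"),
# rancid-run understands "-r device", and the rancid group is "routers".

SPOOL="${SPOOL:-/var/spool/rancid}"
RANCID_RUN="${RANCID_RUN:-/usr/libexec/rancid/rancid-run}"
RANCID_GROUP="${RANCID_GROUP:-routers}"

# is_config_event LINE -> exit 0 when LINE is a Cisco config-change message.
# Same test the syslog-ng match() performs; useful for checking a sample line.
is_config_event() {
    case "$1" in
        *%SYS-5-CONFIG_I*) return 0 ;;
        *) return 1 ;;
    esac
}

# previous_hour -> two-digit hour the spool files of the last hour were named for.
# GNU date first, BSD date as a fallback.
previous_hour() {
    date -d '1 hour ago' +%H 2>/dev/null || date -v-1H +%H
}

# hosts_for_hour HH -> unique hostnames that have a spool file for hour HH,
# one per line. Only the first "HH." is stripped, so FQDNs keep their dots.
hosts_for_hour() {
    hour="$1"
    for f in "$SPOOL"/"$hour".*; do
        [ -f "$f" ] || continue
        host="${f##*/}"     # drop the directory
        host="${host#*.}"   # drop the "HH." prefix
        printf '%s\n' "$host"
    done | sort -u
}

# run_rancid_for_hour HH -> one rancid-run per host seen in hour HH; a spool
# file is deleted only after its rancid-run succeeded, so a failed run keeps
# the evidence for the next pass.
run_rancid_for_hour() {
    hour="$1"
    hosts_for_hour "$hour" | while IFS= read -r host; do
        # $HOST in syslog-ng comes from the device's syslog header, i.e. from
        # the network, so never let an odd name reach a command line: reject
        # anything that is not a plain hostname or that looks like an option.
        case "$host" in
            ""|-*|*[!A-Za-z0-9._-]*)
                echo "skipping suspicious spool name: $host" >&2
                continue ;;
        esac
        "$RANCID_RUN" -r "$host" "$RANCID_GROUP" && rm -f -- "$SPOOL/$hour.$host"
    done
}

# Invoked from cron as "this-script cron" a few minutes past each hour.
if [ "${1:-}" = "cron" ]; then
    run_rancid_for_hour "$(previous_hour)"
fi
```

Schedule it a few minutes past the hour (e.g. `5 * * * *`) so that events time-stamped 09:59 by a slow device have landed in the `09.` files before the job looks for them. The name check matters more than it looks: the spool file name is built from whatever the device put in its syslog header, so a spoofed message could otherwise turn into `rancid-run -r <anything>`.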