Use this template for your script. Modify it to send email $MSG to you, instead of sending it to /tmp/schrott. That should solve your problem.
#!/bin/bash
while read -r MSG
do
    # Process the message $MSG. Do whatever you like with it.
    # Email it to someone. Whatever. Here we put it in a file.
    echo "$MSG" >> /tmp/schrott
    # We're finished with this message, wait for the next one.
done
# Read returned eof. This means "no more messages". Exit.
exit 0
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Fegan, Joe
Sent: 04 July 2008 22:00
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] loop caused by syslog-ng filter

Hi Luigi,
I have the same problem
Yes, I agree. The problem and solution are explained in detail in my old emails - please read them more carefully. Your script does not follow the guidelines I gave. It must read from its stdin and process the messages that syslog-ng is sending there. Let me quote from my old email:

"The script must read lines from its stdin *in a loop* until syslog-ng hangs up the connection (which will happen when syslog-ng is shutting down). Each line is an individual message. Your example scripts exit immediately. You can't do that. Syslog-ng will automatically restart any destination script that exits, so your scripts will be restarted over and over and over and over because they keep exiting. Eventually syslog-ng will go crazy doing this."

Joe.

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Luigi Augello
Sent: 04 July 2008 18:59
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] loop caused by syslog-ng filter

Hi,
I have the same problem: I need to send a mail when a user is logged in to a server. I built this script that reads from a file:

########### script sndmailaut
#!/bin/sh
cat /tmp/auth|mail luigi@server.it -s "utente loggato"
rm -rf /tmp/auth

used in this syslog-ng.conf:

#############syslog-ng.conf
......
filter f_authpriv {facility(auth, authpriv); };
destination authlog { file("/tmp/auth");};
destination sndmailauth { program("/script/sndmailaut");};
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_authpriv); destination(sndmailauth); };
.....

I don't understand how to solve the problem; can anyone help me!!!!

Thanks in advance
Luigi

I receive a lot of mail; I understand that it is the same problem that Adam raised.

---------- Original Message -----------
From: "Fegan, Joe" <Joe.Fegan@hp.com>
To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Sent: Thu, 20 Mar 2008 15:33:10 +0000
Subject: Re: [syslog-ng] loop caused by syslog-ng filter
The loop starts when syslog-ng recognises the first matching string [Priority: 1] and loops till I stop syslog-ng!!!

Sensor1:~# /etc/init.d/syslog-ng stop
Stopping system logging: syslog-ng.
Sensor1:~# tail -f /tmp/schrott
AAA
Do 20. Mär 14:29:12 CET 2008
AAA
Do 20. Mär 14:29:12 CET 2008
AAA
Do 20. Mär 14:29:12 CET 2008
AAA
Do 20. Mär 14:29:12 CET 2008
AAA
Do 20. Mär 14:29:12 CET 2008
Here is the explanation:
Your script appends to /tmp/schrott and exits. Syslog-ng restarts it. Your script appends to /tmp/schrott and exits. Syslog-ng restarts it. Your script appends to /tmp/schrott and exits. Syslog-ng restarts it. Your script appends to /tmp/schrott and exits. Syslog-ng restarts it. Your script appends to /tmp/schrott and exits. Syslog-ng restarts it.
... and so on, forever ...
The reason is that the script is not obeying the rules for a syslog-ng destination, as previously stated.

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Fegan, Joe
Sent: 20 March 2008 15:11
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] loop caused by syslog-ng filter
Hi Adam,
Please listen to the advice you're being given. From your examples, I think you believe that syslog-ng starts a new instance of your script for each new message. This is not true. Syslog-ng starts *one* instance of your script during its own startup, and it expects that one instance to stay alive for a long time. The script must read lines from its stdin *in a loop* until syslog-ng hangs up the connection (which will happen when syslog-ng is shutting down). Each line is an individual message.
Both of your example scripts exit immediately. You can't do that. Syslog-ng will automatically restart any destination script that exits, so your scripts will be restarted over and over and over and over because they keep exiting. Eventually syslog-ng will go crazy doing this.
As Christian said, a destination script needs a "read" loop like this example:
#!/bin/bash
while read -r MSG
do
    # Process the message $MSG. Do whatever you like with it.
    # Email it to someone. Whatever. Here we put it in a file.
    echo "$MSG" >> /tmp/schrott
    # We're finished with this message, wait for the next one.
done
# Read returned eof. This means "no more messages". Exit.
exit 0
Christian's tips for testing destination scripts are also good. Run the script from the command line yourself. Type in messages like the ones you expect syslog-ng to send it (cut/paste them from /var/log/messages or wherever). Check that the script does what you expect with each message and that it waits for the next one and does *not* exit immediately. When it is working interactively, then you can hook it up to syslog-ng.
Joe.
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of JUNG, Christian
Sent: 20 March 2008 14:22
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] loop caused by syslog-ng filter
Okay. Don't know if I get the things right, but:
All scripts you've mailed to the list write something to a file or send a mail if they're called and terminate directly after that action. syslog-ng will respawn (restart) them directly.
The program started by the program destination should not terminate itself. It has to listen on STDIN for a log message given from syslog-ng. Afterwards it can do something useful and then it has to listen for the next message.
In a shell script you can do this with a "while read LINE; do ...; done".
Try this:
---8<---
#!/bin/bash

while read -r LINE; do
    echo "$(date) $LINE" >> /tmp/schrott
done
---8<---
Execute this script on the command line, enter some random stuff and look into /tmp/schrott:
user@box:~> ./test-script
bla bla bla
bla
Terminate this script by pressing CTRL-D. You should see something like this in /tmp/schrott:
Thu Mar 20 15:13:16 CET 2008 bla bla bla
Thu Mar 20 15:13:18 CET 2008 bla

If not, your script doesn't work :-) Check for typos.
If this works, put it in your syslog-ng conf. It should do the same (only prio 1 messages should be visible with the date prepended).
If this works well, try this script first on the command line:
---8<---
#!/bin/bash

while read -r LINE; do
mail -s "High Priority Snort Alert" Sub-Zero@xxx.de <<-EOF
Alert, Priority 1
$LINE
EOF
done
---8<---
You should receive exactly one mail for every given input line.

If this works, put it in your syslog-ng.conf. Now you should be done.
The thread you mentioned is about two running scripts where only one should run. This shouldn't be the case here. But you can have a look at the output of "ps fax". If you see multiple processes under syslog-ng then you might have the problem.
bye Chris
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Adam Richter
Sent: Thursday, March 20, 2008 2:46 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] loop caused by syslog-ng filter
Hi!
Not working! Syslog-ng filters for exactly the string: [Priority: 1] and not as it is piped by the mail script: #priority 1# note the ":" ! Anyway, I used your script --> same fault!!! I have also used the following script:

#!/bin/sh
echo AAA >> /tmp/schrott
date >> /tmp/schrott

There is no output like [Priority: 1]!!! Then I did the following: tail -f /tmp/schrott and got a loop too! The loop starts when syslog-ng recognises the first matching string [Priority: 1] and loops till I stop syslog-ng!!!

Sensor1:~# /etc/init.d/syslog-ng stop
Stopping system logging: syslog-ng.
Sensor1:~# tail -f /tmp/schrott
AAA
Do 20. Mär 14:29:12 CET 2008
AAA
Do 20. Mär 14:29:12 CET 2008
AAA
Do 20. Mär 14:29:12 CET 2008
AAA
Do 20. Mär 14:29:12 CET 2008
AAA
Do 20. Mär 14:29:12 CET 2008
I think it has something in common with this thread:
https://lists.balabit.hu/pipermail/syslog-ng/2006-October/009454.html
Any other ideas? It's very important!

German: This is my final examination project, and this is the last error that occurs; otherwise the project runs.
bye, Adam / Sub-Zero !
-------- Original Message --------
Date: Thu, 20 Mar 2008 10:32:31 +0100
From: "JUNG, Christian" <christian.jung@saarstahl.com>
To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] loop caused by syslog-ng filter
Hi Adam,
syslog-ng does the right thing :-).
It starts the program/script once and pipes on STDIN every log-message which matches the filter.
If your script is started, it will call mail and pipe "Alert, priority 1" to its STDIN and then exit. syslog-ng sees this and restarts it (version 2.0 or higher behaves that way, see
<http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch09s02.html#reference_destination_program>).

For your purpose this would be better:
---8<---
#!/bin/bash

while read -r LINE; do
cat <<-EOF | mail -s "High Priority Snort Alert" Sub-Zero@xxx.de
Alert, Priority 1
$LINE
EOF
done
---8<---
bye Chris
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Adam Richter
Sent: Thursday, March 20, 2008 9:23 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] loop caused by syslog-ng filter
Hi!
First off, sorry for my poor English! I have a problem with a loop caused by syslog-ng v. 2.0.8. I have set up Snort as an IDS system. Snort writes its messages in unified format to /var/log/snort/snort.alert and /var/log/snort/snort.log. There are two Barnyard processes which read the unified files and convert them to messages that syslog and MySQL understand. Syslog-ng writes the messages to /var/log/auth.log. All this is working fine. Now, I want to set up a filter for Priority 1 alerts. These alerts should be sent to the administrator.
I used the following filter for syslog-ng:

source src {unix-stream("/dev/log"); internal();};
destination email{program("/usr/local/bin/alert_mail.sh");};
filter high {match("[Priority: 1]");};
log {source(src);filter(high); destination(email);};
The alert_mail.sh:
#!/bin/sh
cat << EOF | mail -s "High Priority Snort Alert" Sub-Zero@xxx.de
Alert, Priority 1
EOF
Then I use Nessus to cause some alerts with Priority 1. I can see 4 alerts with the Priority 1 with BASE and in /var/log/auth.log.
Syslog-ng recognises the alert with Priority 1 and activates the script /usr/local/bin/alert_mail.sh
All this is working, but the script is restarted by syslog-ng again and again.
Extract from /var/log/messages:
Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Child program exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', status='0'
Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Starting destination program; cmdline='/usr/local/bin/alert_mail.sh '
Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Closing log writer fd; fd='11'
Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Child program exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', status='0'
Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Starting destination program; cmdline='/usr/local/bin/alert_mail.sh '
Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Child program exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', status='0'
Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Starting destination program; cmdline='/usr/local/bin/alert_mail.sh '
...
Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Child program exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', status='256'
Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Starting destination program; cmdline='/usr/local/bin/alert_mail.sh '
Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Child program exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', status='256'
Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Starting destination program; cmdline='/usr/local/bin/alert_mail.sh '
Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Child program exited, restarting;
...
I get thousands of mails per minute till I stop syslog-ng.
Output of /var/log/auth.log (so you can see that syslog-ng writes snort/barnyard messages correctly to auth.log):

Mar 19 13:56:54 src@Sensor1 barnyard: [1:1394:8] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {UDP} 172.25.1.152:4758 -> 172.28.100.10:137
Mar 19 13:57:13 src@Sensor1 barnyard: [1:1446:8] SMTP vrfy root [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.1.152:1085 -> 172.28.100.10:25
Mar 19 13:57:13 src@Sensor1 barnyard: [1:660:11] SMTP expn root [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.1.152:1085 -> 172.28.100.10:25
Mar 19 13:57:22 src@Sensor1 barnyard: [1:12626:2] Snort Alert [1:12626:0] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 172.25.1.152:1146 -> 172.28.100.10:111
Mar 19 13:57:22 src@Sensor1 barnyard: [1:585:9] RPC portmap sadmind request UDP [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 172.25.1.152:1146 -> 172.28.100.10:111
Mar 19 13:57:24 src@Sensor1 barnyard: [1:566:6] POLICY PCAnywhere server response [Classification: Misc activity] [Priority: 3] {UDP} 172.25.1.152:1155 -> 172.28.100.10:5632
Mar 19 15:11:27 src@Sensor1 barnyard: [122:1:0] portscan: TCP Portscan [Classification: Unknown] [Priority: 3] {PROTO255} 172.25.1.152 -> 172.28.100.10
Mar 19 15:11:58 src@Sensor1 barnyard: [1:1420:13] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.1.152:4482 -> 172.28.100.10:162
Mar 19 15:11:58 src@Sensor1 barnyard: [1:1418:13] SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.1.152:4482 -> 172.28.100.10:161
Mar 19 15:12:05 src@Sensor1 barnyard: [1:1421:13] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.1.152:4482 -> 172.28.100.10:705
Mar 19 15:12:16 src@Sensor1 barnyard: [122:1:0] portscan: TCP Portscan [Classification: Unknown] [Priority: 3] {PROTO255} 172.25.1.152 -> 172.28.100.10
Mar 19 15:12:19 src@Sensor1 barnyard: [1:1394:8] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {UDP} 172.25.1.152:137 -> 172.28.100.10:137
Mar 19 15:12:20 src@Sensor1 barnyard: [1:1394:8] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {UDP} 172.25.1.152:137 -> 172.28.100.10:137
Mar 19 15:12:22 src@Sensor1 barnyard: [1:1394:8] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {UDP} 172.25.1.152:137 -> 172.28.100.10:137
I think it has something in common with this topic:
https://lists.balabit.hu/pipermail/syslog-ng/2006-October/009454.html
Thanks in advance!
Sub-Zero
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
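As an added example that is not a script from this thread: a program() destination written to the rules Joe and Christian give above (one long-lived process, one message per stdin line, exit only at EOF), and going one step further by capping how many mails are sent per time window, since even a correct loop turns a burst of [Priority: 1] alerts into a mail storm. MAIL_TO, MAX_PER_WINDOW, WINDOW, SPOOL and the "run" argument are assumptions of this example, not settings from the page.

```shell
#!/bin/sh
# Added example, not a script from this thread: a syslog-ng program() destination
# that stays alive, reads one message per line from stdin until syslog-ng closes
# the pipe, and throttles mail so a burst of matching alerts cannot become the
# "thousands of mails per minute" described above.
# MAIL_TO, MAX_PER_WINDOW, WINDOW and SPOOL are assumed settings, not from the page.

MAIL_TO="${MAIL_TO:-admin@example.invalid}"   # placeholder recipient
MAX_PER_WINDOW="${MAX_PER_WINDOW:-5}"         # mails allowed per window
WINDOW="${WINDOW:-60}"                        # window length in seconds
SPOOL="${SPOOL:-/tmp/alert_spool}"            # suppressed messages are kept here

# deliver_alert SUBJECT BODY: send exactly one mail for one message.
# A separate function so it can be replaced when testing without an MTA.
deliver_alert() {
    printf '%s\n' "$2" | mail -s "$1" "$MAIL_TO"
}

# process_stream: the read loop syslog-ng expects. It returns only when
# syslog-ng closes the pipe (EOF); it never exits after a single message.
# Prints "<sent> <suppressed>" at the end so callers can check the counts.
process_stream() {
    sent=0; suppressed=0; in_window=0
    window_start=$(date +%s)
    while IFS= read -r line; do        # -r keeps backslashes in the message intact
        now=$(date +%s)
        if [ $((now - window_start)) -ge "$WINDOW" ]; then
            window_start=$now; in_window=0     # new window, reset the counter
        fi
        if [ "$in_window" -lt "$MAX_PER_WINDOW" ]; then
            deliver_alert "High Priority Snort Alert" "$line"
            in_window=$((in_window + 1)); sent=$((sent + 1))
        else
            printf '%s\n' "$line" >> "$SPOOL"  # over the limit: keep it, do not mail
            suppressed=$((suppressed + 1))
        fi
    done
    printf '%s %s\n' "$sent" "$suppressed"
}

# With program("/usr/local/bin/alert_mail.sh run") in syslog-ng.conf the loop
# starts; without the argument the file only defines the functions, which is
# what lets it be exercised from the command line first, as the thread recommends.
case "${1:-}" in
    run) process_stream ;;
esac
```

Interactive check as Christian describes: run `./alert_mail.sh run`, paste a few auth.log lines, and confirm it keeps waiting until you press CTRL-D.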