On Apr 7, 2005 10:48 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
On Wed, 2005-04-06 at 13:53 -0400, Andrew_Hilton@ElementK.com wrote:
I am attempting to mail log alerts for failed attempts by root through sshd.
I have various boxes logging remotely (through their native syslogd) to a central log server running syslog-ng 1.6.6 (on redhat ES3.0).
<SNIP>
I was hoping to be able to pass the $HOST (or other macros) to the script, but this doesn't seem to work?
The script is nothing more than a shell script which attempts to use $1 $2 in the subject line of the mail message.
The script does generate an email with the syslog message in the body, but $1 and $2 are empty.
How do I pass a value from an expanded macro to an external program?
Basically you can't. Syslog-ng starts the program up once during initialization and expects it to run continuously expecting messages on stdin. It is easy to see that it is not possible to start a program containing arguments depending on the current log message as it is already started by that time.
You could modify the example at http://www.campin.net/perl-mail.txt to do it for you, something like:

    #!/usr/bin/perl
    use warnings;
    use strict;

    # syslog-ng starts this once; read one log message per line from stdin
    while (<STDIN>) {
        chomp;
        # strip the priority
        s/^<\d{1,3}>//;
        my $subject = "log alert on unknown host";
        if ( /[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\w+)\s/ ) {
            $subject = "log alert on host: $1";
        }
        # list-form pipe open: mailx is exec'd directly, so no shell ever parses the log text
        open(my $mail, '|-', '/usr/bin/mailx', '-s', $subject, 'user@domain')
            or do { warn "cannot run mailx: $!\n"; next };
        print {$mail} "$_\n";
        close($mail);
    }
    __END__

The information is there, you just have to get it yourself.
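
The same stdin-reading approach for a shell script like the one in the original question, as an added example that is not part of the thread. The `--stdin` argument, the `MAILER` and `RCPT` variables and the function names are assumptions made for illustration. Log text reaches the mailer only as a quoted argument and on stdin, so it is never re-parsed by the shell.

```sh
#!/bin/sh
# Added example (not from the thread). MAILER, RCPT and --stdin are assumptions.
MAILER=${MAILER:-/usr/bin/mailx}
RCPT=${RCPT:-user@domain}

# Print the host field of one syslog line; print nothing if the header does not match.
host_of() {
    printf '%s\n' "$1" | sed -n -E \
        's/^(<[0-9]{1,3}>)?[A-Z][a-z]{2} {1,2}[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2} ([A-Za-z0-9_]+) .*/\2/p'
}

# Build the subject line from the parsed host, with a fallback for odd lines.
subject_for() {
    host=$(host_of "$1")
    if [ -n "$host" ]; then
        printf 'log alert on host: %s\n' "$host"
    else
        printf 'log alert on unknown host\n'
    fi
}

# Mail one message. printf '%s' and the quoted expansions keep backticks,
# $(...) and quotes inside the log text literal.
send_alert() {
    printf '%s\n' "$1" | "$MAILER" -s "$(subject_for "$1")" "$RCPT"
}

# The script is started once and fed messages on stdin, so loop until EOF.
# IFS= and read -r keep leading blanks and backslashes exactly as logged.
run_alerts() {
    while IFS= read -r line; do
        send_alert "$line"
    done
}

if [ "${1:-}" = "--stdin" ]; then
    run_alerts
fi
```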