Do you really want a command executed, or do you just want to echo the value of the extracted fields into a file?

I really wouldn't recommend trying to run a command that can be triggered for every incoming message; it can easily lead to a DoS, simply by flooding the syslog server with a lot of logs.

Hmm... db-parser() is able to rate-limit actions though, so the only thing needed is command execution. Too bad it's too easy to inject badly formatted values into the command line, which is a security issue.


In your example, cat $user, what if $user contains the string "'; rm -rf /"? It would get executed from an innocent-looking configuration.


On Wed, Nov 5, 2014 at 2:47 PM, C. L. Martinez <carlopmart@gmail.com> wrote:
Hi all,

 Is it possible to trigger a command after extracting a field using
patterndb? For example I have the following log:

Nov  4 15:18:10 myserver01 info ftps[876]: Rule Allow <ALLOW>: - MAP
user:mytest IP:1.1.1.1


 With patterndb, I can extract the field user with, for example, a value of
$user. Can I trigger a command like "cat $user >> /tmp/users.log"
without calling a script?

Thanks.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq




--
Bazsi
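The injection Bazsi describes, as an added example that is not part of the thread and not syslog-ng code: a small Python script extracts the user field from two constructed log lines (the second carries a hostile value), expands it into a command template, and then runs the result three ways. The regex standing in for the patterndb field extraction, the $name template expansion, and the allowlist pattern are all assumptions made for the demonstration; the payload uses echo rather than anything destructive.

```python
import re
import subprocess

# Constructed sample log lines modelled on the one in the thread. The second
# carries a hostile "user" value (constructed for this example, not from the post).
SAMPLE_LOGS = [
    "Nov  4 15:18:10 myserver01 info ftps[876]: Rule Allow <ALLOW>: - MAP "
    "user:mytest IP:1.1.1.1",
    "Nov  4 15:18:11 myserver01 info ftps[876]: Rule Allow <ALLOW>: - MAP "
    "user:mytest; echo INJECTED IP:1.1.1.1",
]

# Stand-in for the patterndb extraction: take everything between "user:" and
# " IP:" as the user field (assumption; a real pattern would use @ESTRING@ etc.).
FIELD_RE = re.compile(r"user:(?P<user>.*?) IP:(?P<ip>\S+)")


def extract_fields(line):
    """Return {'user': ..., 'ip': ...} for a matching line, else None."""
    m = FIELD_RE.search(line)
    return m.groupdict() if m else None


def expand_template(template, fields):
    """Naive $name substitution, mimicking a template handed to a shell."""
    return re.sub(r"\$(\w+)", lambda m: fields.get(m.group(1), ""), template)


def run_unsafe(template, fields):
    """Expand into ONE string and hand it to /bin/sh: the injectable pattern.

    With a hostile user value the shell sees two commands, not one.
    """
    cmd = expand_template(template, fields)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(argv_template, fields):
    """Expand each argv element separately and exec without a shell.

    Metacharacters in the value are passed literally to the program, so they
    cannot start a second command. The value itself is still untrusted.
    """
    argv = [expand_template(arg, fields) for arg in argv_template]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Allowlist for values that may reach a command at all (assumption: usernames
# here are short alphanumerics with dot, underscore or dash).
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


def is_safe_value(value):
    return SAFE_VALUE.match(value) is not None


def run_safe(argv_template, fields):
    """Allowlist every field the template references, then exec without a shell."""
    for name in set(re.findall(r"\$(\w+)", " ".join(argv_template))):
        value = fields.get(name, "")
        if not is_safe_value(value):
            raise ValueError("rejected value for $%s: %r" % (name, value))
    return run_argv(argv_template, fields)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        fields = extract_fields(line)
        print("user field:", repr(fields["user"]))
        print(" shell   :", repr(run_unsafe("echo user=$user", fields)))
        print(" argv    :", repr(run_argv(["echo", "user=$user"], fields)))
        try:
            print(" allowlist:", repr(run_safe(["echo", "user=$user"], fields)))
        except ValueError as e:
            print(" allowlist:", e)
```

Running it shows the first line behaving identically in all three modes, while the second line prints INJECTED on its own line only under the shell-string variant; the argv variant echoes the metacharacters harmlessly, and the allowlist variant refuses the value before anything runs. Rate limiting, as noted above, addresses the flooding problem but not this one: the fix is to never build the command from a single expanded string.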