I set up a match line to match the string "attackalert" from portsentry, and I pipe this off to a script that mails it to me.

This works great, but I get emails with "<29>" prepended to it. Example:

<29>Nov 5 12:46:37 skitzo portsentry[121]: attackalert: Host 209.202.221.43 has been blocked via dropped route using command: "/usr/local/sbin/iptables -I INPUT -s 209.202.221.43 -j DROP"

I just set up sqlsyslogd to output to a mysql database from a program() destination, and it prepends the <29> to the messages sent there as well.

I checked out http://www.ietf.org/rfc/rfc3164.txt and it looks like this is a priority. How can I keep this from showing up in the output? I hacked sqlsyslogd to print the string from 4 chars into the timestamp, so my mysql inputs are clean, but what do I do to clean up the mail?

-- 
Nate Campi http://www.campin.net
GnuPG key: 0xC17AEF79 Key fingerprint = BF12 722F 8799 E614 33CC FAB7 5A90 C464 C17A EF79
On Mon, Nov 05, 2001 at 03:03:15PM -0800, Nate Campi wrote:
I just set up sqlsyslogd to output to a mysql database from a program() destination, and it prepends the <29> to the messages sent there as well.
I've been inputting logs into the database all day now, and I see that many different priorities are reported. The problem is that some priorities are single digit (i.e. <6>) while others are double digit (i.e. <29>), messing up my C prog which parses the syslog messages. It counts on the timestamp portion being a certain number of characters.

I found this in afprogram.c:

if (self->dest)
    A_WRITE_STRING(&self->dest->buffer->super,
        c_format("<%i>%S %S %S\n", msg->pri, msg->date, msg->host, msg->msg));

I tried to remove the priority part:

if (self->dest)
    A_WRITE_STRING(&self->dest->buffer->super,
        c_format("%S %S %S\n", msg->date, msg->host, msg->msg));

but it won't compile:

-DHAVE_CONFIG_H -I. -I/usr/src/syslog-ng-1.4.14/src -I. -O2 -Wall -I/usr/src/libol-0.2.23/src -D_GNU_SOURCE -c afstreams.c
/usr/src/libol-0.2.23/utils/make_class <afprogram.c >afprogram.c.xT
/bin/sh: /usr/src/libol-0.2.23/utils/make_class: No such file or directory
make[3]: *** [afprogram.c.x] Error 127
make[3]: Leaving directory `/usr/src/syslog-ng-1.4.14/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/src/syslog-ng-1.4.14/src'
make[1]: *** [all-recursive-am] Error 2
make[1]: Leaving directory `/usr/src/syslog-ng-1.4.14/src'
make: *** [all-recursive] Error 1

I would really like to ditch the priority info, but if not, can't I at least format the entry like you can with printf() to keep a leading zero when it's a single digit priority? I don't know where c_format() is defined, and if it will accept formatting like this. I suck at C and don't want to have to rewrite this db entry program, I'd have to do it in Perl, and it would be much harder for me than simply modifying syslog-ng a little.

TIA,

-- 
Nate Campi http://www.campin.net
GnuPG key: 0xC17AEF79 Key fingerprint = BF12 722F 8799 E614 33CC FAB7 5A90 C464 C17A EF79

If I had a ( for every $ the government spent, what would I have? Typical unix response: Too many ('s.
On Mon, Nov 05, 2001 at 11:50:15PM -0800, Nate Campi wrote:
On Mon, Nov 05, 2001 at 03:03:15PM -0800, Nate Campi wrote:
I just set up sqlsyslogd to output to a mysql database from a program() destination, and it prepends the <29> to the messages sent there as well.
I've been inputting logs into the database all day now, and I see that many different priorities are reported. The problem is that some priorities are single digit (i.e. <6>) while others are double digit (i.e. <29>), messing up my C prog which parses the syslog messages. It counts on the timestamp portion being a certain number of characters.
I found this in afprogram.c:
if (self->dest)
    A_WRITE_STRING(&self->dest->buffer->super,
        c_format("<%i>%S %S %S\n", msg->pri, msg->date, msg->host, msg->msg));
I tried to remove the priority part:
if (self->dest)
    A_WRITE_STRING(&self->dest->buffer->super,
        c_format("%S %S %S\n", msg->date, msg->host, msg->msg));
but it won't compile:
-DHAVE_CONFIG_H -I. -I/usr/src/syslog-ng-1.4.14/src -I. -O2 -Wall -I/usr/src/libol-0.2.23/src -D_GNU_SOURCE -c afstreams.c
/usr/src/libol-0.2.23/utils/make_class <afprogram.c >afprogram.c.xT
/bin/sh: /usr/src/libol-0.2.23/utils/make_class: No such file or directory
make[3]: *** [afprogram.c.x] Error 127
make[3]: Leaving directory `/usr/src/syslog-ng-1.4.14/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/src/syslog-ng-1.4.14/src'
make[1]: *** [all-recursive-am] Error 2
make[1]: Leaving directory `/usr/src/syslog-ng-1.4.14/src'
make: *** [all-recursive] Error 1
The problem is that you don't have scsh installed, which is necessary to produce .x files from .c and .h files. Since you didn't modify class definitions this step is not required, so you can satisfy the dependency by touching afprogram.c.x. Another solution is to use the template() option in the 1.5.x series.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
Hi,

Is there any chance that I can get a copy of your mail script? I can't seem to get one to work. Yes, I'm a newbie.....but I'm trying!

Thanks,
Sb

----- Original Message -----
From: "Nate Campi" <nate@campin.net>
To: <syslog-ng@lists.balabit.hu>
Sent: Monday, November 05, 2001 6:03 PM
Subject: [syslog-ng]syslog-ng messages sent to outside prog
I set up a match line to match the string "attackalert" from portsentry, and I pipe this off to a script that mails it to me.
This works great, but I get emails with "<29>" prepended to it. Example:
<29>Nov 5 12:46:37 skitzo portsentry[121]: attackalert: Host 209.202.221.43 has been blocked via dropped route using command: "/usr/local/sbin/iptables -I INPUT -s 209.202.221.43 -j DROP"
I just set up sqlsyslogd to output to a mysql database from a program() destination, and it prepends the <29> to the messages sent there as well.
I checked out http://www.ietf.org/rfc/rfc3164.txt and it looks like this is a priority. How can I keep this from showing up in the output? I hacked sqlsyslogd to print the string from 4 chars into the timestamp, so my mysql inputs are clean, but what do I do to clean up the mail?

-- 
Nate Campi http://www.campin.net
GnuPG key: 0xC17AEF79 Key fingerprint = BF12 722F 8799 E614 33CC FAB7 5A90 C464 C17A EF79
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng
Snortball on Tue, Nov 06, 2001 at 09:25:43AM -0500:
Hey,
Is there any chance that I can get a copy of your mail script? I can't seem to get one to work. Yes, I'm a newbie.....but I'm trying!
while read LOGLINE; do
    echo $LOGLINE | mail foo@bar.com
done

should do it.

Greetings,

-- 
Gregor Binder <gb@(rootnexus.net|sysfive.com)>
Id: 0xE2F31C4B Fp: 8B8A 5CE3 B79B FBF1 5518 8871 0EFB AFA3 E2F3 1C4B
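The two problems raised in this thread, the "<29>" prefix that reaches the mail and the database, and a parser that assumes the timestamp starts at a fixed offset even though the PRI is one to three digits wide, have the same fix: parse the PRI as RFC 3164 defines it instead of cutting a fixed number of characters. The script below is an added example, not code from this thread or from syslog-ng; it extends the while/read mail loop above with a strip_pri function that accepts only a 1 to 3 digit PRI in the range 0..191 and passes anything else through untouched so no alert is lost, decodes facility (PRI / 8) and severity (PRI % 8), and fixes two quiet defects in the one-liner: `read -r` keeps backslashes in the log line intact, and `printf '%s\n'` with a quoted variable avoids echo's option and escape handling and preserves the line's spacing. The `mail -s` invocation, the `--mail` / `--demo` flags and the sample log line are assumptions of this example.

```shell
#!/bin/sh
# Added example: syslog-ng program() destination script that strips the
# RFC 3164 PRI ("<N>", 1 to 3 digits, 0..191) before mailing the line.

# Print the line without its PRI. A line whose prefix is not a valid PRI
# is printed unchanged, so the cleanup step never drops an alert.
strip_pri() {
    case "$1" in
        "<"[0-9]">"*|"<"[0-9][0-9]">"*|"<"[0-9][0-9][0-9]">"*)
            pri=${1#"<"}; pri=${pri%%">"*}
            if [ "$pri" -le 191 ]; then
                printf '%s\n' "${1#*">"}"
                return 0
            fi
            ;;
    esac
    printf '%s\n' "$1"
}

# Print just the numeric PRI of a line, or nothing if it is absent/invalid.
extract_pri() {
    case "$1" in
        "<"[0-9]">"*|"<"[0-9][0-9]">"*|"<"[0-9][0-9][0-9]">"*)
            pri=${1#"<"}; pri=${pri%%">"*}
            [ "$pri" -le 191 ] && echo "$pri"
            ;;
    esac
}

# RFC 3164 section 4.1.1: PRI = facility * 8 + severity.
# <29> is facility 3 (daemon), severity 5 (notice).
pri_facility() { echo $(( $1 / 8 )); }
pri_severity() { echo $(( $1 % 8 )); }

# Mail loop: read -r keeps backslashes, IFS= keeps leading whitespace,
# and the quoted printf in strip_pri preserves the line exactly.
# Assumes a BSD/mailx style "mail -s subject recipient".
mail_alerts() {
    recipient=$1
    while IFS= read -r logline; do
        strip_pri "$logline" | mail -s "portsentry attackalert" "$recipient"
    done
}

# Installed as the destination:  mailalert.sh --mail ops@example.com
# Quick check with a constructed line: mailalert.sh --demo
case "${1:-}" in
    --mail) mail_alerts "$2" ;;
    --demo)
        line='<29>Nov 5 12:46:37 skitzo portsentry[121]: attackalert: Host 209.202.221.43 has been blocked via dropped route'
        strip_pri "$line"
        echo "facility=$(pri_facility "$(extract_pri "$line")") severity=$(pri_severity "$(extract_pri "$line")")"
        ;;
esac
```

Because strip_pri matches on the digit count rather than on a fixed column, single-digit (<6>) and two-digit (<29>) priorities come out identically, which is exactly what the fixed-offset C parser in the earlier message could not cope with; the same case pattern is a one-line port if the check is wanted in C or Perl instead.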
On Tue, Nov 06, 2001 at 04:12:58PM +0100, Gregor Binder wrote:
Snortball on Tue, Nov 06, 2001 at 09:25:43AM -0500:
Hey,
Is there any chance that I can get a copy of your mail script? I can't seem to get one to work. Yes, I'm a newbie.....but I'm trying!
while read LOGLINE; do
    echo $LOGLINE | mail foo@bar.com
done
I had found that script in the archives from a posting by Balazs. I ended up patching sqlsyslogd, since it's easier to patch the logging utility once than to patch syslog-ng every time I upgrade. I just need to know about strstr(), and my problems were over ;) If people are interested I can post it to the list.

-- 
Nate Campi http://www.campin.net
GnuPG key: 0xC17AEF79 Key fingerprint = BF12 722F 8799 E614 33CC FAB7 5A90 C464 C17A EF79

What goes up, must come down. Ask any system administrator.
I'M VERY VERY SORRY! This was supposed to go to the sender, not the list....I promise I'll stop being stupid....

----- Original Message -----
From: "Snortball" <snortball@hotmail.com>
To: <syslog-ng@lists.balabit.hu>
Sent: Tuesday, November 06, 2001 9:25 AM
Subject: Re: [syslog-ng]syslog-ng messages sent to outside prog
Hi,
Is there any chance that I can get a copy of your mail script? I can't seem to get one to work. Yes, I'm a newbie.....but I'm trying!
Thanks,
Sb

----- Original Message -----
From: "Nate Campi" <nate@campin.net>
To: <syslog-ng@lists.balabit.hu>
Sent: Monday, November 05, 2001 6:03 PM
Subject: [syslog-ng]syslog-ng messages sent to outside prog

I set up a match line to match the string "attackalert" from portsentry, and I pipe this off to a script that mails it to me.
This works great, but I get emails with "<29>" prepended to it. Example:
<29>Nov 5 12:46:37 skitzo portsentry[121]: attackalert: Host 209.202.221.43 has been blocked via dropped route using command: "/usr/local/sbin/iptables -I INPUT -s 209.202.221.43 -j DROP"
I just set up sqlsyslogd to output to a mysql database from a program() destination, and it prepends the <29> to the messages sent there as well.
I checked out http://www.ietf.org/rfc/rfc3164.txt and it looks like this is a priority. How can I keep this from showing up in the output? I hacked sqlsyslogd to print the string from 4 chars into the timestamp, so my mysql inputs are clean, but what do I do to clean up the mail?

-- 
Nate Campi http://www.campin.net
GnuPG key: 0xC17AEF79 Key fingerprint = BF12 722F 8799 E614 33CC FAB7 5A90 C464 C17A EF79