how to pass a value from an expanded macro to an external program?
I am attempting to mail log alerts for failed attempts by root through sshd. I have various boxes logging remotely (through their native syslogd) to a central log server running syslog-ng 1.6.6 (on redhat ES3.0).

I have the following in my syslog-ng conf specific to ssh:

# i know this catches all, and not just root
filter f_ssh_login_attempt { program("sshd.*") and match("(Failed)") and not match("Accepted"); };
destination d_mail-alert { program("/usr/local/bin/syslog-mail $HOST $PROGRAM"); };
log { source (s_udp); filter(f_ssh_login_attempt); destination(d_mail-alert); };

I was hoping to be able to pass the $HOST (or other macros) to the script, but this doesn't seem to work? The script is nothing more than a shell script which attempts to use $1 $2 in the subject line of the mail message. The script does generate an email with the syslog message in the body, but $1 and $2 are empty.

How do I pass a value from an expanded macro to an external program? I will be installing swatch at some point, but since I already had syslog-ng running... thanks
On Wed, 2005-04-06 at 13:53 -0400, Andrew_Hilton@ElementK.com wrote:
I am attempting to mail log alerts for failed attempts by root through sshd.
I have various boxes logging remotely (through their native syslogd) to a central log server running syslog-ng 1.6.6 (on redhat ES3.0).
I have the following in my syslog-ng conf specific to ssh:
# i know this catches all, and not just root
filter f_ssh_login_attempt { program("sshd.*") and match("(Failed)") and not match("Accepted"); };
destination d_mail-alert { program("/usr/local/bin/syslog-mail $HOST $PROGRAM"); };
log { source (s_udp); filter(f_ssh_login_attempt); destination(d_mail-alert); };
I was hoping to be able to pass the $HOST (or other macros) to the script, but this doesn't seem to work?
the script is nothing more than a shell script which attempts to use $1 $2 in the subject line of the mail message.
the script does generate an email with the syslog message in the body, but $1 and $2 are empty.
how do I pass a value from an expanded macro to an external program?
Basically you can't. Syslog-ng starts the program up once during initialization and expects it to run continuously, expecting messages on stdin. It is easy to see that it is not possible to start a program containing arguments depending on the current log message, as it is already started by that time.

-- Bazsi
Got it. Thanks. I should have realized that. I'm parsing the message from stdin, and building the mail message that way. Works fine.

Balazs Scheidler <bazsi@balabit.hu> wrote on 04/07/2005 01:48 PM:
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
On Apr 7, 2005 10:48 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
On Wed, 2005-04-06 at 13:53 -0400, Andrew_Hilton@ElementK.com wrote:
I am attempting to mail log alerts for failed attempts by root through sshd.
I have various boxes logging remotely (through their native syslogd) to a central log server running syslog-ng 1.6.6 (on redhat ES3.0).
<SNIP>
I was hoping to be able to pass the $HOST (or other macros) to the script, but this doesn't seem to work?
the script is nothing more than a shell script which attempts to use $1 $2 in the subject line of the mail message.
the script does generate an email with the syslog message in the body, but $1 and $2 are empty.
how do I pass a value from an expanded macro to an external program?
Basically you can't. Syslog-ng starts the program up once during initialization and expects it to run continuously, expecting messages on stdin. It is easy to see that it is not possible to start a program containing arguments depending on the current log message, as it is already started by that time.
You could modify the example at http://www.campin.net/perl-mail.txt to do it for you, something like:

#!/usr/bin/perl
use warnings;
use strict;

# strip the priority
s/^<[\d]{1,2}>//;

if ( /[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\w+)\s/ ) {
    system("echo \"$_\" | /usr/bin/mailx -s \"log alert on host: $1\" user\@domain");
} else {
    system("echo \"$_\" | /usr/bin/mailx -s \"log alert on unknown host\" user\@domain");
}
__END__

The information is there, you just have to get it yourself.
D'oh! I left off the -n on the she-bang line:

#!/usr/bin/perl -n

...to make it behave correctly, but I'm sure you would have figured that out.

On Apr 7, 2005 3:48 PM, UNIX Admin <infosec@gmail.com> wrote:
You could modify the example at http://www.campin.net/perl-mail.txt to do it for you, something like:
#!/usr/bin/perl
use warnings;
use strict;

# strip the priority
s/^<[\d]{1,2}>//;

if ( /[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\w+)\s/ ) {
    system("echo \"$_\" | /usr/bin/mailx -s \"log alert on host: $1\" user\@domain");
} else {
    system("echo \"$_\" | /usr/bin/mailx -s \"log alert on unknown host\" user\@domain");
}
__END__
The information is there, you just have to get it yourself.
thanks for the perl script... this is what I use... it probably could be cleaner, but it works for me ;)

#!/bin/sh
# mail su/sudo/ssh root alerts based off the syslog-ng filter
# syslog-ng writes one message per line to stdin; each line is parsed here
while IFS= read -r line; do
    # strip the leading <PRI> field
    msg=`echo "$line" | sed 's/^<[0-9]\{1,3\}>//'`
    # field 5 is "prog[pid]:" (or "prog:"); reduce it to the program name
    prog=`echo "$msg" | awk '{print $5}' | sed -r 's/((:$)|(\[[0-9].+\]:$)|(\([a-z_].+\[[0-9].+\]:$))//g'`
    # pick the hostname out of the header, with a separate split for lines containing "@"
    if echo "$msg" | /bin/egrep '(@)' > /dev/null 2>&1; then
        hostx=`echo "$msg" | awk -F"@" '{print $2}' | awk '{print $1}'`
    else
        hostx=`echo "$msg" | awk -F"/" '{print $1}' | awk '{print $4}'`
    fi
    echo "$msg" | /bin/mail -s "Log Alert - $hostx ($prog)" mailgroup@domain.com
done

UNIX Admin <infosec@gmail.com> wrote on 04/07/2005 06:50 PM:
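An added example that is not from anyone in the thread: a POSIX sh reader for the program() destination that does what the perl and shell scripts above do (strip the <PRI>, recover host and program from the header, mail the line) and also narrows the alert to the root account, which the original filter did not. Every field stays quoted, so log text reaches mail only as data; in the perl version the message is interpolated into the system() command string and a shell reinterprets it. The alert address, the --serve flag, the script path and the sample lines are assumptions.

```shell
#!/bin/sh
# syslog-ng starts this script once and writes one message per line to
# stdin, so host and program have to be parsed out of each line here.
# Assumed input (constructed): <PRI>Mon DD HH:MM:SS host prog[pid]: message
ALERT_TO=${ALERT_TO:-mailgroup@example.com}   # placeholder address

# Drop the leading <PRI> field (1 to 3 digits).
strip_pri() {
    printf '%s\n' "$1" | sed 's/^<[0-9]\{1,3\}>//'
}

# Word N of the header. Globbing is switched off around the word split
# because "sshd[1234]:" is otherwise a valid glob pattern.
header_field() {
    n=$1
    set -f; set -- $(strip_pri "$2"); set +f
    shift $((n - 1))
    printf '%s\n' "$1"
}

# Field 4 is the hostname; field 5 is "prog[pid]:" or "prog:".
syslog_host() { header_field 4 "$1"; }
syslog_prog() {
    p=$(header_field 5 "$1")
    p=${p%%\[*}
    printf '%s\n' "${p%:}"
}

# The thread's filter matched every sshd failure; this narrows the
# alert to failures against the root account.
is_root_failure() {
    case "$1" in
        *"Failed "*" for root from "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read loop used when syslog-ng runs the script, e.g.
# program("/usr/local/bin/syslog-mail --serve")  (assumed path and flag).
serve() {
    while IFS= read -r line; do
        is_root_failure "$line" || continue
        host=$(syslog_host "$line"); prog=$(syslog_prog "$line")
        # Message text travels as data; nothing here is re-parsed by a shell.
        strip_pri "$line" | /bin/mail -s "Log Alert - $host ($prog)" "$ALERT_TO"
    done
}

if [ "${1:-}" = "--serve" ]; then serve; fi
```

Later syslog-ng releases can prefix each line with macros such as $HOST and $PROGRAM through the destination's template() option, which removes the parsing step; whether 1.6.6 offers that on program() is not established by this thread.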
participants (3): Andrew_Hilton@ElementK.com, Balazs Scheidler, UNIX Admin