Hi! First off, sorry for my poor english! I have a problem with a loop caused by syslog-ng v. 2.0.8. I have set up Snort as an IDS System. Snort writes its messages in unified-format to /var/log/snort/snort.alert and /var/log/snort/snort.log. There are two Barnyard processes which read the unified files and convert it to messages that syslog and MySQL understand. Syslog-ng writes the messages to /var/log/auth.log. All this is working fine. Now, I want to set up a filter for Priority 1 alerts. This alert should be send to the Administrator. I used following filter for syslog-ng: source src {unix-stream("/dev/log"); internal();}; destination email{program("/usr/local/bin/alert_mail.sh");}; filter high {match("[Priority: 1]");}; log {source(src);filter(high); destination(email);}; The alert_mail.sh: #!/bin/sh cat << EOF | mail -s "High Priority Snort Alert" Sub-Zero@xxx.de Alert, Priority 1 EOF Then I use Nessus to cause some alerts with Priority 1. I can see 4 alerts with the Priority 1 with BASE and in /var/log/auth.log. Syslog-ng recognises the alert with Priority 1 and activates the script /usr/local/bin/alert_mail.sh All this is working, but the script is restarted by syslog-ng again an again. Extract from /var/log/messages: Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Child program exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', status='0' Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Starting destination program; cmdline='/usr/local/bin/alert_mail.sh ' Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Closing log writer fd; fd='11' Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Child program exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', status='0' Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Starting destination program; cmdline='/usr/local/bin/alert_mail.sh ' Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Child program exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', status='0' Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Starting destination program; cmdline='/usr/local/bin/alert_mail.sh ' … Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Child program exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', status='256' Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Starting destination program; cmdline='/usr/local/bin/alert_mail.sh ' Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Child program exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', status='256' Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Starting destination program; cmdline='/usr/local/bin/alert_mail.sh ' Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Child program exited, restarting; … I get thousands of mails per minute till I stop syslog-ng. Output of /var/log/auth.log(so y see that syslog-ng writes snort/barnyard messages correctly to auth.log): Mar 19 13:56:54 src@Sensor1 barnyard: [1:1394:8] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {UDP} 172.25.1.152:4758 -> 172.28.100.10:137 Mar 19 13:57:13 src@Sensor1 barnyard: [1:1446:8] SMTP vrfy root [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.1.152:1085 -> 172.28.100.10:25 Mar 19 13:57:13 src@Sensor1 barnyard: [1:660:11] SMTP expn root [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.1.152:1085 -> 172.28.100.10:25 Mar 19 13:57:22 src@Sensor1 barnyard: [1:12626:2] Snort Alert [1:12626:0] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 172.25.1.152:1146 -> 172.28.100.10:111 Mar 19 13:57:22 src@Sensor1 barnyard: [1:585:9] RPC portmap sadmind request UDP [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 172.25.1.152:1146 -> 172.28.100.10:111 Mar 19 13:57:24 src@Sensor1 barnyard: [1:566:6] POLICY PCAnywhere server response [Classification: Misc activity] [Priority: 3] {UDP} 172.25.1.152:1155 -> 172.28.100.10:5632 Mar 19 15:11:27 src@Sensor1 barnyard: [122:1:0] portscan: TCP Portscan [Classification: Unknown] [Priority: 3] {PROTO255} 172.25.1.152 -> 172.28.100.10 Mar 19 15:11:58 src@Sensor1 barnyard: [1:1420:13] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.1.152:4482 -> 172.28.100.10:162 Mar 19 15:11:58 src@Sensor1 barnyard: [1:1418:13] SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.1.152:4482 -> 172.28.100.10:161 Mar 19 15:12:05 src@Sensor1 barnyard: [1:1421:13] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.1.152:4482 -> 172.28.100.10:705 Mar 19 15:12:16 src@Sensor1 barnyard: [122:1:0] portscan: TCP Portscan [Classification: Unknown] [Priority: 3] {PROTO255} 172.25.1.152 -> 172.28.100.10 Mar 19 15:12:19 src@Sensor1 barnyard: [1:1394:8] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {UDP} 172.25.1.152:137 -> 172.28.100.10:137 Mar 19 15:12:20 src@Sensor1 barnyard: [1:1394:8] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {UDP} 172.25.1.152:137 -> 172.28.100.10:137 Mar 19 15:12:22 src@Sensor1 barnyard: [1:1394:8] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {UDP} 172.25.1.152:137 -> 172.28.100.10:137 I think it has something in common with this topic: https://lists.balabit.hu/pipermail/syslog-ng/2006-October/009454.html Thanks in advance! Sub-Zero -- GMX startet ShortView.de. Hier findest Du Leute mit Deinen Interessen! Jetzt dabei sein: http://www.shortview.de/?mc=sv_ext_mf@gmx