program destination problem (again...)
hi there,

i know this has been discussed like a million times already but i'm stuck and can't get around this.

i'm using a program destination in my syslog-ng config, like this:

    destination test_log { file("/var/log/testlog"); };
    destination sshd_alerts {
        program("/usr/local/bin/ssh_alert_by_email.sh"
                template("$DATE $HOST $PROGRAM $MSGONLY"));
    };

    filter sshd { program("sshd"); };
    filter login_accepted { match("Accepted password|Accepted publickey"); };

    log {
        source(s_all);
        filter(sshd);
        filter(login_accepted);
        destination(sshd_alerts);
        destination(test_log);
    };

and the script as follows:

    #!/bin/bash
    while read line ; do
        echo $line >> /tmp/testlog
    done

that's it, it logs to the destination(test_log) but the script does nothing.

i followed a similar thread: https://lists.balabit.hu/pipermail/syslog-ng/2008-March/011512.html

and the script works well interactively in the shell. I think i hit a dead end here... btw version 2.0.9

--
Alberto Sierra
Hi,

Does syslog-ng open source support Java stack traces?

Problem: Java stack traces span multiple lines, and the syslog-ng client treats each line as a new log message, so each line of a Java stack trace arrives as a separate message on the syslog-ng server. Is it possible to send the complete Java stack trace as one log message? If yes, then how?

I am using syslog-ng 3.0.3-1 on RHEL 5.

- V
Hi,

I am using the syslog-ng filter option to filter log messages based on some filter criteria, like:

    log { source(s_network); filter(ABCD_filter); destination(d_ABCDfiles); };
    log { source(s_network); filter(PQR_filter);  destination(d_PQRfiles);  };
    log { source(s_network); filter(XYZ_filter);  destination(d_XYZfiles);  };
    ...

In the above example the source is the same for all the destination files, but in this configuration every filter rule is evaluated against every log message. I want to configure it so that if a message passes the ABCD filter criteria it does not go to the other filters, and if it fails the ABCD filter criteria it goes to the next filter, and so on. Does syslog-ng support any macro or if-else for this?

- V
Hi,

Use the final flag in each log statement to indicate that processing stops:

    log { source(s_network); filter(ABCD_filter); destination(d_ABCDfiles); flags(final); };

Regards,
Siem Korteweg

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu On Behalf Of Jain, Vaibhav (GE Healthcare)
Sent: Thursday 13 August 2009 10:04
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] syslog-ng open source - Problem with filter rules - Performance

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
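As an added example (not from the thread), the three filters from the question chained with flags(final), followed by a catch-all. The source, filter and destination names are the ones the question uses; their definitions, and the d_unmatched destination, are assumed. flags(final) marks a message that matched a log statement as handled, so later log statements in the file do not see it. Statement order therefore becomes the precedence order: a message matching ABCD_filter never reaches d_PQRfiles even if it would also match PQR_filter, and PQR_filter is simply never evaluated for it, which is the performance effect the question is after. Without the flag every statement is evaluated for every message and a message matching two filters is written to both files.

```conf
# Added example; assumes s_network, ABCD_filter, PQR_filter, XYZ_filter and the
# d_* destinations are defined elsewhere in syslog-ng.conf.
#
# Weak form (every statement sees every message; a message matching two
# filters is written twice and all three filters run for every message):
#   log { source(s_network); filter(ABCD_filter); destination(d_ABCDfiles); };
#   log { source(s_network); filter(PQR_filter);  destination(d_PQRfiles);  };
#   log { source(s_network); filter(XYZ_filter);  destination(d_XYZfiles);  };
#
# Corrected form: first match wins, file order is precedence order.
log { source(s_network); filter(ABCD_filter); destination(d_ABCDfiles); flags(final); };
log { source(s_network); filter(PQR_filter);  destination(d_PQRfiles);  flags(final); };
log { source(s_network); filter(XYZ_filter);  destination(d_XYZfiles);  flags(final); };

# Assumed catch-all (not in the question): anything the statements above did
# not claim lands here, so nothing is dropped silently. It has no filter and
# must come last, since a final statement before it would still take priority.
destination d_unmatched { file("/var/log/unmatched.log"); };
log { source(s_network); destination(d_unmatched); };
```

One caveat worth checking before relying on this: flags(final) only stops statements that come later in the file. Any log statement placed before the ABCD one, for example a catch-all that also reads s_network, still receives the message.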
In "ps -elf" do you see your script? Does the pid stay the same as time advances, or does it change (which would mean it's exiting and being replaced with a new instance by syslog-ng automatically)? You could add a start and end marker to see if it's starting at all and if/when it's exiting. Like:

    #!/bin/bash
    echo "$0 started `date`" >> /tmp/debug.log
    while read line ; do
        echo $line >> /tmp/testlog
    done
    echo "$0 exited `date`" >> /tmp/debug.log

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu On Behalf Of Alberto Sierra
Sent: 13 August 2009 07:26
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] program destination problem (again...)
    F S UID  PID   PPID  C PRI NI ADDR SZ  WCHAN STIME TTY   TIME     CMD
    0 S root 20465     1 0  80  0 -    443 -     11:26 pts/0 00:00:00 /bin/sh -c /usr/local/bin/ssh_alert_by_email.sh
    0 S root 20466 20465 0  80  0 -    443 -     11:26 pts/0 00:00:00 /bin/bash /usr/local/bin/ssh_alert_by_email.sh
    5 S root 20468     1 0  80  0 -    572 -     11:26 ?     00:00:00 /sbin/syslog-ng -p /var/run/syslog-ng.pid

the PID is not changing (unless syslog-ng is restarted, of course); debug.log shows the program runs until syslog-ng is restarted as well. But it still sends nothing to the /tmp/testlog file.

On Thu, Aug 13, 2009 at 3:47 AM, Fegan, Joe <Joe.Fegan@hp.com> wrote:
> In "ps -elf" do you see your script? Does the pid stay the same as time advances, or does it change (which would mean it's exiting and being replaced with a new instance by syslog-ng automatically)? You could add a start and end marker to see if it's starting at all and if/when it's exiting. Like:
>
>     #!/bin/bash
>     echo "$0 started `date`" >> /tmp/debug.log
>     while read line ; do
>         echo $line >> /tmp/testlog
>     done
>     echo "$0 exited `date`" >> /tmp/debug.log
-- Alberto Sierra Reales [aesetres] IT Consultant Cel. 8319-1805
On Thu, 2009-08-13 at 00:26 -0600, Alberto Sierra wrote:
> hi there,
>
> i know this has been discussed like a million times already but i'm stuck and can't get around this.
>
> i'm using a program destination in my syslog-ng config, like this:
>
>     destination test_log { file("/var/log/testlog"); };
>     destination sshd_alerts {
>         program("/usr/local/bin/ssh_alert_by_email.sh"
>                 template("$DATE $HOST $PROGRAM $MSGONLY"));
>     };

try including an end-of-line in your template, since otherwise your script will wait for it.

    template("$DATE $HOST $PROGRAM $MSGONLY\n")

note the last "\n" in the template.
-- Bazsi
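The thread's conclusion, as an added example that is not code from any of the posts: a consumer script for a program() destination, written so it copes with what this thread ran into. The actual fix is the one Bazsi gives, ending the template in "\n"; the script below adds what a practitioner would change on top of that. The shell's read stops only at a newline or at EOF, so a message with no trailing "\n" sits unread in the pipe for as long as syslog-ng keeps the child alive (the ps output above shows the child living until a restart). The `|| [ -n "$line" ]` clause therefore only rescues an unterminated last line at EOF, that is at shutdown, and cannot replace the "\n" in the template. Two further changes are security-motivated: the consumer runs as root (again per the ps output), so it no longer appends to a predictable name under /tmp, where a pre-planted symlink would redirect root's writes; and `echo $line` becomes `printf '%s\n' "$line"`, because message content is not under the script's control and an unquoted echo glob-expands a `*` and swallows a leading `-n` or `-e` as an option. The output path /var/log/ssh_alerts and the convention of passing it as the first argument are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the thread. Intended as the target of
#   program("/usr/local/bin/ssh_alert_by_email.sh /var/log/ssh_alerts"
#           template("$DATE $HOST $PROGRAM $MSGONLY\n"));
# (the argument and the "\n" are the two changes to the thread's config; the
# path is assumed). syslog-ng starts the command once, via /bin/sh -c as the
# ps output in the thread shows, and writes every formatted message to stdin.

# Read messages from stdin and append one per line to the file named in $1.
consume_alerts() {
    out=$1
    # IFS= keeps leading whitespace; -r keeps backslashes literal.
    # read returns non-zero at EOF even when it has filled $line with an
    # unterminated final line, so that line is processed instead of dropped.
    # This does not help while the pipe is still open: without "\n" in the
    # template, read blocks, which is exactly the symptom in the thread.
    while IFS= read -r line || [ -n "$line" ]; do
        # printf with a fixed format: message content is attacker influenced
        # and must not be parsed as echo options or expanded as a glob.
        # The file is reopened per message so a rotation by rename is
        # picked up without restarting syslog-ng.
        printf '%s\n' "$line" >> "$out"
    done
}

# When started by syslog-ng the output file is passed as the first argument
# (an assumed convention); with no argument only the function is defined.
if [ "$#" -gt 0 ]; then
    consume_alerts "$1"
fi
```

Before deploying, confirm the template really ends in "\n" by watching the output file while you log in over SSH, and keep the output file owned by root with a mode that does not let other users pre-create or replace it.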
participants (5)
- Alberto Sierra
- Balazs Scheidler
- Fegan, Joe
- Jain, Vaibhav (GE Healthcare)
- Siem Korteweg