Launching command with a certain value after extracting it from patterndb
Hi all,

Is it possible to trigger a command after extracting a field using patterndb? For example, I have the following log:

Nov 4 15:18:10 myserver01 info ftps[876]: Rule Allow <ALLOW>: - MAP user:mytest IP:1.1.1.1

With patterndb, I can extract the field user with, for example, a value of $user. Can I trigger a command like "cat $user >> /tmp/users.log" without calling a script?

Thanks.
Hi,

On Wed, Nov 05, 2014 at 01:47:50PM +0000, C. L. Martinez wrote:
$user. Can I trigger a command like "cat $user >> /tmp/users.log" without calling a script?
Yes, you can! The idea is to have a file destination with a custom template. For instance:

-----8<----
filter f_patterndb_rule_id_12345 {
    match("12345" value(".classifier.rule_id"))
};

template t_users {
    template("${user}\n");
};

destination d_file_users {
    file("/tmp/users.log" template(t_users));
};

log {
    source(s_mysource);
    parser(p_mypatterndb);
    filter(f_patterndb_rule_id_12345);
    destination(d_file_users);
};
----->8----
You really want a command executed, or just want to echo the value of the fields extracted into a file?

I really wouldn't recommend trying to run a command that can be triggered for every incoming message; it can easily lead to a DoS, simply by flooding the syslog server with a lot of logs.

Hmm... db-parser() is able to rate-limit actions though, the only needed thing is a command execution. Too bad it's too easy to inject badly formatted values into the command line, which is a security issue.

In your example: cat $user, what if $user contains the string "'; rm -rf /"? It would get executed in an innocent-looking configuration.

On Wed, Nov 5, 2014 at 2:47 PM, C. L. Martinez <carlopmart@gmail.com> wrote:
Hi all,
Is it possible to trigger a command after extracting a field using patterndb? For example, I have the following log:
Nov 4 15:18:10 myserver01 info ftps[876]: Rule Allow <ALLOW>: - MAP user:mytest IP:1.1.1.1
With patterndb, I can extract the field user with, for example, a value of $user. Can I trigger a command like "cat $user >> /tmp/users.log" without calling a script?
Thanks.
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Bazsi
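Bazsi's two objections above (a flood of messages becomes a fork flood, and a field value becomes shell syntax), as an added worked example that is not part of this thread or of syslog-ng. It is a Python stand-in for the patterndb extraction plus the "run a command per message" action, shown in the literal shell-string form and in a hardened form: an allow-list on the extracted field, the value passed as a single argv element so no shell parses it, and a token-bucket rate limit of the kind Bazsi mentions for db-parser(). The sample log lines, the extraction regex, the `echo` command and the allow-list pattern are constructed assumptions for the demo; the injected value is a harmless `;echo INJECTED` standing in for the thread's `'; rm -rf /`.

```python
"""Added example (not syslog-ng code): why a patterndb-extracted field must not
be interpolated into a shell command, and what the safe shape looks like."""
import os
import re
import subprocess
import tempfile
import time

# Constructed sample lines in the thread's log format; the second one carries a
# harmless injected value standing in for the "'; rm -rf /" case.
SAMPLE_LOGS = [
    "Nov 4 15:18:10 myserver01 info ftps[876]: Rule Allow <ALLOW>: - MAP user:mytest IP:1.1.1.1",
    "Nov 4 15:18:11 myserver01 info ftps[876]: Rule Allow <ALLOW>: - MAP user:mytest;echo INJECTED IP:1.1.1.2",
]

# Stand-in for the patterndb rule that extracts ${user} (assumed regex).
USER_FIELD = re.compile(r"MAP user:(?P<user>.+?) IP:(?P<ip>\S+)")

# Allow-list for what a username may look like (assumed policy; tighten to taste).
SAFE_USER = re.compile(r"[A-Za-z0-9._-]{1,32}")


def extract_user(line):
    """Return the extracted user field, or None when the rule does not match."""
    m = USER_FIELD.search(line)
    return m.group("user") if m else None


def unsafe_append(user, logfile):
    """The thread's idea taken literally: the field is spliced into a shell
    string, so a value containing ';' becomes a second command."""
    cmd = f"echo {user} >> {logfile}"
    subprocess.run(cmd, shell=True, stdout=subprocess.DEVNULL, check=False)


class TokenBucket:
    """Minimal token bucket (the same idea as db-parser()'s action rate limit),
    with an injectable clock so it can be exercised deterministically."""

    def __init__(self, rate_per_sec, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate_per_sec, burst, clock
        self.tokens, self.last = float(burst), clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def safe_append(user, logfile, bucket):
    """Hardened action: allow-list the field, rate-limit, and hand the value over
    as one argv element so no shell ever parses it.  Returns the outcome."""
    if not SAFE_USER.fullmatch(user):
        return "rejected"
    if not bucket.allow():
        return "rate-limited"
    with open(logfile, "a") as fh:
        # argv form: "a;b" is a single argument, not two commands.
        subprocess.run(["echo", user], stdout=fh, check=True)
    return "written"


def process(lines, logfile, bucket=None, hardened=True):
    """Run each line through extraction and the chosen action; list the outcomes."""
    outcomes = []
    for line in lines:
        user = extract_user(line)
        if user is None:
            outcomes.append("no-match")
        elif hardened:
            outcomes.append(safe_append(user, logfile, bucket))
        else:
            unsafe_append(user, logfile)
            outcomes.append("executed")
    return outcomes


def demo():
    """Run both variants over the samples; return (unsafe file, outcomes, safe file)."""
    with tempfile.TemporaryDirectory() as tmp:
        unsafe_log = os.path.join(tmp, "unsafe.log")
        process(SAMPLE_LOGS, unsafe_log, hardened=False)
        with open(unsafe_log) as fh:
            unsafe_content = fh.read()

        safe_log = os.path.join(tmp, "safe.log")
        outcomes = process(SAMPLE_LOGS, safe_log, TokenBucket(1.0, 5), hardened=True)
        with open(safe_log) as fh:
            safe_content = fh.read()
    return unsafe_content, outcomes, safe_content


if __name__ == "__main__":
    unsafe_content, outcomes, safe_content = demo()
    print("unsafe log:", repr(unsafe_content))   # the injected command ran
    print("hardened outcomes:", outcomes)
    print("safe log:", repr(safe_content))
```

Running it shows the unsafe log file ending up with a line written by the injected `echo INJECTED`, while the hardened path rejects that value outright and only ever spawns the command with the field as a single argument. The rate limit is a separate control from the validation: even a perfectly well-formed field must not be allowed to fork a process per message when the source can be flooded.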
You are right, Bazsi ... There are a lot of problems with doing this. I will use a sec.pl script as a destination to control these logs. Many thanks for your help.

On Wed, Nov 5, 2014 at 3:06 PM, Balazs Scheidler <bazsi77@gmail.com> wrote:
You really want a command executed, or just want to echo the value of the fields extracted into a file?
I really wouldn't recommend trying to run a command that can be triggered for every incoming message; it can easily lead to a DoS, simply by flooding the syslog server with a lot of logs.
Hmm... db-parser() is able to rate-limit actions though, the only needed thing is a command execution. Too bad it's too easy to inject badly formatted values into the command line, which is a security issue.
In your example: cat $user, what if $user contains the string "'; rm -rf /"? It would get executed in an innocent-looking configuration.
-- Bazsi
participants (3): Balazs Scheidler, C. L. Martinez, Fabien Wernli