unable to setup syslog-ng for log monitoring
Hi,

I am using syslog-ng 3.0 and I am trying to monitor log files. If the word "attackalert" is found in the log file, syslog-ng should invoke a script. I created "/root/workspace/test", a bash script with only a simple echo statement, to check whether it is working correctly or not. The problem is that whenever I start syslog-ng the script starts executing even if the word "attackalert" is not recorded. The following is my syslog-ng.conf configuration. Is there anything I am missing here? Please advise.

    options {
        flush_lines (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        use_dns (no);
        use_fqdn (no);
        create_dirs (no);
        keep_hostname (yes);
    };

    source s_file { file("/root/workspace/app_desktop/sup.log.php"); };
    destination d_prog { program("/root/workspace/test"); };
    filter f_attack_alert { match("attackalert" value("MESSAGE")); };
    log { source(s_file); filter(f_attack_alert); destination(d_prog); };

--
Warm Regards
Supratik
Hi All!

On Tue, 2010-11-30 at 13:40 +0530, Supratik Goswami wrote:

> I created "/root/workspace/test", a bash script with only a simple echo statement, to check whether it is working correctly or not. The problem is that whenever I start syslog-ng the script starts executing even if the word "attackalert" is not recorded. The following is my syslog-ng.conf configuration. Is there anything I am missing here? Please advise.

Yes, this is the expected (and documented) behavior. syslog-ng starts the script at start time and the script should wait for the messages. And the script should not exit either, because syslog-ng would not like it.

--
SZALAY Attila
Support (L3) Team Leader
e-mail: attila.szalay@balabit.com
BalaBit IT Security www.balabit.com
H-1115 Bártfai str. 54. Budapest

This Communication is Confidential. We only send and receive email on the basis of the terms set out at http://www.balabit.com/disclaimer/.
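What the reply above implies in practice, as an added example that is not from the thread or from BalaBit: a program() destination script is forked once when syslog-ng starts and receives every message that passes the filter on its standard input, one line per message (formatted by the destination's template), so the script has to loop over stdin and stop only when syslog-ng closes the pipe. The installed path /usr/local/bin/syslog-ng-alert, the ALERT_TO recipient variable and the sample log lines in the usage are my assumptions, not anything the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: a long-running reader for a syslog-ng
# program() destination. syslog-ng forks this once at startup and writes
# every message that passes the filter to its stdin, one per line, so the
# script must loop on stdin and only stop when syslog-ng closes the pipe.
#
# Assumptions (not stated in the thread): the script is installed as
# /usr/local/bin/syslog-ng-alert, PATTERN is the word to re-check for, and
# ALERT_TO names the mail recipient. With ALERT_TO unset, alerts go to
# stderr instead (dry run / testing), so nothing is mailed by accident.

ALERT_TO="${ALERT_TO:-}"
PATTERN="${PATTERN:-attackalert}"

# Deliver one alert. mail(1) is used only when a recipient is configured
# and the binary exists; the message goes on stdin, never on the command
# line, so log content cannot become shell arguments.
send_alert() {
    msg="$1"
    if [ -n "$ALERT_TO" ] && command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$msg" | mail -s "syslog-ng attackalert" "$ALERT_TO"
    else
        printf 'ALERT: %s\n' "$msg" >&2
    fi
}

# Consume messages from stdin until EOF and print the number of alerts
# sent. IFS= and -r keep each line verbatim (leading blanks, backslashes).
# Blank lines are skipped, and each line is re-checked for PATTERN: the
# filter in syslog-ng.conf already selects these lines, but the re-check
# keeps the script honest if that filter is ever loosened.
process_messages() {
    count=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            *"$PATTERN"*) ;;
            *) continue ;;
        esac
        send_alert "$line"
        count=$((count + 1))
    done
    echo "$count"
}

# Run the read loop only when executed under the installed name, so that
# sourcing this file (for tests, or from another script) does not block
# waiting on stdin. syslog-ng does not read our stdout, so drop the count.
case "${0##*/}" in
    syslog-ng-alert) process_messages >/dev/null ;;
esac
```

With this installed, the destination in the posted configuration becomes `destination d_prog { program("/usr/local/bin/syslog-ng-alert"); };`, and ALERT_TO is either hard-coded in the script or exported in the environment syslog-ng is started from, which the child process inherits. The script keeps running with no output after start-up, which is exactly the behaviour the original post mistook for a false match; it only does something when a line actually arrives on stdin.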
Can you please suggest a solution for how to overcome this situation? My main purpose is to invoke the script, which will send an alert mail, only when a match for "attackalert" is found in the log file.

On Tue, Nov 30, 2010 at 2:13 PM, SZALAY Attila <sasa@balabit.hu> wrote:

> Hi All!
>
> On Tue, 2010-11-30 at 13:40 +0530, Supratik Goswami wrote:
>
> > I created "/root/workspace/test", a bash script with only a simple echo statement, to check whether it is working correctly or not. The problem is that whenever I start syslog-ng the script starts executing even if the word "attackalert" is not recorded. The following is my syslog-ng.conf configuration. Is there anything I am missing here? Please advise.
>
> Yes, this is the expected (and documented) behavior. syslog-ng starts the script at start time and the script should wait for the messages.
> And the script should not exit either, because syslog-ng would not like it.
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html

--
Warm Regards
Supratik
On 2010-11-30, Supratik Goswami wrote:

> Can you please suggest a solution for how to overcome this situation?
> My main purpose is to invoke the script, which will send an alert mail, only when a match for "attackalert" is found in the log file.

For goals like yours, I'd recommend Simple Event Correlator, which was made exactly for this kind of job. See:
http://simple-evcorr.sourceforge.net/
http://sixshooter.v6.thrupoint.net/SEC-examples/article.html

HTH,
--
Jakub Jankowski|shasta@toxcorp.com|http://toxcorp.com/
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
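As an added illustration of the suggestion above (not from the thread, and not an SEC project example), a minimal SEC rule file that does what the original poster asked for: run an alert command once per "attackalert" line, and suppress repeats for a while so a burst of matches does not turn into a mail storm. The rule file path /etc/sec/attackalert.sec, the helper /usr/local/bin/send-alert (any script that reads the event from stdin and mails it) and the 300-second window are assumptions.

```text
# /etc/sec/attackalert.sec (assumed path; added example, not from the thread)
#
# SingleWithSuppress: act on the first line matching the pattern, then
# ignore further lines with the same desc for `window` seconds.
# The `pipe` action writes the matched line ($0) to the command's stdin
# instead of splicing it into a shell command line, so attacker-controlled
# log content cannot inject shell syntax.
type=SingleWithSuppress
ptype=RegExp
pattern=attackalert
desc=attackalert seen in application log
action=pipe '$0' /usr/local/bin/send-alert
window=300
```

SEC tails the file itself, so no syslog-ng destination is involved; the log from the original post would be watched with `sec --conf=/etc/sec/attackalert.sec --input=/root/workspace/app_desktop/sup.log.php`. Because suppression is keyed on desc, using a constant desc (as here) gives one alert per 300 s overall; putting a match variable such as the source address into desc would give one alert per source instead.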