Hi!

I made some fine Debian packages from libol 0.2.3 and syslog-ng 1.1.31 and installed them on a Debian 2.1 system. Everything works/logs nicely :-)

Now I want to enable the "hashing feature" and filter against a file with regex terms, but I found no proper info in the docs. How can I configure these features? (I didn't find "genh0" and "checkhash" as mentioned in the syslog-ng manpage.)

How can I realize a system which, for example, executes a script if a regex target gets hit? The idea is to get a realtime logchecker which mails faults to the admin ...

Thanks for help.

bye
Josef
-- 
BERGMANN engineering & consulting http://bec.at/
'While we liked developing Windows applications, we never inhaled.' - Philippe Kahn, 1992
> I made some fine Debian packages from libol 0.2.3 and syslog-ng 1.1.31 and installed them on a Debian 2.1 system. Everything works/logs nicely :-)

Great. In the meanwhile I've released 1.1.32 and libol 0.2.5; you may want to grab those as well.

> Now I want to enable the "hashing feature" and filter against a file with regex terms, but I found no proper info in the docs. How can I configure these features? (I didn't find "genh0" and "checkhash" as mentioned in the syslog-ng manpage.)
>
> How can I realize a system which, for example, executes a script if a regex target gets hit? The idea is to get a realtime logchecker which mails faults to the admin ...

Hashing is not about a file with regexps in it. It is a digital fingerprint of each log message stored along with the logfile. This way unauthorized modification can easily be detected. However, this feature is not yet implemented in the 1.1.xx branch, only in 1.0.x.

To do what you would like, you'll need the match filter and the new destination called "program", like this:

filter f_alerts { match("(alert)|(breakin)|..."); };
destination d_script { program("/usr/local/sbin/alertscript"); };
log { source(src); filter(f_alerts); destination(d_script); };

The script is run as soon as syslog-ng starts up, and is kept running until the configuration is reloaded or syslog-ng is terminated.

-- 
Bazsi
Hi Balazs!

Thanks for the really fast answer :-)

On 31 Aug 99, at 11:36, Balazs Scheidler wrote:

> Great. In the meanwhile I've released 1.1.32 and libol 0.2.5; you may want to grab those as well.

Yes, I've checked this in the meantime and also built new debs for Debian 2.1 ... thanks.

> > Now I want to enable the "hashing feature" and filter against a file with regex terms, but I found no proper info in the docs. How can I configure these features? (I didn't find "genh0" and "checkhash" as mentioned in the syslog-ng manpage.)
> [...]
> Hashing is not about a file with regexps in it. It is a digital fingerprint of each log message stored along with the logfile. This way unauthorized modification can easily be detected. However, this feature is not yet implemented in the 1.1.xx branch, only in 1.0.x.

Sorry for my inaccurate question. Yes, I meant hashing in that way; because of the fingerprints nobody should be able to modify the logs. So I can find this in the 1.0.x branch, ok thanks.

And regardless of the hashing feature, I also want to regex the logs against specific patterns. Does the 1.0.x branch know regexps?

> To do what you would like, you'll need the match filter and the new destination called "program", like this:

Thanks!

bye
Josef
-- 
BERGMANN engineering & consulting http://bec.at/
The gates of thought, -- how slow and late they discover themselves! Yet when they appear, we see that they were always there, always open. - Emerson
On Tue, Aug 31, 1999 at 12:32:44PM +0200, Josef Bergmann wrote:
> Hi Balazs!
>
> Thanks for the really fast answer :-)
>
> On 31 Aug 99, at 11:36, Balazs Scheidler wrote:
>
> > Great. In the meanwhile I've released 1.1.32 and libol 0.2.5; you may want to grab those as well.
>
> Yes, I've checked this in the meantime and also built new debs for Debian 2.1 ... thanks.
>
> > > Now I want to enable the "hashing feature" and filter against a file with regex terms, but I found no proper info in the docs. How can I configure these features? (I didn't find "genh0" and "checkhash" as mentioned in the syslog-ng manpage.)
> > [...]
> > Hashing is not about a file with regexps in it. It is a digital fingerprint of each log message stored along with the logfile. This way unauthorized modification can easily be detected. However, this feature is not yet implemented in the 1.1.xx branch, only in 1.0.x.
>
> Sorry for my inaccurate question. Yes, I meant hashing in that way; because of the fingerprints nobody should be able to modify the logs. So I can find this in the 1.0.x branch, ok thanks.
>
> And regardless of the hashing feature, I also want to regex the logs against specific patterns. Does the 1.0.x branch know regexps?

In addition to what 1.1.x supports, 1.0.x has a filter called matchfile, which reads regexps from a file; currently in 1.1.x you need to inline such regexps in the config file.

-- 
Bazsi
Hi Balazs!

On 31 Aug 99, at 11:36, Balazs Scheidler wrote:

> filter f_alerts { match("(alert)|(breakin)|..."); };

Ok, thanks again. I've fiddled around now a little bit with the filter and yes, this works fine :)

> destination d_script { program("/usr/local/sbin/alertscript"); };
> log { source(src); filter(f_alerts); destination(d_script); };
>
> The script is run as soon as syslog-ng starts up, and is kept running until the configuration is reloaded or syslog-ng is terminated.

Is it possible to run the script only when the filter matches? I want to send a mail (with the logentry) when a specific event (e.g. kernel deny filter) occurs.

For example, the log looks like this:

Aug 31 21:50:06 gate kernel: IP fw-in deny eth1 UDP 193.XXX.XXX.XXX:137 193.XXX.XXX.XXX:137 L=78 S=0x00 I=39426 F=0x0000 T=128

I want to filter this event and send a mail with the logentry if it occurs.

filter f_alert1 { match("deny"); };
destination d_script { program("/usr/local/sbin/alertscript"); };
log { source(src); filter(f_alert1); destination(d_script); };

#!/bin/sh
# alertscript
# did not work
mail -s "Alert" root $1

bye
Josef
-- 
BERGMANN engineering & consulting http://bec.at/
And remember that old savvy sayin' 'Some folk tell ya everything they know, and then keep on talkin' !'
On Wed, Sep 01, 1999 at 02:29:20AM +0200, Josef Bergmann wrote:
> Hi Balazs!
>
> On 31 Aug 99, at 11:36, Balazs Scheidler wrote:
>
> > filter f_alerts { match("(alert)|(breakin)|..."); };
>
> Ok, thanks again. I've fiddled around now a little bit with the filter and yes, this works fine :)
>
> > destination d_script { program("/usr/local/sbin/alertscript"); };
> > log { source(src); filter(f_alerts); destination(d_script); };
> >
> > The script is run as soon as syslog-ng starts up, and is kept running until the configuration is reloaded or syslog-ng is terminated.
>
> Is it possible to run the script only when the filter matches? I want to send a mail (with the logentry) when a specific event (e.g. kernel deny filter) occurs.
>
> For example, the log looks like this:
>
> Aug 31 21:50:06 gate kernel: IP fw-in deny eth1 UDP 193.XXX.XXX.XXX:137 193.XXX.XXX.XXX:137 L=78 S=0x00 I=39426 F=0x0000 T=128
>
> I want to filter this event and send a mail with the logentry if it occurs.
>
> filter f_alert1 { match("deny"); };
> destination d_script { program("/usr/local/sbin/alertscript"); };
> log { source(src); filter(f_alert1); destination(d_script); };
>
> #!/bin/sh
> # alertscript
> # did not work
> mail -s "Alert" root $1

What about:

#!/bin/sh
# alertscript: syslog-ng keeps this process running and writes every message
# that passed the filter to its stdin, one per line; nothing arrives in $1,
# so loop over stdin. The message is quoted and printed with printf so that
# log content (which an attacker may influence) is not subject to word
# splitting, globbing or echo's option/escape handling.
while IFS= read -r line; do
    printf '%s\n' "$line" | mail -s "Log alert" root
done

-- 
Bazsi
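The three pieces of advice in this thread fit together into one program() destination script: the while/read loop above (one long-running process fed on stdin, not one invocation per message), the match filter from the first reply, and the matchfile idea from the second reply (regexps kept in a file, which 1.1.x lacks, so the script does the file-based matching itself). The following is an added example written for this page, not code from the thread or from syslog-ng. The pattern-file path, the ALERT_* environment variables and the per-event repeat cap are my own assumptions; only `mail -s` and the stdin-fed program() behaviour come from the thread.

```shell
#!/bin/sh
# alertscript: a stdin-driven alert mailer for a syslog-ng program() destination.
# Added example, not code from the thread or from syslog-ng itself.
#
# syslog-ng starts the program once and writes every message that passed the
# log path's filter to the program's stdin, one message per line. Nothing is
# passed in $1, so the script must loop over stdin (the while/read loop from
# the thread) instead of reading a positional argument.
#
# Assumed, illustrative names (not from syslog-ng's documentation):
#   ALERT_PATTERNS     file with one extended regex per line (# comments allowed)
#   ALERT_MAILTO       recipient for `mail -s`
#   ALERT_MAX_REPEATS  how many times one event (message minus timestamp) is
#                      mailed before further copies are dropped, so a burst of
#                      identical matches cannot flood the admin's mailbox.
PATTERN_FILE=${ALERT_PATTERNS:-/etc/syslog-ng/alert.regex}
MAILTO=${ALERT_MAILTO:-root}
MAX_REPEATS=${ALERT_MAX_REPEATS:-3}

# matches_any LINE PATTERN_FILE: exit 0 when LINE matches any regex in the file.
# Patterns are tried one at a time so that blank lines and '#' comments can be
# skipped; fed straight to `grep -f`, an empty line would match every message.
matches_any() {
    _line=$1
    [ -r "$2" ] || return 1
    while IFS= read -r _pat || [ -n "$_pat" ]; do
        case $_pat in ''|'#'*) continue ;; esac
        printf '%s\n' "$_line" | grep -E -q -e "$_pat" && return 0
    done < "$2"
    return 1
}

# event_key LINE: the message with the "Mon DD HH:MM:SS " prefix removed, so
# repeats of one event can be recognised although every copy has a new time.
event_key() {
    _k=${1#* }                 # drop the month
    _k=${_k#"${_k%%[! ]*}"}    # drop the padding syslog puts before a 1-digit day
    _k=${_k#* }                # drop the day
    _k=${_k#* }                # drop HH:MM:SS
    printf '%s\n' "$_k"
}

# send_alert: reads one message on stdin and mails it. Kept separate so the
# delivery command can be swapped (e.g. for testing) without touching the loop.
send_alert() {
    mail -s "Log alert" "$MAILTO"
}

# process_stream PATTERN_FILE: the main loop. Reads messages from stdin until
# syslog-ng closes the pipe (reload or shutdown), mails matching ones, and
# drops copies of an event once it has been mailed MAX_REPEATS times.
process_stream() {
    _seen=""
    while IFS= read -r _msg || [ -n "$_msg" ]; do
        matches_any "$_msg" "$1" || continue
        _key=$(event_key "$_msg")
        _n=$(printf '%s\n' "$_seen" | grep -c -F -x -e "$_key" || true)
        _seen="$_seen
$_key"
        [ "$_n" -ge "$MAX_REPEATS" ] && continue
        printf '%s\n' "$_msg" | send_alert
    done
}

# Run the loop only when invoked under the name syslog-ng uses in the
# destination, so the functions can be sourced elsewhere without side effects.
case ${0##*/} in
    alertscript) process_stream "$PATTERN_FILE" ;;
esac
```

Two points a practitioner should keep in mind with this setup. The script inherits syslog-ng's privileges and stays alive until a reload, so keep it small and treat every line it reads as untrusted input (hence `read -r`, `printf` rather than `echo`, and quoted variables throughout). And a filter as broad as `match("deny")` fires on any message containing that word, including ones a local user writes via logger or a remote host sends to a UDP listener; the per-event cap only blunts bursts of identical lines, so narrow the log path (syslog-ng's facility() and host() filters) and consider a global rate limit before pointing this at a mailbox.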