OK, I finally found the problem. I don't know if it is only related to the "template" option within the program directive, but it must end with a newline character "\n" for the program to process every line, like this:

    destination sshd_alerts {
        program("/usr/local/bin/ssh_alert_by_email.sh"
                template("$DATE $HOST $PROGRAM $MSGONLY\n"));
    };

*Note the \n after $MSGONLY.

For the curious, this is the script that I implemented to get a notification for every successful ssh login:

    #!/bin/bash
    recipient="alerts@example.com"

    # Build the subject and body from one templated log line and mail them.
    processLog() {
        subject=$(echo "$1" | awk '{print "Successful ssh login by " $9, "on " $4}')
        body=$(echo "$1" | awk '{printf ("%s %s %s", "Date: " $1, $2, $3 "\\n" "Hostname: " $4 "\\n" "Username: " $9 "\\n" "Source host: " $11); }')
        /bin/echo -e "$body" | mail -e -s "$subject" "$recipient"
    }

    # syslog-ng writes one line per message to this script's stdin.
    while read -r msg ; do
        processLog "$msg"
    done

On Thu, Aug 13, 2009 at 9:44 AM, Alberto Sierra<albertosierra@aesetres.com> wrote:
    0 S root     20465     1  0  80   0 -   443 -      11:26 pts/0    00:00:00 /bin/sh -c /usr/local/bin/ssh_alert_by_email.sh
    0 S root     20466 20465  0  80   0 -   443 -      11:26 pts/0    00:00:00 /bin/bash /usr/local/bin/ssh_alert_by_email.sh
    5 S root     20468     1  0  80   0 -   572 -      11:26 ?        00:00:00 /sbin/syslog-ng -p /var/run/syslog-ng.pid
The PID is not changing (unless syslog-ng is restarted, of course), and the debug.log shows the program runs until syslog-ng is restarted as well, but it still sends nothing to the /tmp/testlog file.
On Thu, Aug 13, 2009 at 3:47 AM, Fegan, Joe<Joe.Fegan@hp.com> wrote:
In "ps -elf" do you see your script? Does the pid stay the same as time advances, or does it change (which would mean it's exiting and being replaced with a new instance by syslog-ng automatically). You could add a start and end marker to see if it's starting at all and if/when it's exiting. Like:
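    #!/bin/bash
    # Start marker: shows whether syslog-ng launched the script at all.
    echo "$0 started `date`" >> /tmp/debug.log
    while read -r line ; do
        echo "$line" >> /tmp/testlog
    done
    # End marker: written when stdin is closed and the loop ends.
    echo "$0 exited `date`" >> /tmp/debug.log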
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Alberto Sierra
Sent: 13 August 2009 07:26
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] program destination problem (again...)
hi there,
I know this has been discussed like a million times already, but I'm stuck and can't get around this.
I'm using a program destination in my syslog-ng config, like this:

    destination test_log { file("/var/log/testlog"); };
    destination sshd_alerts {
        program("/usr/local/bin/ssh_alert_by_email.sh"
                template("$DATE $HOST $PROGRAM $MSGONLY"));
    };

    filter sshd { program("sshd"); };
    filter login_accepted { match("Accepted password|Accepted publickey"); };

    log {
        source(s_all);
        filter(sshd);
        filter(login_accepted);
        destination(sshd_alerts);
        destination(test_log);
    };
and the script as follows:
    #!/bin/bash
    # Append every line received on stdin to the test log.
    while read -r line ; do
        echo "$line" >> /tmp/testlog
    done
That's it. It logs to the destination(test_log), but the script does nothing.
i followed a similar thread: https://lists.balabit.hu/pipermail/syslog-ng/2008-March/011512.html
and the script works well interactively in the shell. I think I hit a dead end here... BTW, version 2.0.9
--
Alberto Sierra
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
-- Alberto Sierra Reales [aesetres] IT Consultant Cel. 8319-1805
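An added example, not part of the thread and not the poster's script: a handler for the same program() destination that checks each record's layout and field contents before building a subject line, and shows why a `while read` loop only processes records that end in "\n". The function names, the sample records and the printed subject line (standing in for the mail call) are assumptions of this example.

```bash
#!/bin/bash
# Added example, not the poster's script. Works in bash and POSIX sh.

# Split one "$DATE $HOST $PROGRAM $MSGONLY" record and print "user source host".
# Returns 1 for anything that is not a well-formed accepted-login record.
parse_login() {
    # Split on whitespace with globbing off, so a "*" in the record stays inert.
    set -f; set -- $1; set +f
    # $1-$3 date, $4 host, $5 program, $6... words of the sshd message
    [ "$#" -ge 11 ] || return 1
    [ "$5" = sshd ] && [ "$6" = Accepted ] && [ "$8" = for ] &&
        [ "${10}" = from ] || return 1
    case "$7" in password|publickey) ;; *) return 1 ;; esac
    # Host, user and source go into the mail subject: allow a safe set only.
    case "$4$9${11}" in *[!A-Za-z0-9:._-]*) return 1 ;; esac
    printf '%s %s %s\n' "$9" "${11}" "$4"
}

# Read records from stdin the way the program() pipe delivers them and print
# one subject line per accepted login. The loop body runs only after read has
# seen "\n"; on the live pipe an unterminated record leaves read blocked.
process_stream() {
    while IFS= read -r line; do
        fields=$(parse_login "$line") || continue
        set -- $fields
        printf 'Successful ssh login by %s on %s from %s\n' "$1" "$3" "$2"
    done
}

# Constructed sample records.
ok='Aug 13 11:26:01 gw1 sshd Accepted publickey for alice from 192.0.2.10 port 51234 ssh2'
odd='Aug 13 11:26:05 gw1 sshd Accepted password for b*b from 192.0.2.11 port 51300 ssh2'

printf '%s\n%s\n' "$ok" "$odd" | process_stream   # terminated records
printf '%s' "$ok" | process_stream                # template without "\n"
```

The first pipeline prints a single subject line for alice and skips the record whose user field fails validation; the second prints nothing because the record never ends in a newline.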