[syslog-ng] regular expressions ...
Balazs Scheidler
bazsi@balabit.hu
Wed, 1 Sep 1999 10:51:44 +0200
On Wed, Sep 01, 1999 at 02:29:20AM +0200, Josef Bergmann wrote:
> Hi Balazs!
>
> On 31 Aug 99, at 11:36, Balazs Scheidler wrote:
>
> > filter f_alerts { match("(alert)|(breakin)|..."); };
>
> Ok, thanks again. I've fiddled around now a little bit with the filter and yes,
> this works fine :)
>
> > destination d_script { program("/usr/local/sbin/alertscript"); };
> > log { source(src); filter(f_alerts); destination(d_script); };
> >
> > The script is run as soon as syslog-ng starts up, and is kept running until the
> > configuration is reloaded, or syslog-ng is terminated.
>
> Is it possible to run the script only when the filter matches? I want to send a
> mail (with the log entry) when a specific event (eg. kernel deny filter) occurs.
>
> For example the log looks like this:
>
> Aug 31 21:50:06 gate kernel: IP fw-in deny eth1 UDP 193.XXX.XXX.XXX:137
> 193.XXX.XXX.XXX:137 L=78 S=0x00 I=39426 F=0x0000 T=128
>
> I want to filter this event and send a mail with the log entry if it occurs.
>
> filter f_alert1 { match("deny"); };
> destination d_script {program("/usr/local/sbin/alertscript"); };
> log {source(src); filter(f_alert1); destination(d_script); };
>
> #!/bin/sh
> # alertscript
> # did not work
> mail -s "Alert" root $1
What about:
#!/bin/sh
# syslog-ng keeps this program running and writes each matched message to its
# stdin, one per line, so loop over stdin instead of looking at $1.
while IFS= read -r line; do
	echo "$line" | mail -s "Log alert" root
done
--
Bazsi
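Added example, not part of the original thread: a slightly fuller version of the stdin-reading handler described above, written for the program() destination model (syslog-ng starts the script once and streams every message that passes the filter to its stdin). The mail command is behind a MAILER variable so the loop can be exercised without a working mail setup; the log lines used in the test are constructed from the one quoted in the thread.

```shell
#!/bin/sh
# Constructed example of a syslog-ng program() destination handler.
# syslog-ng does not run the program per message and does not pass the
# message as $1; it starts the program once and writes one matched
# message per line to its stdin, so the handler must loop over stdin.

# Mail command to use; defaults to mail(1), overridable for testing.
: "${MAILER:=mail}"

# Build the mail body for one matched log line (pure function, easy to test).
format_alert() {
    # $1: the raw syslog line as delivered by syslog-ng
    printf 'syslog-ng filter matched:\n\n%s\n' "$1"
}

# Send one alert mail for one matched line.
send_alert() {
    format_alert "$1" | "$MAILER" -s "Log alert" root
}

# Main loop: read stdin until syslog-ng closes it (reload or shutdown).
# IFS= keeps leading whitespace, -r keeps backslashes in the message.
# Prints the number of alerts sent, which the test below checks.
handle_stream() {
    count=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue      # ignore blank lines
        send_alert "$line"
        count=$((count + 1))
    done
    echo "$count"
}

# Only enter the loop when installed under the name used in the thread
# (/usr/local/sbin/alertscript); sourcing the file just defines the functions.
case "$0" in
    *alertscript) handle_stream ;;
esac
```

Because the loop runs once per matched message, a burst of firewall deny lines produces one mail per line; if that is a concern, the place to throttle is inside handle_stream (for example by counting per minute) or in the syslog-ng filter, not by switching back to a per-invocation script.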