[syslog-ng]SEC and SYSLOG-NG

Sawall, Christopher L syslog-ng@lists.balabit.hu
Tue, 1 Jul 2003 14:58:35 -0500


I'm trying to use SEC now, instead of SWATCH.  Any progress on getting
things up on your website?

If I manually run against a log file, it works great, but I'm trying to
integrate it into syslog-ng.

I saw a post where you showed the following:

#######################################
destination d_sec {
        program("/usr/local/sbin/sec.pl -input=\"-\" -conf=/usr/local/etc/sec.conf >/var/log/sec.err 2>&1");
};

# send all logs to sec
log {
        source(src);
        filter(f_not_brightmail);
        destination(d_sec);
};
#######################################

I made up my own filter to include all facilities so as to watch for
everything.  But I'm not getting it to work; it never reports back.  If
I do a "ps -ef", I can see that syslog-ng did start up the SEC
process... but no luck.

Any help would be appreciated.

Thanks,
Chris

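One check worth doing before blaming syslog-ng or SEC is to run the exact command string from the destination() block the way syslog-ng runs it. A program() destination hands that string to `/bin/sh -c` and writes each matched log message, newline-terminated, to the child's standard input; any output the child produces goes wherever the string's own redirections send it, which in the config above is /var/log/sec.err rather than the terminal. The script below is an added example, not code from the original post, from SEC or from syslog-ng. It reproduces that behaviour in POSIX shell so a command line can be fed a few constructed syslog lines outside syslog-ng. Because SEC is not assumed to be installed, the `STANDIN` command is a small awk filter standing in for sec.pl, `OUT` is a temporary file standing in for /var/log/sec.err, and the two log lines are constructed samples; all three are assumptions, and the real sec.pl string from the config can be dropped in for `STANDIN`.

```shell
#!/bin/sh
# Added example (not from the original post, SEC or syslog-ng): imitate what
# a syslog-ng program() destination does with its command string, so the
# string can be exercised with a handful of log lines outside syslog-ng.

# feed_program CMD LINE...
#   Start CMD through "sh -c", as syslog-ng does, and write each LINE to its
#   stdin followed by a newline. The pipe is closed after the last line, so
#   CMD sees EOF and exits; CMD's exit status is returned. Whatever CMD
#   prints goes to CMD's own redirection targets, not to the caller.
feed_program() {
    cmd=$1; shift
    for line in "$@"; do
        printf '%s\n' "$line"
    done | sh -c "$cmd"
}

# ASSUMPTION: a temp file stands in for /var/log/sec.err from the config.
OUT=${OUT:-$(mktemp)}

# ASSUMPTION: an awk one-liner stands in for sec.pl so the script runs
# without SEC installed. It flags failed SSH logins and reports how many
# lines it saw, with stdout and stderr redirected exactly like the config:
#   /usr/local/sbin/sec.pl -input=- -conf=/usr/local/etc/sec.conf >/var/log/sec.err 2>&1
STANDIN="awk '/Failed password/ { print \"ALERT: \" \$0 } END { print \"lines seen: \" NR }' >$OUT 2>&1"

# Constructed sample messages in classic syslog line format.
LINE1='Jul  1 14:58:35 host sshd[4242]: Failed password for root from 192.0.2.10 port 51234 ssh2'
LINE2='Jul  1 14:58:36 host cron[9001]: (root) CMD (run-parts /etc/cron.hourly)'

# run_demo: feed the sample lines, then inspect the output file the way one
# would inspect /var/log/sec.err with the real config. Prints the number of
# ALERT lines found; returns 0 if at least one line matched, 1 if none did,
# 2 if the child command itself failed to run.
run_demo() {
    feed_program "$STANDIN" "$LINE1" "$LINE2" || return 2
    alerts=$(grep -c '^ALERT: ' "$OUT" || true)
    echo "$alerts"
    [ "$alerts" -gt 0 ]
}

run_demo
```

If the stand-in works here but the real sec.pl string does not, the difference is confined to the command string itself, and the file named after the `>` redirection is the first place to look for SEC's output and error messages.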