[syslog-ng] how to pass a value from an expanded macro to an external program?

syslog-ng@lists.balabit.hu syslog-ng@lists.balabit.hu
Wed, 6 Apr 2005 13:53:57 -0400


I am attempting to mail log alerts for failed attempts by root through
sshd.

I have various boxes logging remotely (through their native syslogd) to a
central log server running syslog-ng 1.6.6 (on redhat ES3.0).

I have the following in my syslog-ng conf specific to ssh:

# i know this catches all, and not just root
filter f_ssh_login_attempt {
        program("sshd.*")
        and match("(Failed)")
        and not match("Accepted");
};

destination d_mail-alert { program("/usr/local/bin/syslog-mail $HOST $PROGRAM"); };

log {
        source (s_udp);
        filter(f_ssh_login_attempt);
        destination(d_mail-alert);
};

I was hoping to be able to pass the $HOST (or other macros) to the script,
but this doesn't seem to work?

the script is nothing more than a shell script which attempts to use $1 $2
in the subject line of the mail message.

the script does generate an email with the syslog message in the body, but
$1 and $2 are empty.

how do I pass a value from an expanded macro to an external program?

I will be installing swatch at some point, but since I already had
syslog-ng running...

thanks
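An added example, not part of the original post and not the poster's script: program() starts its command once and writes every matching message to that process's stdin, so per-message values have to arrive in the data stream rather than as $1 and $2. The sketch assumes the destination accepts a template() option (shown in the comment; not confirmed for 1.6.6 on this page), and its function names are hypothetical. Because the fields come from remote hosts over UDP, they are cleaned before they reach a mail header.

```shell
#!/bin/sh
# Assumed syslog-ng side (an assumption, not from the original post):
#   destination d_mail-alert {
#       program("/usr/local/bin/syslog-mail" template("$HOST $PROGRAM $MSG\n"));
#   };
# Each stdin line is then: <host> <program> <rest of message>

clean_field() {
    # Keep only characters that are safe in a mail header and cap the length,
    # so a forged hostname cannot smuggle CR, ':' or '@' into the Subject.
    printf '%s' "$1" | tr -cd 'A-Za-z0-9._-' | cut -c1-64
}

build_subject() {
    host=$(clean_field "$1")
    prog=$(clean_field "$2")
    printf 'ssh login failure: host=%s program=%s' \
        "${host:-unknown}" "${prog:-unknown}"
}

deliver() {
    # Dry run: print what would be mailed. For real delivery, pipe "$2" into
    # the local mail command with "$1" as the subject.
    printf 'Subject: %s\n%s\n\n' "$1" "$2"
}

alert_loop() {
    # The first two fields are host and program; the remainder is the message.
    while IFS=' ' read -r host prog msg; do
        [ -n "$host" ] || continue
        deliver "$(build_subject "$host" "$prog")" "$msg"
    done
}

sample_input() {
    # Constructed sample lines in the assumed template format.
    cat <<'EOF'
web01 sshd Failed password for root from 192.0.2.10 port 40022 ssh2
db02 sshd Failed password for root from 192.0.2.77 port 51514 ssh2
EOF
}

# Demo on the constructed lines; when run by syslog-ng, call alert_loop alone
# so it reads the daemon's stream on stdin.
sample_input | alert_loop
```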