[syslog-ng]how to pass a value from an expanded macro to an external program?

syslog-ng@lists.balabit.hu syslog-ng@lists.balabit.hu
Thu, 7 Apr 2005 15:46:27 -0400


Got it.  Thanks.  I should have realized that.

I'm parsing the message from stdin, and building the mail message that way.
Works fine.

From: Balazs Scheidler <bazsi@balabit.hu>
Sent by: syslog-ng-admin@lists.balabit.hu
Date: 04/07/2005 01:48 PM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]how to pass a value from an expanded macro to an external program?
Please respond to: syslog-ng@lists.balabit.hu




On Wed, 2005-04-06 at 13:53 -0400, Andrew_Hilton@ElementK.com wrote:
> I am attempting to mail log alerts for failed attempts by root through
> sshd.
>
> I have various boxes logging remotely (through their native syslogd)
> to a central log server running syslog-ng 1.6.6 (on redhat ES3.0).
>
> I have the following in my syslog-ng conf specific to ssh:
>
> # i know this catches all, and not just root
> filter f_ssh_login_attempt {
> program("sshd.*")
> and match("(Failed)")
> and not match("Accepted");
> };
>
> destination d_mail-alert { program("/usr/local/bin/syslog-mail $HOST $PROGRAM"); };
>
> log {
> source (s_udp);
> filter(f_ssh_login_attempt);
> destination(d_mail-alert);
> };
>
> I was hoping to be able to pass the $HOST (or other macros) to the
> script, but this doesn't seem to work?
>
> the script is nothing more than a shell script which attempts to use
> $1 $2 in the subject line of the mail message.
>
> the script does generate an email with the syslog message in the body,
> but $1 and $2 are empty.
>
> how do I pass a value from an expanded macro to an external program?

Basically you can't. Syslog-ng starts the program up once during
initialization and expects it to run continuously expecting messages on
stdin. It is easy to see that it is not possible to start a program
containing arguments depending on the current log message as it is
already started by that time.

--
Bazsi


_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
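
The approach the thread settles on (one long-running program that takes the host and program name from each line on stdin rather than from its arguments), sketched as an added example; it is not the poster's script and not part of the original thread. It assumes lines of the form "Mon DD HH:MM:SS host program[pid]: text"; the function names, the "run" argument and the ALERT_TO variable are constructed for illustration. Because the remote sender controls the log content, host and program are reduced to a safe character set before they reach the mail subject.

```shell
#!/bin/sh
# Added example: handler for a syslog-ng program() destination.
# Assumed input layout: "Mon DD HH:MM:SS host program[pid]: text".

# Keep only a conservative character set and cap the length, so values
# taken from a log line cannot add mail headers or shell syntax.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9._-' | cut -c1-64
}

# Print "host program" for one log line; return 1 if it cannot be parsed.
parse_line() {
    set -f            # no globbing while the line is split on whitespace
    set -- $1         # unquoted on purpose: fields become $1, $2, ...
    set +f
    [ "$#" -ge 5 ] || return 1
    host=$(sanitize "$4")
    tag=${5%%:*}      # "sshd[1234]:" -> "sshd[1234]"
    tag=${tag%%\[*}   # "sshd[1234]"  -> "sshd"
    prog=$(sanitize "$tag")
    [ -n "$host" ] && [ -n "$prog" ] || return 1
    printf '%s %s\n' "$host" "$prog"
}

# Build the subject line; fall back to a fixed subject on unparsable input.
build_subject() {
    fields=$(parse_line "$1") || {
        printf 'ssh login failure (unparsed line)\n'
        return 0
    }
    printf 'ssh login failure on %s (%s)\n' "${fields% *}" "${fields#* }"
}

# syslog-ng starts this once and keeps writing lines to its stdin, so the
# loop handles every line and never exits on a bad one. The "run" argument
# (constructed) keeps the loop from starting when the file is only sourced.
if [ "${1:-}" = "run" ]; then
    while IFS= read -r line; do
        printf '%s\n' "$line" |
            mail -s "$(build_subject "$line")" "${ALERT_TO:-root}"
    done
fi
```

With this layout the destination is started with the fixed argument only, for example program("/usr/local/bin/syslog-mail run"), and no macros appear on the command line.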

