[syslog-ng]how to pass a value from an expanded macro to an external program?

UNIX Admin syslog-ng@lists.balabit.hu
Thu, 7 Apr 2005 15:48:02 -0700


On Apr 7, 2005 10:48 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
> On Wed, 2005-04-06 at 13:53 -0400, Andrew_Hilton@ElementK.com wrote:
> > I am attempting to mail log alerts for failed attempts by root through
> > sshd.
> >
> > I have various boxes logging remotely (through their native syslogd)
> > to a central log server running syslog-ng 1.6.6 (on redhat ES3.0).
> >
<SNIP>
> >
> > I was hoping to be able to pass the $HOST (or other macros) to the
> > script, but this doesn't seem to work?
> >
> > the script is nothing more than a shell script which attempts to use
> > $1 $2 in the subject line of the mail message.
> >
> > the script does generate an email with the syslog message in the body,
> > but $1 and $2 are empty.
> >
> > how do I pass a value from an expanded macro to an external program?
> 
> Basically you can't. Syslog-ng starts the program up once during
> initialization and expects it to run continuously expecting messages on
> stdin. It is easy to see that it is not possible to start a program
> containing arguments depending on the current log message as it is
> already started by that time.
 

You could modify the example at http://www.campin.net/perl-mail.txt to
do it for you, something like:

#!/usr/bin/perl
use warnings;
use strict;

# syslog-ng starts this once and writes one message per line to stdin,
# so the script has to loop over stdin rather than run once per message
while (my $msg = <STDIN>) {
    chomp $msg;

    # strip the priority (<PRI> is 0..191, so up to three digits)
    $msg =~ s/^<\d{1,3}>//;

    # the host is the first word after the "Mon DD HH:MM:SS" timestamp;
    # \S+ (not \w+) so hyphenated names and FQDNs still match
    my $subject = 'log alert on unknown host';
    if ( $msg =~ /[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)\s/ ) {
        $subject = "log alert on host: $1";
    }

    # list-form pipe open: neither the message nor the subject goes through
    # a shell, so a crafted log line from a remote box cannot inject commands
    # (echo "$_" | mailx ... would run whatever the message contains)
    open(my $mail, '|-', '/usr/bin/mailx', '-s', $subject, 'user@domain')
        or die "cannot run mailx: $!";
    print $mail "$msg\n";
    close $mail or warn "mailx exited with status $?\n";
}

__END__

The information is there, you just have to get it yourself.
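As an added example (not from this thread or from the syslog-ng project), here is the server-side wiring such a script needs in syslog-ng 1.6-style configuration: a remote source, a filter that only passes sshd messages about root, and a program() destination that starts the script once at initialization and feeds it every matching message on stdin, as described above. The script path, listening port, mail address and the exact sshd message text matched are assumptions; adjust them to your setup.

```conf
# /etc/syslog-ng/syslog-ng.conf on the central log server (added example)

# keep the hostname the sending box put in the message, since that is the
# field the alert script parses out of the line it receives
options { keep_hostname(yes); };

# the remote boxes log here with their native syslogd over UDP/514 (assumed port)
source s_remote { udp(ip(0.0.0.0) port(514)); };

# only sshd messages about root; "Failed password for root" is one of the
# message forms sshd logs and is an assumption about your sshd/PAM setup
filter f_root_ssh {
    program("sshd") and match("Failed password for root");
};

# program() is started once at init and reads one message per line on stdin;
# nothing from the message can reach its command line, which is why the
# script has to extract the host itself
destination d_alert { program("/usr/local/bin/alert.pl"); };

log { source(s_remote); filter(f_root_ssh); destination(d_alert); };

# alternative (assumption: your version's program() driver accepts template()):
# let the server prepend its own $HOST to each line instead of regex-parsing it,
# and adjust the script to split on the tab.
# destination d_alert {
#     program("/usr/local/bin/alert.pl" template("$HOST\t$MESSAGE\n"));
# };
```

Because the script runs with the privileges of the syslog-ng process and reads untrusted text from remote hosts, keep it to the list-form pipe shown above and avoid handing any part of the message to a shell.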