[syslog-ng]how to pass a value from an expanded macro to an external program?

syslog-ng@lists.balabit.hu syslog-ng@lists.balabit.hu
Tue, 12 Apr 2005 15:31:02 -0400


thanks for the perl script... this is what I use... it probably could be
cleaner, but it works for me ;)

#!/bin/sh
# mail su/sudo/ssh root alerts based off the syslog-ng filter
while read -r line; do
  # strip the leading <priority> field
  msg=`echo "$line"|sed 's/^<[0-9][0-9]>//;'`
  # 5th field is the program name; drop a trailing ":", "[pid]:" or "(pam_x)[pid]:"
  prog=`echo "$msg"|awk '{print $5}'|sed -r 's/((:$)|(\[[0-9].+\]:$)|(\([a-z_].+\[[0-9].+\]:$))//g'`
  echo "$msg"|/bin/egrep '(@)' > /dev/null 2>&1
  if [ $? -ne 0 ]; then
    # no "@" in the message: the hostname is the 4th whitespace field
    hostx=`echo "$msg"|awk -F"/" '{print $1}'|awk '{print $4}'`
  else
    # "user@host" form: take the word right after the "@"
    hostx=`echo "$msg"|awk -F"@" '{print $2}'|awk '{print $1}'`
  fi
  echo "$msg" | /bin/mail -s "Log Alert - $hostx ($prog)" mailgroup@domain.com
done





UNIX Admin <infosec@gmail.com>
Sent by: syslog-ng-admin@lists.balabit.hu
04/07/2005 06:50 PM
Please respond to syslog-ng@lists.balabit.hu

To: syslog-ng@lists.balabit.hu
cc:
Subject: Re: [syslog-ng]how to pass a value from an expanded macro to an external program?




D'oh! I left off the -n on the she-bang line:

#!/usr/bin/perl -n

...to make it behave correctly, but I'm sure you would have figured that
out.

On Apr 7, 2005 3:48 PM, UNIX Admin <infosec@gmail.com> wrote:

> You could modify the example at http://www.campin.net/perl-mail.txt to
> do it for you, something like:
>
> #!/usr/bin/perl
> use warnings;
> use strict;
>
> # strip the priority
> s/^<[\d]{1,2}>//;
>
> # the word after the "Mon DD HH:MM:SS" timestamp is the host
> my $subject = /[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\w+)\s/
>     ? "log alert on host: $1"
>     : "log alert on unknown host";
>
> # list-form open: subject and log line reach mailx as an argument and on
> # stdin, not through a shell, so log content cannot inject shell commands
> open(my $mail, '|-', '/usr/bin/mailx', '-s', $subject, 'user@domain')
>     or die "cannot run mailx: $!";
> print $mail $_;
> close($mail);
>
> __END__
>
> The information is there, you just have to get it yourself.
>
_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
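The host/program extraction that both scripts in this thread perform, as an added shell example (not code from either poster): it keeps the same field positions and the same "@" heuristic as the sh script above, but quotes every expansion so that log content is never re-parsed by the shell. The sample lines, the facility values and the mailgroup@domain.com address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the list post.  Assumes syslog-ng hands the
# program() destination lines of the form (default template, optional <PRI>):
#   <PRI>Mon DD HH:MM:SS host prog[pid]: message

# strip_pri LINE -> LINE with a leading "<NN>" priority field removed
strip_pri() {
    printf '%s\n' "$1" | sed 's/^<[0-9]\{1,3\}>//'
}

# host_of MSG -> hostname, same heuristic as the sh script above:
# with an "@" in the message take the word after it, otherwise field 4
host_of() {
    case $1 in
        *@*) printf '%s\n' "${1#*@}" | awk '{ print $1 }' ;;
        *)   printf '%s\n' "${1%%/*}" | awk '{ print $4 }' ;;
    esac
}

# prog_of MSG -> field 5 with "(pam_x)[pid]:", "[pid]:" or ":" stripped
prog_of() {
    printf '%s\n' "$1" | awk '{ print $5 }' \
        | sed 's/([a-z_]*)\[[0-9]*\]:$//; s/\[[0-9]*\]:$//; s/:$//'
}

# subject_of MSG -> the alert subject the sh script above builds
subject_of() {
    printf 'Log Alert - %s (%s)\n' "$(host_of "$1")" "$(prog_of "$1")"
}

# send_alert LINE -> mail the stripped line.  MAILTO is a placeholder.
# Every expansion is quoted, so a line containing ; ` or $( ) reaches
# mail(1) as data and is never re-parsed by this shell.
send_alert() {
    msg=$(strip_pri "$1")
    printf '%s\n' "$msg" | /bin/mail -s "$(subject_of "$msg")" "${MAILTO:-mailgroup@domain.com}"
}

# Stand-alone run on constructed sample lines (no mail is sent).
if [ "${1:-}" = "--demo" ]; then
    while IFS= read -r line; do
        subject_of "$(strip_pri "$line")"
    done <<'EOF'
<38>Apr 12 15:31:02 web01 sshd[4321]: Accepted publickey for root from 192.0.2.10
<85>Apr 12 15:31:05 web01 su(pam_unix)[4400]: session opened for user root by ops(uid=1000)
EOF
fi
```

Run it with `--demo` to see the subjects it would build; wire `send_alert "$line"` into the read loop to replace the printing once the fields look right for your template.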

