[syslog-ng]how to pass a value from an expanded macro to an external program?
syslog-ng@lists.balabit.hu
Tue, 12 Apr 2005 15:31:02 -0400
thanks for the perl script... this is what I use... it probably could be cleaner, but it works for me ;)

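#!/bin/sh
# mail su/sudo/ssh root alerts based off the syslog-ng filter
while read -r line; do
    # strip the leading <NN> syslog priority
    msg=`echo "$line" | sed 's/^<[0-9][0-9]>//;'`
    # program name is field 5; drop the trailing ":", "[pid]:" or "(...)[pid]:"
    prog=`echo "$msg" | awk '{print $5}' | sed -r 's/((:$)|(\[[0-9].+\]:$)|(\([a-z_].+\[[0-9].+\]:$))//g'`
    # host is either "host/..." or "...@host", depending on the source
    echo "$msg" | /bin/egrep '(@)' > /dev/null 2>&1
    if [ $? -ne 0 ]; then
        hostx=`echo "$msg" | awk -F"/" '{print $1}' | awk '{print $4}'`
    else
        hostx=`echo "$msg" | awk -F"@" '{print $2}' | awk '{print $1}'`
    fi
    # the log text stays quoted so the shell never globs or re-splits it
    echo "$msg" | /bin/mail -s "Log Alert - $hostx ($prog)" mailgroup@domain.com
done
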
UNIX Admin <infosec@gmail.com>
Sent by: syslog-ng-admin@lists.balabit.hu
04/07/2005 06:50 PM
Please respond to syslog-ng@lists.balabit.hu
To: syslog-ng@lists.balabit.hu
cc:
Subject: Re: [syslog-ng]how to pass a value from an expanded macro to an external program?

D'oh! I left off the -n on the she-bang line:

#!/usr/bin/perl -n

...to make it behave correctly, but I'm sure you would have figured that out.

On Apr 7, 2005 3:48 PM, UNIX Admin <infosec@gmail.com> wrote:
> You could modify the example at http://www.campin.net/perl-mail.txt to
> do it for you, something like:
>
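> #!/usr/bin/perl
> use warnings;
> use strict;
>
> # strip the priority
> s/^<[\d]{1,2}>//;
>
> # the host is the word that follows the timestamp
> my $subject = "log alert on unknown host";
> if ( /[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\w+)\s/ ) {
>     $subject = "log alert on host: $1";
> }
>
> # list-form pipe open: mailx gets its arguments directly, so no shell
> # ever parses the log line
> open(my $mail, '|-', '/usr/bin/mailx', '-s', $subject, 'user@domain')
>     or die "cannot run mailx: $!";
> print $mail $_;
> close($mail);
>
> __END__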
>
> The information is there, you just have to get it yourself.
>
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
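
The handlers in this thread take the host and program name out of a log line and place them in a mail subject; log lines are untrusted input, so the example below (added here, not code from the thread) does the same extraction in POSIX sh and restricts both fields to a safe character set first. The function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and the sample
# lines are constructed for illustration.

# Keep only characters that are harmless in a mail subject, max 64 chars.
clean_field() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9._-' | cut -c1-64
}

# Build the alert subject from one raw line as syslog-ng hands it over:
#   <PRI>Mon DD HH:MM:SS host prog[pid]: message
alert_subject() {
    msg=$(printf '%s\n' "$1" | sed 's/^<[0-9]\{1,3\}>//')
    host=$(printf '%s\n' "$msg" | awk '{print $4}')
    prog=$(printf '%s\n' "$msg" | awk '{print $5}')
    host=${host#*@}      # user@host   -> host
    host=${host%%/*}     # host/relay  -> host
    prog=${prog%%:*}     # "sudo:"     -> sudo
    prog=${prog%%\[*}    # "sshd[12]"  -> sshd
    prog=${prog%%\(*}    # "su(pam)"   -> su
    host=$(clean_field "$host")
    prog=$(clean_field "$prog")
    printf 'Log Alert - %s (%s)\n' "${host:-unknown}" "${prog:-unknown}"
}

# Constructed sample input; the last line carries shell metacharacters.
while IFS= read -r line; do
    alert_subject "$line"
done <<'EOF'
<38>Apr 12 15:31:02 web01 sshd[1234]: Accepted password for root
<38>Apr  7 18:50:11 root@web02 su(pam_unix)[999]: session opened
<85>Apr 12 15:31:02 db01/10.0.0.5 sudo: admin : USER=root
<13>Apr 12 15:31:02 web01 a";id;"[1]: forged tag
EOF

# In the handler loop the subject goes to the mailer as one quoted argument:
#   printf '%s\n' "$line" | /bin/mail -s "$(alert_subject "$line")" mailgroup@domain.com
```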