[syslog-ng] using the program destination driver

Matt Zagrabelny mzagrabe at d.umn.edu
Mon Aug 28 18:38:41 CEST 2006 

greetings list,

i will (breifly) describe what i would like to do, what i have tried in
order to accomplish that, and what i think is going wrong. i would very
much appreciate any help.

at the university that i work at we have a cisco vpn box that is
configured to send syslog messages to a debian box running syslog-ng
version 2.0rc1-2 (version in 'testing'). the types of messages that are
sent from the vpn box are like 'user logging in using ip <ip>' and 'user
logging out'. as these messages are coming in, i would like to spawn a
process, extract the useful bits of info from the syslog message and
update a database with the connection window for the user, local and
remote ip address.

what i have tried: 

excerpts from /etc/syslog-ng/syslog-ng.conf

source s_remote {
        udp();
};

destination dp_process_vpn {
    program("/usr/local/sbin/process_vpn_syslog");
};

filter f_vpn {
    netmask("131.212.4.2/255.255.255.255");
};

log {
        source(s_remote);
        filter(f_vpn);
        destination(dp_process_vpn);
};

end of excerpt from /etc/syslog-ng/syslog-ng.conf

# cat /usr/local/sbin/process_vpn_syslog
#!/usr/bin/perl

# eventually this program will parse the data in the syslog entry
# and update a database, but for now, it is just appending the
# info to a file in /tmp

use strict;

$| = 1;

my $file = '/tmp/vpn_info';
open FILE, '>>'.$file;

while (<>) {
        print FILE $_;
}

end of cat /usr/local/sbin/process_vpn_syslog

i do the following commands to test and confirm that the program
process_vpn_syslog is working ok and expected.

$ tail -f /tmp/vpn_info
$ tail -f /storage/syslog/hosts/131.212.4.2/2006/08/28/local4

i get instant data from the file destination driver syslogs going
to /storage/syslog/hosts/131.212.4.2/2006/08/28/local4.

i get *very* latent data in the file /tmp/vpn_info.


possibilities of what i think is going wrong:

1) data is not being flushed from syslog-ng to the program.

i have tried adding flush_lines(1) to the program directive above, to no
avail.

2) the syslog-ng documentation says:

that it starts the program once and restarts it if it exits.

i think i am looking for a program that is executed once for every
*line* entry from syslog-ng, however i am not sure where to go from
here.

thanks again for taking time to look at this.

sincerely,

-- 
Matt Zagrabelny - mzagrabe at d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85  C5CA 53E7 887F 84E2 2DA2

He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20060828/16a9644d/attachment.pgp

More information about the syslog-ng mailing list