[syslog-ng] syslog-ng to trigger rancid

K K kkadow at gmail.com
Wed Jun 4 06:59:31 CEST 2008


On 5/19/08, Alexander Clouter <ac56 at soas.ac.uk> wrote:
> Mladen Tsvetkov <mladen.tsvetkov at telelink.com> [20080515 09:13:32 +0300]:
> > I am new to syslog-ng. I have successfully installed it and integrated
> > with mysql and php. My question is how can I make syslog-ng to start
> > rancid when a syslog configuration message is received from a cisco
> > device:
> >
> > 112578: 1564643: May 15 09:05:19.141 EEST: %SYS-5-CONFIG_I: Configured
> > from console by ******** on vty0 (10.10.10.10).
> >
> > So far I know that I have to use the program() directive. But how can I
> > pass the hostname and other parameters to rancid?
> >
> I probably would have thought an SNMP trap for ciscoConfigManEvent[1] would
> have been the 'correct' way to do this?
>
> If you plan on using the syslog messages, you probably need to seperately run
> swatch[2] to deal with this as it's outside of syslog-ng's remit (I think).

I have a slightly different kludge to accomplish this goal.

I use syslog-ng with match() to detect these events, write each to a
destination of /var/spool/rancid/$HOUR.$HOST

An hourly cron job looks in /var/spool/rancid and calls rancid for
just the known hostnames found (named for the previous hour), then
deletes the old files.

We realized that many analysts have a habit of going in and out of
config mode to make several changes in a row, this aggregates all the
changes, only calls rancid at most once an hour.


Kevin


More information about the syslog-ng mailing list