[syslog-ng] SOLVED: program destination problem (again...)

Alberto Sierra albertosierra at aesetres.com
Thu Aug 13 22:09:48 CEST 2009


OK, I finally found the problem. I don't know if it is only related to
the "template" option within the program directive, but it must end
with a newline character "\n" for the program to process every line,
like this:

 destination sshd_alerts {
 program("/usr/local/bin/ssh_alert_by_email.sh" template("$DATE $HOST $PROGRAM $MSGONLY\n")); };

*note the \n after $MSGONLY

For the curious, this is the script that I implemented to get a
notification for every successful ssh login:

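#!/bin/bash

recipient="alerts@example.com"

# Build and send one alert mail from a single formatted log line.
# Log content is untrusted input, so every expansion is quoted.
processLog()
{
    # Fields of "$DATE $HOST $PROGRAM $MSGONLY": $1-$3 date, $4 host,
    # $9 user name, $11 source host
    subject=$(printf '%s\n' "$1" | awk '{print "Successful ssh login by " $9, "on " $4}')
    body=$(printf '%s\n' "$1" | awk '{printf "Date: %s %s %s\nHostname: %s\nUsername: %s\nSource host: %s\n", $1, $2, $3, $4, $9, $11}')
    printf '%s\n' "$body" | mail -e -s "$subject" "$recipient"
}

# syslog-ng writes one line per message to stdin; -r keeps backslashes literal
while IFS= read -r msg ; do
    processLog "$msg"
done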


On Thu, Aug 13, 2009 at 9:44 AM, Alberto
Sierra<albertosierra at aesetres.com> wrote:
> 0 S root     20465     1  0  80   0 -   443 -      11:26 pts/0    00:00:00 /bin/sh -c /usr/local/bin/ssh_alert_by_email.sh
> 0 S root     20466 20465  0  80   0 -   443 -      11:26 pts/0    00:00:00 /bin/bash /usr/local/bin/ssh_alert_by_email.sh
> 5 S root     20468     1  0  80   0 -   572 -      11:26 ?        00:00:00 /sbin/syslog-ng -p /var/run/syslog-ng.pid
>
> The PID is not changing (unless syslog-ng is restarted, of
> course), and the debug.log shows the program runs until syslog-ng is
> restarted as well, but it still sends nothing to the /tmp/testlog
> file.
>
>
>
> On Thu, Aug 13, 2009 at 3:47 AM, Fegan, Joe<Joe.Fegan at hp.com> wrote:
>> In "ps -elf" do you see your script? Does the pid stay the same as time advances, or does it change (which would mean it's exiting and being replaced with a new instance by syslog-ng automatically). You could add a start and end marker to see if it's starting at all and if/when it's exiting. Like:
>>
>> #!/bin/bash
>> echo "$0 started `date`" >> /tmp/debug.log
>> while read -r line ; do
>> echo "$line" >> /tmp/testlog
>> done
>> echo "$0 exited `date`" >> /tmp/debug.log
>>
>>
>>
>> -----Original Message-----
>> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Alberto Sierra
>> Sent: 13 August 2009 07:26
>> To: syslog-ng at lists.balabit.hu
>> Subject: [syslog-ng] program destination problem (again...)
>>
>> Hi there,
>>
>> I know this has been discussed like a million times already but I'm
>> stuck and can't get around this.
>>
>> I'm using a program destination in my syslog-ng config, like this:
>> destination test_log { file("/var/log/testlog"); };
>> destination sshd_alerts {
>> program("/usr/local/bin/ssh_alert_by_email.sh" template("$DATE $HOST
>> $PROGRAM $MSGONLY")); };
>>
>> filter sshd { program("sshd"); };
>> filter login_accepted { match("Accepted password|Accepted publickey"); };
>>
>>
>> log {
>>        source(s_all);
>>        filter(sshd);
>>        filter(login_accepted);
>>        destination(sshd_alerts);
>>        destination(test_log);
>> };
>>
>> and the script as follows:
>>
>> #!/bin/bash
>> while read -r line ; do
>> echo "$line" >> /tmp/testlog
>> done
>>
>> That's it. It logs to the destination(test_log) but the script does nothing.
>>
>> I followed a similar thread:
>> https://lists.balabit.hu/pipermail/syslog-ng/2008-March/011512.html
>>
>> and the script works well interactively in the shell. I think I hit a
>> dead end here... btw version 2.0.9
>>
>> --
>> Alberto Sierra
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>
>>
>>
>
>
>
> --
> Alberto Sierra Reales [aesetres]
> IT Consultant
> Cel. 8319-1805
>



-- 
Alberto Sierra Reales [aesetres]
IT Consultant
Cel. 8319-1805
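
Added example, not part of the original post: a small reproduction of why the alert script stayed silent until the template ended in "\n". The function names (consume, emit) and the sample sshd messages (host1, 192.0.2.10, the user names) are constructed for illustration.

```shell
#!/bin/sh
# consume: same "while read" loop as the scripts in the thread. It prints how
# many complete lines it handled and whether unterminated data was left over.
consume() {
    count=0
    while IFS= read -r line; do
        count=$((count + 1))
    done
    # read fails at EOF; whatever is still in $line never reached the loop body
    if [ -n "$line" ]; then pending=yes; else pending=no; fi
    printf '%s %s\n' "$count" "$pending"
}

# emit FORMAT_SUFFIX: write three constructed messages shaped like
# "$DATE $HOST $PROGRAM $MSGONLY", each followed by the given suffix
# ('' for the original template, '\n' for the fixed one).
emit() {
    for user in alice bob carol; do
        printf "Aug 13 11:26:01 host1 sshd Accepted password for %s from 192.0.2.10 port 22 ssh2$1" "$user"
    done
}

# Here the writer exits, so read hits EOF and the loop ends with 0 lines
# handled. Under syslog-ng the pipe stays open, so read just keeps waiting
# for a newline: the script's PID stays the same and no alert is ever sent.
printf '%s: %s\n' 'template without trailing newline' "$(emit '' | consume)"
printf '%s: %s\n' 'template with trailing newline' "$(emit '\n' | consume)"
```

For an alerting pipeline this failure is silent: the login events are logged to the file destination, but no notification leaves the host.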