[syslog-ng] trouble shoot program() function

Fegan, Joe Joe.Fegan at hp.com
Tue Jan 26 13:43:48 CET 2010


Your script needs to have a loop where it reads stdin and processes each line as a separate message. It is not allowed to process one message and exit, like it does today.

Joe. 

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Sal Polifemo
Sent: 24 January 2010 01:31
To: syslog-ng mail list
Subject: [syslog-ng] trouble shoot program() function

Hi everyone.

I am trying to send mail notifications using the syslog-ng program()
function and it's not working.

To verify the filter works I use the same filter to log to a file and
the data is going to the file correctly.
When I run the script manually 
"grep ASA-5-111008 log_file | /usr/local/bin/cisco-cfg.pl" mail is
generated.

I added code to write to a file and that did not work.

I am including the syslog-ng.cfg snippet and the cisco-cfg.pl code.
Any ideas how I can troubleshoot why the email is not being sent from
syslog-ng?

Thanks for your help

syslog-ng.conf
===========
source external {
   udp(port(514));
   tcp(ip(0.0.0.0) port(5000) max-connections(300));
};

destination d_cisco_config{
    program ("/usr/local/bin/cisco-cfg.pl");
};

destination test {
    file ("/var/log/HOSTS/test");
};

filter f_firewall_config{
    match("ASA-6-605005") or
    match("ASA-5-111008");
};

log {
    #log to file to test that filter is working
    source(external);
    filter(f_firewall_config);
    destination(test);
};

log {
    source (external);
    filter (f_firewall_config);
    destination(d_cisco_config);
};

/usr/local/bin/cisco-cfg.pl
================
#!/usr/bin/perl -n
use strict;
use warnings;

my $d_month = "";
my $d_day   = "";
my $d_hour  = "";
my $d_min   = "";
my $d_sec   = "";
my $host    = "";
my $user    = "";
my $command = "";
my $user_pc   = "";
my $interface = "";
my $title = "";
my $to = "";
my $from = "";
my $subject = "";

if (/ASA\-5\-111008/)
{
    # Captures: month, day, hour, minute, second, host IP, user, command
    /(\w{1,3})\s*(\d{1,2})\s(\d{2}):(\d{2}):(\d{2}).*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*?'(.*?)'.*?'(.*?)'/;
    $d_month = $1;
    $d_day   = $2;
    $d_hour  = $3;
    $d_min   = $4;
    $d_sec   = $5;
    $host    = $6;
    $user    = $7;
    $command = $8;

    $to = 'user@mail.com';
    $title = "$host Firewall config alert";
    $from = 'root@cadis.net';
    open( MAIL, "|/usr/sbin/sendmail -t");
    print MAIL "EOT";

    ## Mail Header
    print MAIL "To: $to\n";
    print MAIL "From: $from\n";
    print MAIL "Subject: Firewall config change on $host\n\n";

    ## mail body
    print MAIL "Host: $host\n";
    print MAIL "Edited by: $user\n";
    print MAIL "Command issued: $command\n";
    print MAIL "Log stamp: $d_month $d_day $d_hour:$d_min.$d_sec\n";
    print MAIL "\n\n";
    print MAIL "Log message:\n";
    print MAIL "$_\n";

    print MAIL "EOT";

    close( MAIL );
}


______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
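
The loop Joe describes, as an added example that is not part of either message: a handler that stays running for a program() destination, reads one message per line from stdin, and strips control characters from the parsed fields because they come from unauthenticated network log data. The placeholder addresses, the --selftest switch and the sample line are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $SENDMAIL = '/usr/sbin/sendmail';   # path used by the script in the thread
my $TO       = 'user@example.com';     # placeholder address (assumption)
my $FROM     = 'root@example.com';     # placeholder address (assumption)
$SIG{PIPE}   = 'IGNORE';               # a failing sendmail must not kill the loop

# Parse one ASA-5-111008 line; returns a hash ref, or undef if it does not match.
sub parse_line {
    my ($line) = @_;
    return unless $line =~ /ASA-5-111008/;
    return unless $line =~ /(\w{1,3})\s+(\d{1,2})\s(\d{2}):(\d{2}):(\d{2})
                            .*?(\d{1,3}(?:\.\d{1,3}){3}).*?'(.*?)'.*?'(.*?)'/x;
    return { stamp => "$1 $2 $3:$4:$5", host => $6, user => $7,
             command => $8, raw => $line };
}

# Log fields are untrusted: strip control characters (CR/LF) before mailing.
sub build_mail {
    my ($msg) = @_;
    my %f = %$msg;
    tr/\x00-\x1f\x7f//d for values %f;
    return "To: $TO\nFrom: $FROM\n"
         . "Subject: Firewall config change on $f{host}\n\n"
         . "Host: $f{host}\nEdited by: $f{user}\n"
         . "Command issued: $f{command}\nLog stamp: $f{stamp}\n\n"
         . "Log message:\n$f{raw}\n";
}

# List-form open runs sendmail directly, without a shell.
sub send_mail {
    my ($text) = @_;
    open(my $mail, '|-', $SENDMAIL, '-t') or do { warn "sendmail: $!\n"; return 0 };
    print {$mail} $text;
    return close($mail) ? 1 : 0;
}

# Constructed sample line; --selftest prints the mail instead of sending it.
my $SAMPLE = "Jan 24 01:30:12 192.0.2.10 %ASA-5-111008: "
           . "User 'admin' executed the 'write memory' command.";
if (@ARGV && $ARGV[0] eq '--selftest') { print build_mail(parse_line($SAMPLE)); exit 0 }

# One iteration per message; the loop ends only when syslog-ng closes the pipe.
while (my $line = <STDIN>) {
    chomp $line;
    my $msg = parse_line($line) or next;   # ignore lines that do not parse
    send_mail(build_mail($msg)) or warn "mail not sent for: $line\n";
}
```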


