[syslog-ng] Launching command with a certain value after extracting it from patterndb

C. L. Martinez carlopmart at gmail.com
Wed Nov 5 17:37:32 CET 2014


You are right Bazsi ... There are a lot of problems with doing this. I will
use the sec.pl script as a destination to control these logs.

Many thanks for your help.

On Wed, Nov 5, 2014 at 3:06 PM, Balazs Scheidler <bazsi77 at gmail.com> wrote:
> You really want a command executed or just want to echo the value of the
> fields extracted into a file?
>
> I really wouldn't recommend trying to run a command that can be triggered
> for every incoming message, it can easily lead to a DoS, simply by flooding
> the syslog server with a lot of logs.
>
> Hmm... db-parser() is able to rate-limit actions though, the only needed
> thing is a command execution. Too bad it's too easy to inject badly
> formatted values into the command line, which is a security issue.
>
>
> In your example: cat $user, what if $user contains the string "'; rm
> -rf /"? It would get executed in an innocent-looking configuration.
>
>
> On Wed, Nov 5, 2014 at 2:47 PM, C. L. Martinez <carlopmart at gmail.com> wrote:
>>
>> Hi all,
>>
>>  Is it possible to trigger a command after extracting a field using
>> patterndb? For example I have the following log:
>>
>> Nov  4 15:18:10 myserver01 info ftps[876]: Rule Allow <ALLOW>: - MAP
>> user:mytest IP:1.1.1.1
>>
>>
>>  With patterndb, I can extract field user with for example, a value of
>> $user. Can I trigger a command like "cat $user >> /tmp/users.log"
>> without calling a script??
>>
>> Thanks.
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>
>
>
> --
> Bazsi
>
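As an added illustration of the point raised in this thread (not code from the list or from the syslog-ng project): a small Python handler of the kind that could sit behind a program() destination, fed the "Rule Allow" lines on stdin. It assumes the field boundaries of the quoted sample line (user runs up to " IP:"), parses the field itself, rejects values outside an allowlist, and appends with plain file I/O so no shell ever sees the value. The hostile sample value is the one Bazsi used; the naive command string is built only to show the breakout and is never executed.

```python
import re
import sys
from pathlib import Path

# Constructed sample in the format quoted in the thread; not from a live system.
SAMPLE_LINE = "Nov  4 15:18:10 myserver01 info ftps[876]: Rule Allow <ALLOW>: - MAP user:mytest IP:1.1.1.1"
# Constructed: the same line carrying the field value Bazsi used to illustrate the breakout.
HOSTILE_LINE = SAMPLE_LINE.replace("user:mytest", "user:'; rm -rf /")
# Assumed field boundaries: user runs up to " IP:", as a patterndb ESTRING would cut it.
RULE_RE = re.compile(r"Rule Allow <ALLOW>: - MAP user:(?P<user>.+?) IP:(?P<ip>\S+)$")
# Allowlist for what may be written; anything else is dropped, not "escaped".
SAFE_USER_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

def naive_command_line(user: str) -> str:
    """The command from the original question as a shell string. Never run here: it
    only shows that the field value becomes part of what the shell parses."""
    return f"cat '{user}' >> /tmp/users.log"

def parse_rule_line(line: str):
    """Return (user, ip) for a matching 'Rule Allow' line, else None."""
    m = RULE_RE.search(line.rstrip("\n"))
    return (m.group("user"), m.group("ip")) if m else None

def is_safe_user(user: str) -> bool:
    return SAFE_USER_RE.match(user) is not None

def process_lines(lines):
    """Parse and validate; returns (records, stats). No shell is involved at any point."""
    records, stats = [], {"matched": 0, "accepted": 0, "rejected": 0}
    for line in lines:
        parsed = parse_rule_line(line)
        if parsed is None:
            continue
        stats["matched"] += 1
        if is_safe_user(parsed[0]):
            records.append(parsed)
            stats["accepted"] += 1
        else:
            stats["rejected"] += 1  # a rejection is worth alerting on
    return records, stats

def write_records(records, out_path: Path) -> None:
    """Append with plain file I/O: the safe replacement for `cat $user >> file`."""
    with out_path.open("a", encoding="utf-8") as fh:
        fh.writelines(f"{user} {ip}\n" for user, ip in records)

if __name__ == "__main__":  # syslog-ng program() destination feeds messages on stdin
    recs, st = process_lines(sys.stdin)
    write_records(recs, Path("/tmp/users.log"))
    print(st, file=sys.stderr)
```

The rejected counter is the detection hook: a value that fails the allowlist on an authentication log is exactly the event an operator would want surfaced rather than silently dropped.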

