[syslog-ng] R: Destination program input

Tue Apr 24 14:47:09 UTC 2018

Hello.

I have found the problem that cause my destination program not work.

Indeed I see that the log line received by the destination program are preceeded by the string '<190>'.

I can't explain why this strings appear, but after updating the program so that the log line are trimmed of the leading characters, the program has worked as I expected.

Could someone explain why the string '<190>' appear?

Regards,

Rocco

> -----Messaggio originale-----
> Da: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] Per conto di
> Scappatura Rocco
> Inviato: lunedì 23 aprile 2018 11:08
> A: 'syslog-ng at lists.balabit.hu' <syslog-ng at lists.balabit.hu>
> Oggetto: [syslog-ng] R: Destination program input
> 
> Hello.
> 
> Thanks for the answer Sandor Geller.
> Could you please show me a template program() destination that works
> following the logic you explained in your answer?
> 
> Regards,
> 
> Rocco
> 
> > -----Messaggio originale-----
> > Da: Scappatura Rocco
> > Inviato: venerdì 20 aprile 2018 18:40
> > A: 'syslog-ng at lists.balabit.hu' <syslog-ng at lists.balabit.hu>
> > Oggetto: Destination program input
> >
> > Hello.
> >
> > I have written a C program that read the successful POP3 access log
> > lines to my POP3 server. After get one line, it get the time and the
> > POP3 account that logged in. These data are then stored in the account
> MySQL database.
> >
> > The program (named 'pop3_access') works fine:
> >
> > echo "Apr 10 12:00:17 mail1 pop3d: LOGIN, user= xxx at domain.tld,
> > ip=[::ffff:xxx.yyy.zzz.vvv], port=[56196]"|./pop3_access
> >
> > Infact quering DB, I get:
> >
> > username		pop3_last_access
> > xxx at domain.tld	2018-04-10 12:00:17
> >
> > I have configured syslog:
> >
> > filter f_pop3_access    { facility(local7) and match ('LOGIN,'); };
> > destination d_pop3_last_access { program("/usr/local/bin/pop3_access
> > >/dev/null" ); }; log { source(src); filter(f_pop3_access);
> > destination(d_pop3_last_access); };
> >
> > But no rows are inserted in the database..
> >
> > From log of destination program 'pop3_access'  I see the it remains in
> > a while loop waiting for an 'EOF' that never arrives:
> >
> >    while (fgets(line, MAXSTR, stdin)) {
> >         if (sscanf(line, "%s %d %s %s %s %s %s %s %s", mese, &giorno,
> > ora, s, proto, comando, u, ip, porta) != 9){
> >                 syslog (LOG_NOTICE, "Errore scanf");
> >                 exit(-1);
> >         }
> >    }
> >
> > How I have to do so that my program succeed in taking the syslog row
> > correctly, and then returns after process the data as expected?
> >
> > Regards,
> >
> > Rocco Scappatura
> __________________________________________________________
> ____________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq