[syslog-ng] R: Destination program input

Scheidler, Balázs balazs.scheidler at balabit.com
Tue Apr 24 14:51:35 UTC 2018


Because we are using the standard syslog format when sending it to a
program() destination and 190 tells the facility and severity of the
message.

You can customize the output using a template() option, e.g.:

program("/bin/foobar" template("$ISODATE $HOST $MSGHDR$MSG\n"));

But you can include any macro or name-value pair in the template, or even
transform the output using template functions.

The template language is a pretty powerful part of syslog-ng that allows a
lot of customization on how a log message is sent to a peer.

Bazsi


On Tue, Apr 24, 2018 at 4:47 PM, Scappatura Rocco <
Rocco.Scappatura at infracom.it> wrote:

> Hello.
>
> I have found the problem that causes my destination program not to work.
>
> Indeed, I see that the log lines received by the destination program are
> preceded by the string '<190>'.
>
> I can't explain why this string appears, but after updating the program so
> that the log lines are trimmed of the leading characters, the program has
> worked as I expected.
>
> Could someone explain why the string '<190>' appears?
>
> Regards,
>
> Rocco
>
>
>
> > -----Original Message-----
> > From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of
> > Scappatura Rocco
> > Sent: Monday, 23 April 2018 11:08
> > To: 'syslog-ng at lists.balabit.hu' <syslog-ng at lists.balabit.hu>
> > Subject: [syslog-ng] R: Destination program input
> >
> > Hello.
> >
> > Thanks for the answer Sandor Geller.
> > Could you please show me a template program() destination that works
> > following the logic you explained in your answer?
> >
> > Regards,
> >
> > Rocco
> >
> > > -----Original Message-----
> > > From: Scappatura Rocco
> > > Sent: Friday, 20 April 2018 18:40
> > > To: 'syslog-ng at lists.balabit.hu' <syslog-ng at lists.balabit.hu>
> > > Subject: Destination program input
> > >
> > > Hello.
> > >
> > > I have written a C program that reads the successful POP3 access log
> > > lines to my POP3 server. After getting one line, it gets the time and the
> > > POP3 account that logged in. These data are then stored in the account
> > > MySQL database.
> > >
> > > The program (named 'pop3_access') works fine:
> > >
> > > echo "Apr 10 12:00:17 mail1 pop3d: LOGIN, user= xxx at domain.tld,
> > > ip=[::ffff:xxx.yyy.zzz.vvv], port=[56196]"|./pop3_access
> > >
> > > In fact, querying the DB, I get:
> > >
> > > username            pop3_last_access
> > > xxx at domain.tld      2018-04-10 12:00:17
> > >
> > > I have configured syslog:
> > >
> > > filter f_pop3_access    { facility(local7) and match ('LOGIN,'); };
> > > destination d_pop3_last_access { program("/usr/local/bin/pop3_access >/dev/null" ); };
> > > log { source(src); filter(f_pop3_access); destination(d_pop3_last_access); };
> > >
> > > But no rows are inserted in the database.
> > >
> > > From the log of the destination program 'pop3_access' I see that it
> > > remains in a while loop waiting for an 'EOF' that never arrives:
> > >
> > >    while (fgets(line, MAXSTR, stdin)) {
> > >         if (sscanf(line, "%s %d %s %s %s %s %s %s %s", mese, &giorno,
> > >                    ora, s, proto, comando, u, ip, porta) != 9) {
> > >                 syslog (LOG_NOTICE, "Errore scanf");
> > >                 exit(-1);
> > >         }
> > >    }
> > >
> > > What do I have to do so that my program succeeds in taking the syslog
> > > row correctly, and then returns after processing the data as expected?
> > >
> > > Regards,
> > >
> > > Rocco Scappatura
> > __________________________________________________________
> > ____________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation:
> > http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
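
Added example, not part of the original thread and not the poster's pop3_access program: a small C reader that decodes the '<190>' prefix discussed above instead of trimming it blindly. The priority value is facility * 8 + severity, so 190 is facility 23 (local7) at severity 6 (info). The names parse_pri and struct pri and the 1024-byte buffer are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Decoded syslog priority: PRI = facility * 8 + severity (RFC 3164 / RFC 5424). */
struct pri { int facility; int severity; };

/*
 * Parse a leading "<PRI>" from one line. On success fill *out and return a
 * pointer to the text after '>'. Return NULL if the prefix is missing or
 * malformed (no digits, more than 3 digits, value above 191, no closing '>').
 */
const char *parse_pri(const char *line, struct pri *out)
{
    int value = 0, digits = 0;
    const char *p = line;

    if (*p++ != '<')
        return NULL;
    while (*p >= '0' && *p <= '9') {
        if (++digits > 3)
            return NULL;
        value = value * 10 + (*p++ - '0');
    }
    if (digits == 0 || *p != '>' || value > 191)
        return NULL;
    out->facility = value >> 3;
    out->severity = value & 7;
    return p + 1;
}

/* Reads lines the way a program() destination receives them on stdin. */
int main(void)
{
    char line[1024];              /* hypothetical buffer size */
    struct pri pri;

    while (fgets(line, sizeof line, stdin)) {
        const char *msg = parse_pri(line, &pri);
        if (msg == NULL) {        /* no prefix: treat whole line as message */
            msg = line;
            pri.facility = pri.severity = -1;
        }
        line[strcspn(line, "\n")] = '\0';
        printf("facility=%d severity=%d msg=%s\n", pri.facility, pri.severity, msg);
        fflush(stdout);           /* handle each line as it arrives, not at EOF */
    }
    return 0;
}
```

The same reader accepts lines with or without the prefix, so it keeps working if the destination is later given a template() that omits the priority.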