[syslog-ng] R: R: Destination program input

Scappatura Rocco Rocco.Scappatura at infracom.it
Mon Apr 30 15:16:59 UTC 2018


Hello.

Perfect! Problem solved using templates!

Regards,

RS

From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On behalf of Scheidler, Balázs
Sent: Tuesday, 24 April 2018 16:52
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] R: Destination program input

Because we are using the standard syslog format when sending it to a program() destination and 190 tells the facility and severity of the message.
You can customize the output using a template() option, e.g.:
program("/bin/foobar" template("$ISODATE $HOST $MSGHDR$MSG\n"));
But you can include any macro or name-value pair in the template, or even transform the output using template functions.
The template language is a pretty powerful part of syslog-ng that allows a lot of customization on how a log message is sent to a peer.
Bazsi

--
Bazsi

On Tue, Apr 24, 2018 at 4:47 PM, Scappatura Rocco <Rocco.Scappatura at infracom.it> wrote:
Hello.

I have found the problem that causes my destination program not to work.

Indeed, I see that the log lines received by the destination program are preceded by the string '<190>'.

I can't explain why these strings appear, but after updating the program so that the log lines are trimmed of the leading characters, the program has worked as I expected.

Could someone explain why the string '<190>' appears?

Regards,

Rocco



> -----Original message-----
> From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On behalf of
> Scappatura Rocco
> Sent: Monday, 23 April 2018 11:08
> To: 'syslog-ng at lists.balabit.hu' <syslog-ng at lists.balabit.hu>
> Subject: [syslog-ng] R: Destination program input
>
> Hello.
>
> Thanks for the answer Sandor Geller.
> Could you please show me a template program() destination that works
> following the logic you explained in your answer?
>
> Regards,
>
> Rocco
>
> > -----Original message-----
> > From: Scappatura Rocco
> > Sent: Friday, 20 April 2018 18:40
> > To: 'syslog-ng at lists.balabit.hu' <syslog-ng at lists.balabit.hu>
> > Subject: Destination program input
> >
> > Hello.
> >
> > I have written a C program that reads the successful POP3 access log
> > lines to my POP3 server. After getting one line, it gets the time and the
> > POP3 account that logged in. These data are then stored in the account
> > MySQL database.
> >
> > The program (named 'pop3_access') works fine:
> >
> > echo "Apr 10 12:00:17 mail1 pop3d: LOGIN, user= xxx at domain.tld,
> > ip=[::ffff:xxx.yyy.zzz.vvv], port=[56196]"|./pop3_access
> >
> > In fact, querying the DB, I get:
> >
> > username            pop3_last_access
> > xxx at domain.tld      2018-04-10 12:00:17
> >
> > I have configured syslog:
> >
> > filter f_pop3_access    { facility(local7) and match ('LOGIN,'); };
> > destination d_pop3_last_access { program("/usr/local/bin/pop3_access >/dev/null" ); };
> > log { source(src); filter(f_pop3_access); destination(d_pop3_last_access); };
> >
> > But no rows are inserted in the database..
> >
> > From the log of the destination program 'pop3_access' I see that it remains in
> > a while loop waiting for an 'EOF' that never arrives:
> >
> >    while (fgets(line, MAXSTR, stdin)) {
> >         if (sscanf(line, "%s %d %s %s %s %s %s %s %s", mese, &giorno,
> > ora, s, proto, comando, u, ip, porta) != 9){
> >                 syslog (LOG_NOTICE, "Errore scanf");
> >                 exit(-1);
> >         }
> >    }
> >
> > What do I have to do so that my program succeeds in taking the syslog row
> > correctly, and then returns after processing the data as expected?
> >
> > Regards,
> >
> > Rocco Scappatura

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
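
The leading '<190>' explained in the reply above is the syslog priority value, facility * 8 + severity, so 190 is facility 23 (local7) at severity 6 (info), which matches the facility(local7) filter in the configuration. As an added example (not from the thread and not the poster's pop3_access program), a program reading a program() destination's stdin could validate, decode and strip that prefix as follows; the names strip_pri and struct pri are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Decoded syslog priority: PRI = facility * 8 + severity. */
struct pri { int facility; int severity; };

/*
 * If line starts with "<N>", where N is 1 to 3 digits and N <= 191, store the
 * decoded priority in *out and return a pointer to the text after '>'.
 * Otherwise return line unchanged and set both fields to -1.
 * (Hypothetical helper written for this example.)
 */
const char *strip_pri(const char *line, struct pri *out)
{
    int value = 0, digits = 0;
    const char *p = line;

    out->facility = out->severity = -1;
    if (*p != '<')
        return line;
    for (p++; isdigit((unsigned char)*p) && digits < 3; p++, digits++)
        value = value * 10 + (*p - '0');
    if (digits == 0 || *p != '>' || value > 191)
        return line;            /* not a valid PRI: leave the line untouched */
    out->facility = value / 8;  /* 190 / 8 = 23 -> local7 */
    out->severity = value % 8;  /* 190 % 8 = 6  -> info   */
    return p + 1;
}

int main(void)
{
    char line[1024];
    struct pri pri;

    /* The thread reports that EOF never arrives, so each line is handled
       as soon as it is read instead of after the loop ends. */
    while (fgets(line, sizeof line, stdin)) {
        const char *msg = strip_pri(line, &pri);
        printf("facility=%d severity=%d msg=%s", pri.facility, pri.severity, msg);
        fflush(stdout);
    }
    return 0;
}
```

With the template() option from the reply, the prefix is absent and strip_pri returns the line unchanged, so the same reader works with either output format.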
