
I have a simple requirement. I want to receive all syslog messages coming from the user facility and store them in a file. If a syslog message contains a specific pattern, I want to execute a script.

I have the following configuration:

destination d_logfile { file("/var/log/logile.log"); };
destination d_start_script { program("/home/ubuntu/start-script.sh"); };
destination d_stop_script { program("/home/ubuntu/stop-script.sh"); };

# f_debug and s_network_tcp are defined elsewhere in the configuration
filter f_logfile { facility(user) and not filter(f_debug); };
filter f_filter_start { facility(user) and message("start"); };
filter f_filter_stop { facility(user) and message("stop"); };

log { source(s_network_tcp); filter(f_logfile); destination(d_logfile); };
log { source(s_network_tcp); filter(f_filter_start); destination(d_start_script); };
log { source(s_network_tcp); filter(f_filter_stop); destination(d_stop_script); };

When I start syslog-ng, it seems to loop and execute both the start and stop scripts on and off.

Am I missing something?

2 Answers


If I understand correctly, then instead of a start/stop script, you really want to have one script that processes a sequence of messages, and a way to create this sequence. Check if you can create this sequence using the grouping-by() parser, for example using the ${HOST}${PROGRAM}${PID} scope. If it's not adequate, in newer syslog-ng versions you can write your own syslog-ng destination in Python, that probably gives you enough flexibility to get the job done (but you can also write parsers in Python if needed).

Robert Fekete

As far as I know, syslog-ng calls the program destination after it has been started and sends a stream of messages to it. I use it in a similar way, but in the script I have:
while read -r line; do if echo "$line" | grep -qE "start"; then <do all you need>; fi; done

So the script runs alongside syslog-ng and waits for a message.

kenlukas
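The following dispatcher script is an added example, not code from the question or from either answer. It implements the approach in the second answer: a single program() destination starts the script once and streams every matching message to its stdin, so the script loops over stdin instead of exiting after the first match (syslog-ng restarts the child whenever it exits, which is what two separate program() destinations with short-lived scripts look like from the outside). The script path /home/ubuntu/dispatch.sh, the destination and filter names, and the explicit template() in the commented config are this example's own assumptions; the start/stop script paths are taken from the question. Two details go beyond the answers: only an exact "start" or "stop" token counts (message("start") is a regex substring match and also fires on "restarted"), and the scripts run only on a state transition, so a burst of repeated "start" messages runs start-script.sh once.

```shell
#!/bin/sh
# dispatch.sh (hypothetical path: /home/ubuntu/dispatch.sh)
#
# Fed by ONE syslog-ng program() destination. syslog-ng starts the script once
# and writes every matching message to its stdin, one line each, so the script
# must loop over stdin instead of exiting after the first match (an exit makes
# syslog-ng respawn it, which looks like the start/stop "loop" in the question).
#
# Assumed syslog-ng side (names, path and template are this example's own):
#
#   destination d_dispatch {
#       program("/home/ubuntu/dispatch.sh --run"
#               template("${ISODATE} ${HOST} ${PROGRAM}: ${MESSAGE}\n"));
#   };
#   # anchored regex: "start" alone, not "restarted" or "starting"
#   filter f_control { facility(user) and message("^(start|stop)$"); };
#   log { source(s_network_tcp); filter(f_control); destination(d_dispatch); };

set -eu

START_SCRIPT=${START_SCRIPT:-/home/ubuntu/start-script.sh}
STOP_SCRIPT=${STOP_SCRIPT:-/home/ubuntu/stop-script.sh}

# classify LINE: map one delivered line to an event name: start, stop or ignore.
# The header "${ISODATE} ${HOST} ${PROGRAM}: " is removed up to the first ": ",
# and only an exact token (optionally followed by whitespace) counts, so a
# message such as "service restarted" is ignored rather than treated as "start".
classify() {
    msg=${1#*: }
    case $msg in
        start|start[[:space:]]*) printf 'start\n' ;;
        stop|stop[[:space:]]*)   printf 'stop\n' ;;
        *)                       printf 'ignore\n' ;;
    esac
}

# transition STATE EVENT: print the new state (stopped|started). Only the two
# real transitions change state, so a burst of repeated "start" messages runs
# the start script once instead of once per line.
transition() {
    case "$1/$2" in
        stopped/start) printf 'started\n' ;;
        started/stop)  printf 'stopped\n' ;;
        *)             printf '%s\n' "$1" ;;
    esac
}

# process MODE: read delivered lines from stdin until syslog-ng closes the pipe
# (reload or shutdown). MODE "run" executes the script for each transition;
# MODE "dry" prints the script path instead, which is what the demo below uses.
process() {
    mode=${1:-run}
    st=stopped
    while IFS= read -r line; do
        ev=$(classify "$line")
        nxt=$(transition "$st" "$ev")
        [ "$nxt" != "$st" ] || continue
        case $nxt in
            started) target=$START_SCRIPT ;;
            *)       target=$STOP_SCRIPT ;;
        esac
        # The log line itself is never interpolated into a command or passed as
        # an argument: a remote sender can choose WHICH fixed script runs, never
        # WHAT runs. Keep it that way (no eval, no $line on a command line).
        if [ "$mode" = dry ]; then
            printf '%s\n' "$target"
        else
            "$target"
        fi
        st=$nxt
    done
}

# demo: constructed sample lines in the assumed template; prints the two
# script invocations this stream would produce (start once, then stop once).
demo() {
    printf '%s\n' \
        '2024-05-01T10:00:00+00:00 sensor01 ctl: start' \
        '2024-05-01T10:00:01+00:00 sensor01 ctl: start' \
        '2024-05-01T10:00:02+00:00 sensor01 ctl: service restarted' \
        '2024-05-01T10:00:03+00:00 sensor01 ctl: stop' \
        | process dry
}

case ${1:-} in
    --run)  process run ;;   # what the program() destination invokes
    --demo) demo ;;
esac
```

Run it as `dispatch.sh --demo` to see the dry-run plan for the constructed lines; the program() destination invokes it with `--run`. Because the filter already reduces the stream to bare "start"/"stop" messages, the token check in classify is defence in depth for the day someone loosens the filter, and the transition table keeps a misbehaving sender from re-running the start script on every repeated message.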