
Using program destination and the program is not started - used to work

Read August 03, 2008, 04:29:03 am #0
Glidos

Using program destination and the program is not started - used to work

For some time, I've been getting syslog-ng to send email to root for certain events, using destination program, with the script listed at the end of this post. It worked fine until I upgraded my server to use SuSE 11.0, which uses syslog-ng v1.6.12. Now the program is never executed.

Anyone any ideas?

The man pages that I have on my server don't mention "program" as a valid destination, so I wondered if the feature might have been taken out, but that seems unlikely.


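#!/usr/bin/perl
# file: syslog-mail
# spec: reads a line of input and mails it, designed to be a destination for syslog-ng

use strict;
use warnings;

$0='syslog-mail';
$|=1;

# Announce start-up by mail, so it is visible whether syslog-ng launched the program
open(MAILER, '|-', '/usr/sbin/sendmail', 'root') or die "cannot run sendmail: $!";
print MAILER "Subject: syslog-mail started\n\nHello";
close MAILER;

# syslog-ng writes one log message per line to this program's STDIN
while (my $msg = <STDIN>)
{
  # Fields of "<pri>date host program[pid]: message"; all undefined if the line does not match
  my ($pri,$date,$host,$esrc,$evid,$emsg) = $msg =~ m/<(\d+)>(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ([\w\.\-]+) ([\w ]+)\[(\d+)\]: (.+)/o;
  $emsg = '' unless defined $emsg;
  my ($ip) = $emsg =~ m/.* from ([\w\.]+).*/o;
  my ($stat) = $emsg =~ m/(Accepted ).*/o;
  # Empty strings for missing fields keep the Subject line free of "uninitialized" warnings
  for ($host, $esrc, $stat, $ip) { $_ = '' unless defined $_; }
  open(MAILER, '|-', '/usr/sbin/sendmail', 'root')
    or do { warn "cannot run sendmail: $!"; next; };
  print MAILER "Subject: syslog: $host $esrc $stat$ip\n\n$msg";
  close MAILER;
}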
Read August 03, 2008, 06:42:15 am #1
mutex

Re: Using program destination and the program is not started - used to work

The program() destination driver does exist in 1.6.12. Do you get any error messages when running syslog-ng in debug mode?
Read August 03, 2008, 07:16:45 am #2
Glidos

Re: Using program destination and the program is not started - used to work

I just killed the syslog process, and then ran "syslog-ng -d" in a shell. I seemed to get nothing on stdout, and a huge number of lines on stderr. Here's a snapshot, with some bits that might be relevant, but I don't really know what I'm looking at.


gc_mark: Marking object of class 'log_connection' (26)
gc_mark: Marking object of class 'log_endpoint_info' (27)
gc_mark: Marking object of class 'log_endpoint_info' (27)
gc_mark: Marking object of class 'log_endpoint_info' (27)
gc_mark: Marking object of class 'log_dest_group' (28)
gc_mark: Marking object of class 'affile_dest' (29)
gc_mark: Marking object of class 'log_connection' (27)
gc_mark: Marking object of class 'log_endpoint_info' (28)
gc_mark: Marking object of class 'log_endpoint_info' (28)
gc_mark: Marking object of class 'log_endpoint_info' (28)
gc_mark: Marking object of class 'log_dest_group' (29)
gc_mark: Marking object of class 'afprogram_dest' (30)
gc_mark: Marking object of class 'afsocket_source_close_callback' (5)
gc_mark: Marking object of class 'afprogram_child' (3)
gc_mark: Marking object of class 'UNKNOWN' (1)
gc_mark: Marking object of class 'UNKNOWN' (1)
syslog-ng version 1.6.12 going down
gc_mark: Marking object of class 'syslog_backend' (0)
gc_mark: Marking object of class 'syslog_config' (1)
gc_mark: Marking object of class 'resource_list' (2)
gc_mark: Marking object of class 'io_fd' (3)
gc_mark: Marking object of class 'pkt_buffer' (4)
gc_mark: Marking object of class 'io_fd' (4)
gc_mark: Marking object of class 'log_reader' (5)
gc_mark: Marking object of class 'afsocket_source_connection' (6)
Read August 03, 2008, 09:45:35 am #3
Glidos

Re: Using program destination and the program is not started - used to work

Here's what I get after filtering out all the gc_mark lines, which I guess are something to do with garbage collection. I can't see anything that looks like an error.


syslog-ng -d 2>&1 | sed -e '/^gc_mark/d'
filter expr check: {filter_expr_op} (f_remotesshd)
filter expr check: {filter_expr_op} (f_remotesshd)
filter expr check: {filter_expr_op} (f_remotesshd)
filter expr check: {filter_expr_op} (f_warn)
filter expr check: {filter_expr_call} (f_warn)
filter expr check: {filter_expr_op} (f_warn => f_iptables)
filter expr check: {filter_expr_op} (f_warn => f_iptables)
filter expr check: {filter_expr_op} (f_messages)
filter expr check: {filter_expr_call} (f_messages)
filter expr check: {filter_expr_op} (f_messages => f_iptables)
filter expr check: {filter_expr_op} (f_messages => f_iptables)
filter expr check: {filter_expr_op} (f_acpid)
filter expr check: {filter_expr_op} (f_mail)
filter expr check: {filter_expr_op} (f_mailerr)
filter expr check: {filter_expr_op} (f_mailwarn)
filter expr check: {filter_expr_op} (f_mailinfo)
filter expr check: {filter_expr_op} (f_newserr)
filter expr check: {filter_expr_op} (f_newscrit)
filter expr check: {filter_expr_op} (f_newsnotice)
filter expr check: {filter_expr_op} (f_console)
filter expr check: {filter_expr_op} (f_console)
filter expr check: {filter_expr_op} (f_console)
filter expr check: {filter_expr_call} (f_console)
filter expr check: {filter_expr_op} (f_console => f_iptables)
filter expr check: {filter_expr_op} (f_console => f_iptables)
filter expr check: {filter_expr_op} (f_console)
filter expr check: {filter_expr_op} (f_iptables)
filter expr check: {filter_expr_op} (f_iptables)
io.c: Preparing fd 3 for reading
io.c: Preparing fd 4 for reading
io.c: Preparing fd 6 for writing
syslog-ng version 1.6.12 starting
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 5 for writing
io.c: Preparing fd 6 for writing
Read August 06, 2008, 07:47:53 am #4
Glidos

PLEASE HELP! Re: Using program destination and the program is not started

No one any ideas? I have no idea what else I can try to sort this out.
Read August 06, 2008, 10:00:01 am #5
mutex

Re: Using program destination and the program is not started - used to work

I recommend subscribing to this list: https://lists.balabit.hu/mailman/listinfo/syslog-ng and posting your question there.
Read August 06, 2008, 11:26:31 am #6
Glidos

Re: Using program destination and the program is not started - used to work

Thanks for your advice. Turns out it was AppArmor. I didn't realise I had it enabled. Strange: it seems to be configured to constrain syslog-ng and no other daemons on my system. Anyway, I've just turned it off.
Read August 06, 2008, 01:31:09 pm #7
mutex

Re: Using program destination and the program is not started - used to work

That is the 3rd time I've been bitten by AppArmor. I'm very glad you got it squared away.
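
A way to confirm the cause found in this thread from the audit log, as an added example that is not part of the original posts: it summarises AppArmor denials recorded against one profile. The sample records are constructed in the commonly seen `apparmor="DENIED"` key=value layout (older releases may log a different layout), and the profile name /sbin/syslog-ng and script path /usr/local/bin/syslog-mail are assumptions.

```shell
#!/bin/sh
# Summarise AppArmor denials recorded against one profile.
# Reads audit/kernel log text on stdin; prints "count operation denied_mask name".

# Constructed sample records (not taken from the thread). The profile name,
# paths, pids and timestamps are assumptions made up for illustration.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1218020000.101:41): apparmor="DENIED" operation="exec" profile="/sbin/syslog-ng" name="/usr/local/bin/syslog-mail" pid=2101 comm="syslog-ng" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1218020060.412:42): apparmor="DENIED" operation="exec" profile="/sbin/syslog-ng" name="/usr/local/bin/syslog-mail" pid=2150 comm="syslog-ng" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1218020061.007:43): apparmor="ALLOWED" operation="open" profile="/sbin/syslog-ng" name="/var/log/messages" pid=2150 comm="syslog-ng" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1218020090.555:44): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.keys" pid=990 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

apparmor_denials() {
  # $1 = profile name to report on
  awk -v want="$1" '
    # Return the value of key="value" in the current record, or "" if absent
    function field(key,   re, s) {
      re = key "=\"[^\"]*\""
      if (match($0, re) == 0) return ""
      s = substr($0, RSTART, RLENGTH)
      sub("^" key "=\"", "", s); sub("\"$", "", s)
      return s
    }
    # Count only enforced denials for the requested profile
    field("apparmor") == "DENIED" && field("profile") == want {
      seen[field("operation") " " field("denied_mask") " " field("name")]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -rn
}

# Stand-alone run over the constructed sample
sample_audit_log | apparmor_denials "/sbin/syslog-ng"
```

A repeated `exec` denial naming the program() script is the signature of the problem described in this thread. The denied path and mask identify the rule the syslog-ng profile lacks, which is a narrower change than switching AppArmor off.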