no mail being generated

[sal_]

Hi everyone.

I am trying to send mail notifications using the syslog-ng program() function and it's not working

I use the same filter to log to a file and the data is going to the file correctly.
When I run the script manually "grep ASA-5-111008 log_file | /usr/local/bin/cisco-cfg.pl" mail is generated.

I am including the syslog-ng.cfg snippet and the cisco-cfg.pl code.

Any ideas how I can trouble shoot why the email is not being sent from syslog-ng

Thanks for you help


syslog-ng.conf
===========
source external {
    udp(port(514));
    tcp(ip(0.0.0.0) port(5000) max-connections(300));
    };

destination d_cisco_config{
    program ("/usr/local/bin/cisco-cfg.pl");
    };

destination test {
    file ("/var/log/HOSTS/test");
    };

filter f_firewall_config{
    match("ASA-6-605005") or
    match("ASA-5-111008");
    };

log {
    #log to file to test that filter is working
    source(external);
    filter(f_firewall_config);
    destination(test);
    };

log {
    source (external);
    filter (f_switch_config);
    destination(d_cisco_config);
    };

/usr/local/bin/cisco-cfg.pl
================
#!/usr/bin/perl -n                                   
use strict;                                           
use warnings;                                         

my $d_month = "";
my $d_day   = "";
my $d_hour  = "";
my $d_min   = "";
my $d_sec   = "";
my $host    = "";
my $user    = "";
my $command = "";
my $user_pc   = "";
my $interface = "";
my $title = "";   
my $to = "";       
my $from = "";     
my $subject = ""; 

if (/ASA\-5\-111008/)
{                   
    /(\w{1,3})\s*(\d{1,2})\s(\d{2})\d{2})\d{2}).*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*?'(.*?)'.*?'(.*?)'/;
    $d_month = $1;                                                                                             
    $d_day   = $2;                                                                                             
    $d_hour  = $3;                                                                                             
    $d_min   = $4;                                                                                             
    $d_sec   = $5;                                                                                             
    $host    = $6;                                                                                             
    $user    = $7;                                                                                             
    $command = $8;                                                                                             

    $to = 'user@mail.com';
    $title = "$host Firewall config alert";
    $from = 'root@cadis.net';   
    open( MAIL, "|/usr/sbin/sendmail -t");
    print MAIL "EOT";                     

    ## Mail Header
    print MAIL "To: $to\n";
    print MAIL "From: $from\n";
    print MAIL "Subject: Firewall config change on $host\n\n";

    ## mail body
    print MAIL "Host: $host\n";
    print MAIL "Edited by: $user\n";
    print MAIL "Command issued: $command\n";
    print MAIL "Log stamp: $d_month $d_day $d_hour:$d_min.$d_sec\n";
    print MAIL "\n\n";
    print MAIL "Log message:\n";
    print MAIL "$_\n";

    print MAIL "EOT";

    close( MAIL );
}

[Admin]

I will admit I am not a perl guy, but I do have a working email script.  I use this, which works quite well:

Code:

#!/usr/bin/perl -n
# thanks to Brian Dowling for an example with security in mind.

$TO = 'root@localhost';
$FROM = $TO;

s/^<\d{1,2}>//;

open(MAIL, "|/usr/sbin/sendmail -t");

print MAIL <<"EOT";
To: $TO
From: $FROM
Subject: Log Alert: $_

$_

EOT

close(MAIL);

The problem with the script you're using may be a problem with the if () condition at the top, which prevents the mail from being sent, but I am not certain.

[sal_]

Thanks for the reply.  I tried trouble shooting by taking out the if statement and still nothing.

I also tried writing to a file

print "test\n";
print "$_\n";

and only the "test" string is being written.
I think syslog-ng is not passing the data.

[Admin]

I was just looking at your config again and noticed that in this log statement:
log {
    source (external);
    filter (f_switch_config);
    destination(d_cisco_config);
    };

There does not appear to be a filter by the name of f_switch_config defined.  Is that defined elsewhere in the syslog-ng.conf file?

[sal_]

Thanks, I fixed the filter name.

I think I'm making progress, I got one email delivered.

[Admin]

good deal.  let us know what you find or get need additional help