
Per Jessen wrote:
Carlos E. R. wrote:
If what you need is simply isolating certain messages, that can be easily done with syslog-ng: it has regexp filters, so that you can send the isolated messages to a file, socket or network destination. What I wouldn't know right now is how to trigger execution of a script, though; I'd have to think about it.
One option would be to select the needed messages and feed them to a named pipe, then have a script waiting to read from that pipe.
logsurfer is exactly such a system that reads messages and triggers events. syslog-ng is not an appropriate tool for that because it has no state. Yes, you can divert all ssh messages to one I/O stream, but that's not the problem to solve. The problem is triggering an action after $n$ messages with the same IP address have been seen in a given time frame. I.e., when one sees an IP address for the first time, one must create a new regex pattern and count the messages that arrive with that pattern in the given time frame, triggering execution of a command if that happens.

Using syslog-ng w/ named pipes would ease the handling of log-file rotation; but that's not as big an issue since logrotate solves that nicely. Nevertheless, that's an aspect that I should add to my README file... :-)

Cheers,
Joachim

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod                          Email: jschrod@acm.org
Roedermark, Germany
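The stateful matching Joachim describes (first sighting of an IP starts a counter, a command fires once $n$ matching messages arrive within the time window) is what a small log watcher has to implement itself. The script below is an added example for this thread, not logsurfer's or syslog-ng's own code: it parses sshd "Failed password" lines, keeps a sliding window of timestamps per source address, and calls an action hook once the threshold is crossed. It reads from stdin so it can sit behind the named pipe Per suggested. The log lines, the 3-in-10-minutes threshold and the year used to complete the syslog timestamps are constructed assumptions.

```python
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style syslog lines for demonstration (not from the thread).
# Addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4000 ssh2
Mar  3 10:00:03 host sshd[1235]: Failed password for root from 203.0.113.5 port 4001 ssh2
Mar  3 10:00:04 host sshd[1236]: Accepted publickey for carlos from 198.51.100.7 port 5000 ssh2
Mar  3 10:00:06 host sshd[1237]: Failed password for root from 203.0.113.5 port 4002 ssh2
Mar  3 10:00:07 host sshd[1238]: Failed password for root from 198.51.100.7 port 5001 ssh2
Mar  3 10:12:00 host sshd[1239]: Failed password for root from 198.51.100.7 port 5002 ssh2
Mar  3 10:12:01 host sshd[1240]: Failed password for root from 198.51.100.7 port 5003 ssh2
"""

# Only failed-password lines count; the regex captures the timestamp and source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+) port"
)


def parse_ts(ts, year=2024):
    """Classic syslog timestamps carry no year; we assume one (an assumption)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class RepeatTracker:
    """Per-IP sliding-window counter: fires `action` once an address produces
    `threshold` matching messages within `window_seconds`."""

    def __init__(self, threshold, window_seconds, action):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.action = action
        self.hits = defaultdict(deque)  # ip -> timestamps still inside the window
        self.fired = set()              # addresses already acted upon

    def feed(self, line):
        """Consume one log line; return the IP if the action fired, else None."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ts = parse_ts(m.group("ts"))
        ip = m.group("ip")
        q = self.hits[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the window (state syslog-ng lacks).
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and ip not in self.fired:
            self.fired.add(ip)
            self.action(ip, len(q))
            return ip
        return None


def run(lines, threshold=3, window_seconds=600):
    """Feed lines through a fresh tracker; return the addresses that triggered."""
    fired = []

    def record(ip, count):
        # Hook point: a real deployment would run its notification or block
        # command here; this example only records the event.
        fired.append(ip)
        print(f"threshold reached: {ip} ({count} failures in window)", file=sys.stderr)

    tracker = RepeatTracker(threshold, window_seconds, record)
    for line in lines:
        tracker.feed(line)
    return fired


if __name__ == "__main__":
    # With no arguments, process the constructed sample; otherwise read stdin,
    # e.g. from a named pipe that syslog-ng writes the sshd messages into.
    if len(sys.argv) > 1 and sys.argv[1] == "--stdin":
        run(sys.stdin)
    else:
        print(run(SAMPLE_LOG.splitlines()))
```

With the sample data only 203.0.113.5 trips the 3-in-600-seconds rule; 198.51.100.7 also has three failures, but the first one falls outside the window by the time the others arrive, which is exactly the per-address, time-bounded state a plain regexp filter cannot express.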