syslog-ng execute script on syslog pattern

Question

I have a simple requirement. I want to receive all syslog messages coming from user facility and store them in a file. If the syslog message contains a specific pattern, I want to execute a script.

I have the following configuration,

destination d_logfile { file("/var/log/logile.log"); }; destination d_start_script { program("/home/ubuntu/start-script.sh"); }; destination d_stop_script { program("/home/ubuntu/stop-script.sh"); }; filter f_logfile { facility(user) and not filter(f_debug); }; filter f_filter_start { facility(user) and message("start"); }; filter f_filter_stop { facility(user) and message("stop"); }; log { source(s_network_tcp); filter(f_logfile); destination(d_logfile); }; log { source(s_network_tcp); filter(f_filter_start); destination(d_start_script; }; log { source(s_network_tcp); filter(f_filter_stop; destination(d_stop_script); }; 

when I start syslog-ng it seems to loop and execute both start and stop scripts on and off.

am I missing something?

Answer 1

If I understand correctly, then instead of a start/stop script, you really want to have one script that processes a sequence of messages, and a way to create this sequence. Check if you can create this sequence using the grouping-by() parser, for example using the ${HOST}${PROGRAM}${PID} scope. If it's not adequate, in newer syslog-ng versions you can write your own syslog-ng destination in Python, that probably gives you enough flexibility to get the job done (but you can also write parsers in Python if needed).

Answer 2

As I know syslog-ng calls the program destination after it has been started and sends a stream to them. I use it a similar way, but in the script have:
if grep -qE "start" ; then <do all you needs>

So the script runs with syslog and wait a message.