From owner-freebsd-questions@freebsd.org Wed Apr 5 19:29:23 2017 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D1093D3082D for ; Wed, 5 Apr 2017 19:29:23 +0000 (UTC) (envelope-from luzar722@gmail.com) Received: from mail-it0-x230.google.com (mail-it0-x230.google.com [IPv6:2607:f8b0:4001:c0b::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 9811730B for ; Wed, 5 Apr 2017 19:29:23 +0000 (UTC) (envelope-from luzar722@gmail.com) Received: by mail-it0-x230.google.com with SMTP id y18so89224818itc.0 for ; Wed, 05 Apr 2017 12:29:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-transfer-encoding; bh=67YEWAt9X0+cEl/cTmHAtZlGF/CHh6+txTl8DU+/DWA=; b=DoyosV+IoMjpnJiGAf3FNH4sprlqIkMjzYxSmNL5BjcSWie7Xi2CsRsnV0yDzp+e4v HL4W25NsvEzPchDZqMR68xF/jptgKGaFVlKvJ4MQEhepe2dt2KKYgj6j1tJsLlth8x9J OPVh2t2yPgLtfJVVHquo8WXVNEY0tVJ4fu07vygnDGTUR07df1JjMjoOvXIHXy1feJFQ wujjIon2K3g616fbpHNecZvT3141CXXRcv7zTZsqnozSSzoO9eCQpawiXfivp/jh3lfH /yr840OkTIKADabt/0OxvTTevMn4TSl0D16EX4IpKUlOSSnLW5zcbc+QFhd/A+jfqjZ8 j42w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-transfer-encoding; bh=67YEWAt9X0+cEl/cTmHAtZlGF/CHh6+txTl8DU+/DWA=; b=Eg5//P+0+5dfNNuZMVqB8dSR0hpHIU6QRr1kI+ieMSwmMdCFEVe/Pth6hjMY4F9/Cq rAquzjjZNI01hFJfveM1kyjogkTDswShWjrnZiSPYQjLKua3yOcwrIuG+1WvqW2u1L7p XNsXCUAtQB0mcnZtlzXDVWxYrO+sBDeeq2+/IriQWopseHn95PYbLq/0M1I9w4T44TM7 iSatsWkwj79N1OtwY58+Hfywll1Vc2UNaJ0vUOhILDGx2xZ3q3XuicR9uU/7DrEa9prz bMLyrxCh+j2cpZRnkXywRm4BpkIfyt/4gO9OXYJuxg8OMf9fFJTh8IU5ifQvnWVN3Keq 8u4A== X-Gm-Message-State: AFeK/H37DZ6LRhIl3ZAQY/9OYDf2/F/UNM+DqziebnZ3iOK0uzVCCPWV 2uI11PogEVqIJVtC X-Received: by 10.36.199.197 with SMTP id t188mr22173494itg.85.1491420562894; Wed, 05 Apr 2017 12:29:22 -0700 (PDT) Received: from [10.0.10.3] (cpe-74-141-88-57.neo.res.rr.com. [74.141.88.57]) by smtp.googlemail.com with ESMTPSA id u191sm9114450ita.15.2017.04.05.12.29.22 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 05 Apr 2017 12:29:22 -0700 (PDT) Message-ID: <58E545A4.6070407@gmail.com> Date: Wed, 05 Apr 2017 15:29:40 -0400 From: Ernie Luzar User-Agent: Thunderbird 2.0.0.24 (Windows/20100228) MIME-Version: 1.0 To: Ian Smith CC: freebsd-questions@freebsd.org Subject: Re: syslog.conf - log records to a script References: <20170405234624.T53970@sola.nimnet.asn.au> In-Reply-To: <20170405234624.T53970@sola.nimnet.asn.au> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Apr 2017 19:29:23 -0000 Ian Smith wrote: > In freebsd-questions Digest, Vol 670, Issue 3, Message: 7 > On Tue, 04 Apr 2017 15:22:15 -0400 Ernie Luzar wrote: > > > In syslog.conf I have these 2 lines. > > local0.* /var/log/security > > local0.* | exec /usr/local/bin/ipf.table > > The example in syslog.conf(5) uses no space between '|' and 'exec'. I'm > not sure whether that matters, but it's easy to test. > > > The security log file is being populated and working fine. > > Now I want to pipe the same log records to a script for processing. > > > > I'm using a very simple script to verify that the test script is being > > handed all the log records. My test ipf.table script looks like this, > > > > #! /bin/sh > > It's traditional (at least) to have no space between '#!' and '/bin/sh'. > I'm not entirely sure that matters either, but it's also an easy test. > > > read line > > echo "$line" >> /var/log/ipf.table.log > > > > When I issue "service syslogd restart" I get no errors. > > > > The ipf.table.log gets populated with the first log record and them > > nothing happens after that even though I can see more entries being > > logged to /var/log/security. > > > > What am I doing wrong here? > > I'm not sure :) > > Is /usr/local/bin/ipf.table owned by root and set executable? > Any error reports in /var/log/messages or /var/log/console.log? > > cheers, Ian > Thank you for desk checking this. All ways better to have a second pair of eyes looking things over. I made the changes you suggested and like you though it made no difference. The script permissions are correct. If they were not, the single record would not have processed. I issued "ps ax" and I don't see the ipf.table script running. I made this simple change to the ipf.table script; while read line; do echo "$line" >> /var/log/ipf.table.log done exit 0 Now the "ps ax" command shows it running and the /var/log/ipf.table.log file has the same content as the /var/log/security file. So its working like I wanted. Don't understand why, but thats ok. Thanks for your help.