Rsyslog: execute script on matching log event

rsyslog

I have the following line in my /etc/rsyslog.conf

:programname, contains, "suhosin" /var/log/suhosin.log

which logs all php security related incidents to /var/log/suhosin.log. That is nice, but I would like rsyslog to execute my script action.sh instead of logging to file. How could I do that?

Best Answer

You are looking for omprog.

module(load="omprog")
action(type="omprog"
       binary="/pathto/omprog.py --parm1=\"value 1\" --parm2=\"value2\"
       template="RSYSLOG_TraditionalFileFormat")

See the docs for more details: http://www.rsyslog.com/doc/v8-stable/configuration/modules/omprog.html

Related Solutions

Rsyslog rule inconsistently applied

From the output you've given it looks like the python script is not sending all the pieces of the syslog message that rsyslog is expecting. It appears as if the "{FILTER}" part is where the host and app name should be. You can pretty easily prove this by running rsyslogd with the -d flag then sending the message from python and then from logger. You'll see the raw message as it comes from the socket that way and I bet you'll see that logger is sending more fields in front of the "{FILTER}" part.

Ubuntu – Rsyslog not creating log files

Create /dev/xconsole and set its correct ownership and permissions:

sudo touch /dev/xconsole
sudo chgrp syslog /dev/xconsole
sudo chmod 664 /dev/xconsole

Restart the rsyslog service as follows:

Ubuntu 14.04

sudo service rsyslog restart

Ubuntu 16.04 and later, using systemd

sudo systemctl restart rsyslog

Verify the error message no longer appears:

tail -n100 /var/log/syslog | grep rsyslog

Best Answer

Related Solutions

Rsyslog rule inconsistently applied

Ubuntu – Rsyslog not creating log files

Related Question