Solved rc.d scripting assistance for u2eve

K

Khaine

Hi,

I am using ids-tools to convert read unified2 log files from security/snort and output events as JSON. I've written a rc.d script to start ids-tools at start-up but it doesn't appear to work.

This is the rc.d script I've drafted. I am terrible at shell scripting. Could someone help me debug the script and get it to work.

Code: 
#!/bin/sh

# PROVIDE: u2eve
# REQUIRE: DAEMON
# BEFORE: LOGIN
# KEYWORD: shutdown

. /etc/rc.subr

name="u2eve"
rcvar="u2eve_enable"
load_rc_config $name

: ${u2eve_enable:="NO"}

# daemon

start_precmd=u2eve_enable_prestart
command=/usr/sbin/daemon

pidfile="/var/run/${name}"
command_args="-rP ${pidfile} /usr/local/bin/idstools-u2eve --directory /var/log/snort/ --snort-conf /usr/local/etc/snort/snort.conf --prefix snort.alert --follow --bookmark --delete --output /var/log/snort/snort.json"


Many thanks

Khaine
 
Code: 
start_precmd=u2eve_enable_prestart

Adding this means you need to create a function called u2eve_enable_prestart, which you don't have. Typically you use the precmd to test if the configuration is valid or not. If you don't have that function, remove the line.
 
SirDice said:
Code: 
start_precmd=u2eve_enable_prestart

Adding this means you need to create a function called u2eve_enable_prestart, which you don't have. Typically you use the precmd to test if the configuration is valid or not. If you don't have that function, remove the line.
Click to expand...

That makes sense. I've embedded the configuration within the rc.d script and as such have removed that line, however the script still doesn't work.
 
Does the script produce syntax errors or does it simply not do what you want? To find what it's doing run it like this: sh -x /usr/local/etc/rc.d/u2eve start. The -x will cause the shell to print everything giving you some insights into what it's doing.
 
Thank you so much for your help. Using sh -x I managed to figure out a number of my errors (including not having run_rc_command "$1") and it now works :). I've replicated my corrected version below for reference in case anyone else is looking to push snort logs into ELK

Code: 
#!/bin/sh

# PROVIDE: idstools-u2json
# REQUIRE: DAEMON
# BEFORE: LOGIN
# KEYWORD: shutdown

. /etc/rc.subr


name="u2json"
rcvar="${name}_enable"
load_rc_config $name

: ${u2json_enable:="NO"}
: ${u2json_config:="--directory /var/log/snort/ --snort-conf /usr/local/etc/snort/snort.conf --prefix snort.alert --follow --delete --output /var/log/snort/snort.json"}

# daemon
start_precmd=u2json_prestart
command=/usr/sbin/daemon
pidfile="/var/run/${name}"
command_args="-rP ${pidfile} /usr/local/bin/idstools-u2json ${u2json_config}"

u2json_prestart() {
# Have to empty rc_flags so they don't get passed to daemon(8)
                rc_flags=""
}

run_rc_command "$1"
 
You must log in or register to reply here.
Back
Top