Solved rc.d scripting assistance for u2eve

Khaine

Member

Reaction score: 4
Messages: 59

Hi,

I am using ids-tools to read unified2 log files from security/snort and output events as JSON. I've written a rc.d script to start ids-tools at start-up but it doesn't appear to work.

This is the rc.d script I've drafted. I am terrible at shell scripting. Could someone help me debug the script and get it to work?

Code:
#!/bin/sh

# PROVIDE: u2eve
# REQUIRE: DAEMON
# BEFORE: LOGIN
# KEYWORD: shutdown

. /etc/rc.subr

name="u2eve"
rcvar="u2eve_enable"
load_rc_config $name

: ${u2eve_enable:="NO"}

# daemon

start_precmd=u2eve_enable_prestart
command=/usr/sbin/daemon

pidfile="/var/run/${name}"
command_args="-rP ${pidfile} /usr/local/bin/idstools-u2eve --directory /var/log/snort/ --snort-conf /usr/local/etc/snort/snort.conf --prefix snort.alert --follow --bookmark --delete --output /var/log/snort/snort.json"


Many thanks

Khaine

SirDice

Administrator
Staff member
Moderator

Reaction score: 12,346
Messages: 38,863

Code:
start_precmd=u2eve_enable_prestart

Adding this means you need to create a function called u2eve_enable_prestart, which you don't have. Typically you use the precmd to test if the configuration is valid or not. If you don't have that function, remove the line.

Khaine

Member

Reaction score: 4
Messages: 59

Code:
start_precmd=u2eve_enable_prestart

Adding this means you need to create a function called u2eve_enable_prestart, which you don't have. Typically you use the precmd to test if the configuration is valid or not. If you don't have that function, remove the line.

That makes sense. I've embedded the configuration within the rc.d script and as such have removed that line, however the script still doesn't work.

SirDice

Administrator
Staff member
Moderator

Reaction score: 12,346
Messages: 38,863

Does the script produce syntax errors or does it simply not do what you want? To find what it's doing run it like this: sh -x /usr/local/etc/rc.d/u2eve start. The -x will cause the shell to print everything giving you some insights into what it's doing.

Khaine

Member

Reaction score: 4
Messages: 59

Thank you so much for your help. Using sh -x I managed to figure out a number of my errors (including not having run_rc_command "$1") and it now works :). I've replicated my corrected version below for reference in case anyone else is looking to push snort logs into ELK.

Code:
#!/bin/sh

# PROVIDE: idstools-u2json
# REQUIRE: DAEMON
# BEFORE: LOGIN
# KEYWORD: shutdown

. /etc/rc.subr


name="u2json"
rcvar="${name}_enable"
load_rc_config $name

: ${u2json_enable:="NO"}
: ${u2json_config:="--directory /var/log/snort/ --snort-conf /usr/local/etc/snort/snort.conf --prefix snort.alert --follow --delete --output /var/log/snort/snort.json"}

# daemon
start_precmd=u2json_prestart
command=/usr/sbin/daemon
pidfile="/var/run/${name}"
command_args="-rP ${pidfile} /usr/local/bin/idstools-u2json ${u2json_config}"

u2json_prestart() {
    # Have to empty rc_flags so they don't get passed to daemon(8)
    rc_flags=""
}

run_rc_command "$1"
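SirDice's point above is that start_precmd is usually where the configuration gets validated. The following is an added example, not code from the thread, of such a prestart for the u2json script: it checks the files the converter needs before daemon(8) is launched and still clears rc_flags. The variable names, their defaults (taken from the command line in the thread) and the helper names u2json_fail and u2json_check_config are this example's own; /etc/rc.subr is deliberately not sourced so the file also runs outside rc(8).

```shell
#!/bin/sh
# Added example: configuration check for the u2json rc.d script.
# Defaults mirror the thread's command line; override them in rc.conf
# as u2json_bin, u2json_directory, u2json_snort_conf, u2json_output.
: ${u2json_bin:="/usr/local/bin/idstools-u2json"}
: ${u2json_directory:="/var/log/snort"}
: ${u2json_snort_conf:="/usr/local/etc/snort/snort.conf"}
: ${u2json_output:="/var/log/snort/snort.json"}

# Report a problem on stderr. Inside a real rc.d script rc.subr's
# err 1 "..." does this and aborts; a plain echo keeps this file
# runnable without /etc/rc.subr.
u2json_fail() {
    echo "u2json: $*" >&2
}

# Exit status 0 when every file the daemon needs is present and usable,
# 1 (with the reason on stderr) otherwise.
u2json_check_config() {
    if [ ! -x "$u2json_bin" ]; then
        u2json_fail "missing executable $u2json_bin"; return 1
    fi
    if [ ! -d "$u2json_directory" ]; then
        u2json_fail "unified2 directory $u2json_directory not found"; return 1
    fi
    if [ ! -r "$u2json_snort_conf" ]; then
        u2json_fail "cannot read $u2json_snort_conf"; return 1
    fi
    u2json_outdir=$(dirname "$u2json_output")
    if [ ! -d "$u2json_outdir" ] || [ ! -w "$u2json_outdir" ]; then
        u2json_fail "cannot write JSON output into $u2json_outdir"; return 1
    fi
    return 0
}

# start_precmd: rc(8) skips the start when this returns non-zero.
u2json_prestart() {
    # Empty rc_flags so ${name}_flags are not handed to daemon(8) itself
    rc_flags=""
    u2json_check_config
}
```

In the script above this replaces the u2json_prestart function, with command_args built from the same four variables so the check and the command line cannot drift apart.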