Sending email on submission of some syslog-ng events

Posted by bennichols on Fri 25 Jan 2013 at 10:14

Several years ago, I implemented a centralized syslog-ng server for our Linux servers, switches, routers and firewalls. It worked very well, but I ran into situations where I would not be in front of my laptop but I wanted to be notified of something coming through.

Examples:

  • Dial backups when a WAN link failed.
  • File permissions on a cron file being wrong and cron failing.

Apart from a source, which here is the existing network listener s_net, an alert like this needs three parts of syslog-ng configuration: a destination, a filter and a log statement that ties them together.

Create the destination:

destination d_sendpage {
    program("/usr/local/bin/sendmessage.pl");
};

Create the filter:

filter f_sendpage {
    message("UPDOWN: Interface Async") or
    message("BAD FILE MODE");
};

Create the log:

log {
    source(s_net);
    filter(f_sendpage);
    destination(d_sendpage);
};

Create a script to email the message. syslog-ng starts the program once, keeps its stdin open and writes one formatted message per line for as long as the daemon runs, so the script loops over stdin rather than exiting after one message. Something like this works:

#!/usr/bin/perl -w
#
# Started once by the syslog-ng program() destination. syslog-ng keeps the
# pipe open and writes one message per line, so we loop on STDIN for the
# life of the daemon and send one mail per line we receive.

use strict;

my @sendmail = ("/usr/sbin/sendmail", "-t");   # argv list: no shell involved
my $to       = "email\@example.com";
my $from     = "monitor\@example.com";
my $subject  = "Alert from syslog-ng ";

while (my $in = <STDIN>) {
    chomp($in);
    sendEmail($in);
}

##############################################################################

sub sendEmail {
    #
    # Send one email; the log message becomes both subject and body.
    #
    my ($body) = @_;

    $body = $subject . $body;

    # The message came off the network, so keep CR/LF out of the header line.
    (my $header = $body) =~ s/[\r\n]/ /g;

    open(my $mail, '|-', @sendmail) or die "Couldn't open sendmail: $!\n";
    print $mail "To: $to\n",
                "From: $from\n",
                "Subject: $header\n",
                "Content-type: text/plain\n\n",
                "$body\n";
    close($mail) or warn "sendmail exited with status " . ($? >> 8) . "\n";
}

##############################################################################

A simple call to mailx or bash would probably work as well.

Check the configuration for syntax errors, then restart syslog-ng:

syslog-ng -s
/etc/init.d/syslog-ng restart

The end result is that messages matching our defined filter patterns will be sent by email. Note that this sends one email per matching message, so a flapping link or a cron job that fails every minute will produce a burst of mail.
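As an added example that is not part of the original post, here is a Python version of the program() destination script that also deals with the one-mail-per-message problem: it classifies each line against the same two patterns as f_sendpage, rate-limits each alert class within a sliding window, and strips control characters before log content goes into the Subject: header. The addresses, alert names, thresholds and sample log lines are assumptions, not taken from the original.

```python
#!/usr/bin/env python3
"""Rate-limited e-mail alerter for a syslog-ng program() destination.

syslog-ng starts the program once, keeps its stdin open and writes one
formatted message per line, so this loops over stdin for the life of the
daemon.  Added example; addresses, thresholds and alert names are assumed.
"""
import re
import subprocess
import sys
import time
from collections import deque

TO = "alerts@example.com"                # assumption
FROM = "monitor@example.com"             # assumption
SENDMAIL = ["/usr/sbin/sendmail", "-t"]  # argv list, no shell involved

# Same patterns as the f_sendpage filter, applied again here so the script
# can name the alert class and so a broader filter cannot mail everything.
PATTERNS = {
    "wan-dial-backup": re.compile(r"UPDOWN: Interface Async"),
    "cron-bad-file-mode": re.compile(r"BAD FILE MODE"),
}
MAX_PER_WINDOW = 5      # mails per alert class ...
WINDOW_SECONDS = 600    # ... per ten minutes (assumed thresholds)


def classify(line):
    """Return the alert class for a log line, or None if it matches nothing."""
    for name, rx in PATTERNS.items():
        if rx.search(line):
            return name
    return None


class RateLimiter:
    """Sliding window: at most max_per_window mails per class per window."""

    def __init__(self, max_per_window=MAX_PER_WINDOW, window=WINDOW_SECONDS):
        self.max_per_window = max_per_window
        self.window = window
        self.sent = {}  # class name -> deque of send timestamps

    def allow(self, name, now):
        stamps = self.sent.setdefault(name, deque())
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()        # forget sends that fell out of the window
        if len(stamps) >= self.max_per_window:
            return False
        stamps.append(now)
        return True


def sanitize_header(text, limit=120):
    """Replace control characters (CR/LF included) so untrusted log content
    cannot add header lines of its own, and keep the subject short."""
    cleaned = "".join(ch if 32 <= ord(ch) < 127 else " " for ch in text)
    return cleaned[:limit]


def build_mail(name, line):
    """Return the message text handed to sendmail -t."""
    subject = sanitize_header(f"Alert from syslog-ng [{name}]: {line}")
    return (f"To: {TO}\nFrom: {FROM}\nSubject: {subject}\n"
            f"Content-Type: text/plain; charset=utf-8\n\n{line}\n")


def send_mail(message):
    subprocess.run(SENDMAIL, input=message.encode("utf-8"), check=False)


def process(lines, limiter, now_fn=time.time, sender=send_mail):
    """Mail each matching line unless rate-limited. Returns (sent, suppressed)."""
    sent = suppressed = 0
    for raw in lines:
        line = raw.rstrip("\r\n")
        name = classify(line)
        if name is None:
            continue
        if limiter.allow(name, now_fn()):
            sender(build_mail(name, line))
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


# Constructed sample lines in the shape the two filter patterns expect
# (not real log data).
SAMPLE_LINES = [
    "Jan 25 10:14:01 rtr1 12: %LINK-3-UPDOWN: Interface Async1, changed state to up",
    "Jan 25 10:14:02 web1 cron[123]: (root) BAD FILE MODE (/etc/cron.d/backup)",
    "Jan 25 10:14:03 web1 sshd[456]: Accepted publickey for ops from 10.0.0.5",
]

if __name__ == "__main__":
    # Real use: syslog-ng feeds stdin and this loop runs until the daemon stops.
    process(sys.stdin, RateLimiter())
```

Point the destination at it with program("/usr/local/bin/sendmessage.py") and make the file executable; for a dry run, pipe a few lines into it from a shell and check the mail it produces. The sender and clock are injectable only so the logic can be exercised without sendmail; in production the defaults apply.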

Posted by algernon (213.253.xx.xx) on Fri 25 Jan 2013 at 11:12
For what it's worth, syslog-ng 3.4 (due in a week) will have built-in support for sending e-mail via SMTP, so alerting via email will become much simpler, and won't need an external perl script either.

[ Parent | Reply to this comment ]

Posted by Anonymous (212.222.xx.xx) on Fri 25 Jan 2013 at 11:20
Your solution sounds like "enumerating badness", which is a bad idea. I would use "logcheck". This way, I get a mail whenever something bad happens, even if I never thought about it before.

Since I don't want to register, just google yourself for "enumerating badness".

[ Parent | Reply to this comment ]

Posted by Anonymous (unknown) on Fri 25 Jan 2013 at 11:29
You may take a look at ossec; it is much better than this way IMHO.

-- AnhHK

[ Parent | Reply to this comment ]

Posted by Anonymous (212.110.xx.xx) on Thu 13 Feb 2014 at 21:48
Thanks,

this works perfectly.

[ Parent | Reply to this comment ]
