Sending email on submission of some syslog-ng events
Posted by bennichols on Fri 25 Jan 2013 at 10:14
Several years ago, I implemented a centralized syslog-ng server for our Linux servers, switches, routers and firewalls. It worked very well, but I ran into situations where I would not be in front of my laptop but I wanted to be notified of something coming through.
Examples:
- Dial backups when a WAN link failed.
- File permissions on a cron file being wrong and cron failing.
There are three main parts of syslog-ng configuration: destinations, filters and logs.
Create the destination:
    destination d_sendpage {
        program(
            "/usr/local/bin/sendmessage.pl"
        );
    };
Create the filter:
    filter f_sendpage {
        message("UPDOWN: Interface Async") or
        message("BAD FILE MODE");
    };
Create the log:
    log {
        source(s_net);
        filter(f_sendpage);
        destination(d_sendpage);
    };
Create a script to email the message that looks like this or similar:
    #!/usr/bin/perl -w
    use strict;

    my ($fh, $in);
    my ($to, $from, $subject, $sendmail);

    $sendmail = "/usr/sbin/sendmail -t";
    $to       = "email\@example.com";
    $from     = "monitor\@example.com";
    $subject  = "Alert from syslog-ng ";

    # syslog-ng writes each matching message to this script's STDIN, one per line.
    $fh = \*STDIN;
    while ($in = <$fh>) {
        chomp($in);
        sendEmail($in);
    }

    ##############################################################################
    sub sendEmail {
        #
        # Send an email. The log message is used as both subject and body.
        #
        my ($body) = @_;
        $body = $subject . $body;

        open(SENDMAIL, "|$sendmail") or die "Couldn't open sendmail: $!\n";
        print SENDMAIL "To: $to\n",
                       "From: $from\n",
                       "Subject: $body\n",
                       "Content-type: text/plain\n\n",
                       "$body\n";
        close(SENDMAIL);
    }
    ##############################################################################
A simple call to mailx or bash would probably work as well.
Restart syslog-ng:
    /etc/init.d/syslog-ng restart
The end result is that messages matching our defined filter-patterns will be submitted by email.
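Because s_net carries text chosen by remote senders and a flapping interface can match the filter many times a minute, the handler can be hardened; the following is an added example, not part of the original post, written in shell since the article notes a shell script would also work. It keeps the untrusted log text out of the mail headers and throttles each alert class. Assumptions: the hypothetical path /usr/local/bin/sendmessage.sh started as program("/usr/local/bin/sendmessage.sh --run"), plus the names STATE_DIR, THROTTLE_SECS and the --run argument.

```shell
#!/bin/sh
# Added example, not the article's script. Assumed names: the addresses,
# STATE_DIR, THROTTLE_SECS and the --run argument are illustrative choices.
TO="email@example.com"
FROM="monitor@example.com"
SENDMAIL="/usr/sbin/sendmail -t"
THROTTLE_SECS=300     # at most one mail per alert class per 5 minutes
STATE_DIR="${STATE_DIR:-/var/lib/sendmessage}"   # assumed: owned by the syslog-ng user

# Map a log line to the f_sendpage pattern that it matched.
alert_class() {
    case "$1" in
        *"UPDOWN: Interface Async"*) echo updown ;;
        *"BAD FILE MODE"*)           echo badmode ;;
        *)                           echo other ;;
    esac
}

# Remove control characters (including a stray CR) and cap the length: the text
# comes from remote senders on s_net and must not be able to shape the mail.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -d '\000-\037\177' | LC_ALL=C cut -c1-200
}

# Return 0 if an alert of class $1 may be mailed at time $2 (epoch seconds).
should_send() {
    stamp="$STATE_DIR/$1.last"; last=0
    if [ -r "$stamp" ]; then read -r last < "$stamp"; fi
    if [ $(( $2 - last )) -lt "$THROTTLE_SECS" ]; then return 1; fi
    printf '%s\n' "$2" > "$stamp"
}

# Print a complete message for "sendmail -t". The Subject holds only the fixed
# class name; the untrusted log text appears in the body alone.
build_mail() {
    clean=$(sanitize "$1")
    printf 'To: %s\nFrom: %s\nSubject: Alert from syslog-ng [%s]\n' \
        "$TO" "$FROM" "$(alert_class "$clean")"
    printf 'Content-Type: text/plain\n\n%s\n' "$clean"
}

# syslog-ng keeps the program running and writes one message per line to stdin.
main() {
    umask 077; mkdir -p "$STATE_DIR" || exit 1
    while IFS= read -r line; do
        if should_send "$(alert_class "$line")" "$(date +%s)"; then
            build_mail "$line" | $SENDMAIL
        fi
    done
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Throttling per class means a second host raising the same alert inside the window is not mailed; it is still written to whatever other destinations the log path has.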
Since I don't want to register, just google yourself for "enumerating badness".