LogAnalysis
[logs] rsyslog email alerting Apr 08 2008 07:36PM
Rainer Gerhards (rgerhards hq adiscon com) (2 replies)
[disclaimer: I am the rsyslog author]
Hi all:

When we are at new tools, I'd like to ask for some feedback on syslogd
email alerting. I have today released a version of rsyslog (3.17.0) that
has native email alerting capabilities. I have included it because a
couple of folks have asked for this feature and it was quickly done.

I have not yet really evaluated the potential use cases. However, I
think there are ample. I would be deeply interested in your feedback on
the relevance of such a feature to your work. Do you do email alerting?
If so, is it (near-)realtime? Do you prefer to use an external tool to
do it? Would the functionality provided by rsyslog be sufficient for
your needs? And, most importantly, what is missing?

I promise to listen very carefully and try to implement anything that is
doable and makes sense in the rsyslog context.

Afer my sig, I have included a brief config sample outlining some of the
functionality. The full (still brief) details can be found at

http://www.rsyslog.com/doc-ommail.html

And, of course, feel free to forward any questions and comments to me :)

Thanks,
Rainer

The following is a sample code snippet that alerts the operator when
disk problems are detected (based on a hypothetical "hard disk fatal
failure" syslog message):

$ModLoad ommail
$ActionMailSMTPServer mail.example.net
$ActionMailFrom rsyslog (at) example (dot) net [email concealed]
$ActionMailTo operator (at) example (dot) net [email concealed]
$template mailSubject,"disk problem on %hostname%"
$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
# make sure we receive a mail only once in six
# hours (21,600 seconds ;))
$ActionExecOnlyOnceEveryInterval 21600
# the if ... then ... mailBody mus be on one line!
if $msg contains 'hard disk fatal failure' then :ommail:;mailBody

Note that rsyslog has the ability to limit an action to be executed only
once inside a specific period. In the above sample, the email alert
happens only if there was no other such alert within the past 6 hours -
this is absolutely vital to prevent an accidental DoS on your mailbox ;)
... but it may also be handy with other actions (e.g. SNMP trap
notification etc etc).

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis

[ reply ]
Re: [logs] rsyslog email alerting Apr 09 2008 03:56AM
Jason Haar (Jason Haar trimble co nz) (2 replies)
RE: [logs] rsyslog email alerting Apr 09 2008 06:54AM
Rainer Gerhards (rgerhards hq adiscon com)
RE: [logs] rsyslog email alerting Apr 09 2008 04:17AM
Clayton Dukes (cdukes) (cdukes cisco com)
Re: [logs] rsyslog email alerting Apr 09 2008 02:58AM
Harry Hoffman (hhoffman ip-solutions net)


 

Privacy Statement
Copyright 2010, SecurityFocus