[logs] rsyslog email alerting Apr 08 2008 07:36PM
Rainer Gerhards (rgerhards@hq.adiscon.com)
[disclaimer: I am the rsyslog author]
Hi all:

When we are at new tools, I'd like to ask for some feedback on syslogd
email alerting. I have today released a version of rsyslog (3.17.0) that
has native email alerting capabilities. I have included it because a
couple of folks have asked for this feature and it was quickly done.

I have not yet really evaluated the potential use cases. However, I
think there are ample. I would be deeply interested in your feedback on
the relevance of such a feature to your work. Do you do email alerting?
If so, is it (near-)realtime? Do you prefer to use an external tool to
do it? Would the functionality provided by rsyslog be sufficient for
your needs? And, most importantly, what is missing?

I promise to listen very carefully and try to implement anything that is
doable and makes sense in the rsyslog context.

After my sig, I have included a brief config sample outlining some of the
functionality. The full (still brief) details can be found at


And, of course, feel free to forward any questions and comments to me :)


The following is a sample code snippet that alerts the operator when
disk problems are detected (based on a hypothetical "hard disk fatal
failure" syslog message):

# load the email output module
$ModLoad ommail
$ActionMailSMTPServer mail.example.net
$ActionMailFrom rsyslog@example.net
$ActionMailTo operator@example.net
$template mailSubject,"disk problem on %hostname%"
$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
# make sure we receive a mail only once in six
# hours (21,600 seconds ;))
$ActionExecOnlyOnceEveryInterval 21600
# the if ... then ... mailBody must be on one line!
if $msg contains 'hard disk fatal failure' then :ommail:;mailBody

Note that rsyslog has the ability to limit an action to be executed only
once inside a specific period. In the above sample, the email alert
happens only if there was no other such alert within the past 6 hours -
this is absolutely vital to prevent an accidental DoS on your mailbox ;)
... but it may also be handy with other actions (e.g. SNMP trap
notification etc etc).

LogAnalysis mailing list
LogAnalysis@loganalysis.org
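The following is an added example, not code from the post or from rsyslog itself: a small Python simulation of the rule in the sample config, run over a handful of constructed BSD-style syslog lines. It matches the same 'hard disk fatal failure' substring, renders the same subject and body templates, and applies the "once every 21,600 seconds" suppression. The default mode mirrors rsyslog's $ActionExecOnlyOnceEveryInterval, which is a single timer for the whole action (so a second host's failure inside the window is swallowed too); the per_host flag is an added generalization, not an rsyslog option, to show what keying the interval per host would change. The year, the log lines and the hostnames are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (BSD syslog format); not taken from any real system.
SAMPLE_LOG = """\
Apr 08 19:36:01 web1 kernel: sd 0:0:0:0: hard disk fatal failure, sector 1234
Apr 08 19:36:05 web1 kernel: sd 0:0:0:0: hard disk fatal failure, sector 1240
Apr 08 19:40:00 web1 sshd[2201]: Accepted publickey for deploy
Apr 08 21:00:00 db1 kernel: hard disk fatal failure on /dev/sdb
Apr 09 02:00:00 web1 kernel: hard disk fatal failure, sector 9
"""

PATTERN = "hard disk fatal failure"          # same substring as the config's "contains" test
INTERVAL = timedelta(seconds=21600)          # $ActionExecOnlyOnceEveryInterval 21600
ASSUMED_YEAR = 2008                          # BSD syslog timestamps carry no year (assumption)

# "<Mon DD HH:MM:SS> <host> <rest>"; <rest> includes the tag, unlike rsyslog's %msg%
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")


def parse_line(line, year=ASSUMED_YEAR):
    """Return (timestamp, host, msg) for a BSD syslog line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["host"], m["msg"]


def render_alert(host, msg):
    """Render the mailSubject and mailBody templates from the sample config."""
    subject = f"disk problem on {host}"
    body = f"RSYSLOG Alert\r\nmsg='{msg}'"
    return subject, body


def run_alerts(log_text, interval=INTERVAL, pattern=PATTERN, per_host=False):
    """Replay log_text through the rule and return (alerts, suppressed_count).

    per_host=False: one suppression timer for the whole action (rsyslog behaviour).
    per_host=True:  one timer per originating host (added generalization).
    The simulation uses the message timestamp as the clock; rsyslog itself uses
    wall-clock time at the moment the action runs.
    """
    last_fired = {}            # key -> datetime of the last alert that was sent
    alerts, suppressed = [], 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if pattern not in msg:
            continue
        key = host if per_host else "action"
        last = last_fired.get(key)
        if last is not None and ts - last < interval:
            suppressed += 1   # inside the window: the action is skipped
            continue
        last_fired[key] = ts
        subject, body = render_alert(host, msg)
        alerts.append((ts, subject, body))
    return alerts, suppressed


if __name__ == "__main__":
    for mode in (False, True):
        sent, dropped = run_alerts(SAMPLE_LOG, per_host=mode)
        print(f"per_host={mode}: {len(sent)} alert(s) sent, {dropped} suppressed")
        for ts, subject, body in sent:
            print(f"  {ts:%b %d %H:%M:%S}  {subject!r}  {body!r}")
```

Running it shows the trade-off the post hints at: with the single action-wide timer, the db1 failure at 21:00 is suppressed because web1 already triggered a mail 84 minutes earlier, so a mailbox that is protected from a flood can also miss a second machine failing in the same window.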
