LogAnalysis
[logs] rsyslog email alerting Apr 08 2008 07:36PM
Rainer Gerhards (rgerhards hq adiscon com) (2 replies)
Re: [logs] rsyslog email alerting Apr 09 2008 03:56AM
Jason Haar (Jason Haar trimble co nz) (2 replies)
RE: [logs] rsyslog email alerting Apr 09 2008 06:54AM
Rainer Gerhards (rgerhards hq adiscon com)
RE: [logs] rsyslog email alerting Apr 09 2008 04:17AM
Clayton Dukes (cdukes) (cdukes cisco com)
Re: [logs] rsyslog email alerting Apr 09 2008 02:58AM
Harry Hoffman (hhoffman ip-solutions net)
Hi Rainer,

One of the things we do on an everyday basis is combine syslog with
swatch/sec to do email/(cell phone/pager) email address notices.

It's important to note that each type of device has a different max
length when dealing with messages.

To be honest more and more we allow nagios to handle the messages and
make the choice as when to escalate.

HTH.

Cheers,
Harry

Rainer Gerhards wrote:
> [disclaimer: I am the rsyslog author]
> Hi all:
>
> When we are at new tools, I'd like to ask for some feedback on syslogd
> email alerting. I have today released a version of rsyslog (3.17.0) that
> has native email alerting capabilities. I have included it because a
> couple of folks have asked for this feature and it was quickly done.
>
> I have not yet really evaluated the potential use cases. However, I
> think there are ample. I would be deeply interested in your feedback on
> the relevance of such a feature to your work. Do you do email alerting?
> If so, is it (near-)realtime? Do you prefer to use an external tool to
> do it? Would the functionality provided by rsyslog be sufficient for
> your needs? And, most importantly, what is missing?
>
> I promise to listen very carefully and try to implement anything that is
> doable and makes sense in the rsyslog context.
>
> After my sig, I have included a brief config sample outlining some of the
> functionality. The full (still brief) details can be found at
>
> http://www.rsyslog.com/doc-ommail.html
>
> And, of course, feel free to forward any questions and comments to me :)
>
> Thanks,
> Rainer
>
> The following is a sample code snippet that alerts the operator when
> disk problems are detected (based on a hypothetical "hard disk fatal
> failure" syslog message):
>
> $ModLoad ommail
> $ActionMailSMTPServer mail.example.net
> $ActionMailFrom rsyslog@example.net
> $ActionMailTo operator@example.net
> $template mailSubject,"disk problem on %hostname%"
> $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
> $ActionMailSubject mailSubject
> # make sure we receive a mail only once in six
> # hours (21,600 seconds ;))
> $ActionExecOnlyOnceEveryInterval 21600
> # the if ... then ... mailBody must be on one line!
> if $msg contains 'hard disk fatal failure' then :ommail:;mailBody
>
> Note that rsyslog has the ability to limit an action to be executed only
> once inside a specific period. In the above sample, the email alert
> happens only if there was no other such alert within the past 6 hours -
> this is absolutely vital to prevent an accidental DoS on your mailbox ;)
> ... but it may also be handy with other actions (e.g. SNMP trap
> notification etc etc).
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@loganalysis.org
> http://www.loganalysis.org/mailman/listinfo/loganalysis
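The once-per-interval suppression that Rainer's sample config relies on is easy to misjudge when you only read the config, so here is an added example (not code from the original post or from rsyslog) that models the rule over a few constructed syslog lines: the action fires only if the previous execution was at least the interval ago, and the interval is tracked per action, not per host. The `max_len` parameter is my own addition to illustrate Harry's point about per-device message limits.

```python
import re
from datetime import datetime

# Constructed RFC 3164 style lines (not from the original post).
SAMPLE_LOG = """\
Apr  9 03:00:01 db01 kernel: hard disk fatal failure on sda
Apr  9 03:00:05 db01 kernel: hard disk fatal failure on sda
Apr  9 04:30:00 db01 sshd[212]: Accepted publickey for ops from 10.0.0.5
Apr  9 09:00:02 db01 kernel: hard disk fatal failure on sdb
Apr  9 09:00:09 web02 kernel: hard disk fatal failure on sda
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
INTERVAL = 21600          # seconds, as in the sample config
MATCH = "hard disk fatal failure"

def parse(line, year=2008):
    """Split a syslog line into (timestamp, hostname, message).
    Simplification: 'message' keeps the program tag (e.g. 'kernel: ')."""
    ts, host, msg = LINE_RE.match(line).groups()
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return when, host, msg

def render(host, msg, max_len=None):
    """Fill the mailSubject / mailBody templates from the sample config;
    max_len (hypothetical) truncates the body for short-message devices."""
    subject = f"disk problem on {host}"
    body = f"RSYSLOG Alert\r\nmsg='{msg}'"
    if max_len is not None:
        body = body[:max_len]
    return subject, body

def alerts(log, interval=INTERVAL, max_len=None):
    """Return (mails_sent, suppressed_count) for the log, applying the
    'execute only once every interval' rule across all matching lines."""
    last_sent = None
    sent, suppressed = [], 0
    for line in log.splitlines():
        when, host, msg = parse(line)
        if MATCH not in msg:
            continue
        if last_sent is not None and (when - last_sent).total_seconds() < interval:
            suppressed += 1      # same action, still inside the window
            continue
        last_sent = when
        sent.append(render(host, msg, max_len))
    return sent, suppressed
```

With the sample data only two mails go out: the second db01 failure and the web02 failure are both swallowed by the window opened by an earlier alert, which is the trade-off between mailbox DoS protection and missing a second host's failure.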

Copyright 2010, SecurityFocus