Sending email via syslog-ng

camry · 06-30-2009, 06:31 AM

Hi friends
I have syslog-ng installed in RHEL5 server, I make it as CEntral log for all servers in my network, Filtered by IP
Now What I want to do is make it send to me an email for a specific log for one of my server, In other word when any log sent from this IP (192.168.1.1 ) For example to send me email with this new log value to myemail@mydomain.com
The following is the part of configuration for my syslog-ng.conf that related with remote servers.
=============================================

source s_remote {
tcp(ip(0.0.0.0) port(514));
udp(ip(0.0.0.0) port(514));
};

destination d_separatedbyhosts {
file("/var/log/syslog-ng/servers/$HOST/$FACILITY.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};

log { source(s_remote); destination(d_separatedbyhosts); };
===============================================

Thanks
Best Regards
Reaky

zhjim · 06-30-2009, 07:12 AM

Something like this should do the trick. Just create a filter that matches the ip address of the server you want to be noted about.

de

Code:

stination syslogmail { program("/usr/sbin/syslogmail produktivsystem you@yourhost.org"); };
log { source(src); filter(f_warn); destination(syslogmail); };

Just for the cause: did you check out the manual?
http://www.balabit.com/dl/guides/sys...e-admin-en.pdf

Cheers zhjim

camry · 07-01-2009, 07:24 AM

This is v nice
But could you please give me an example for the mail script /usr/sbin/syslogmail as I'm not v good in programming.

Thanks for your help

camry · 07-01-2009, 08:05 AM

Dear I got Example for this perl script as the following:
=============================================
#!/usr/bin/perl -n
# thanks to Brian Dowling for an example with security in mind.

$TO = 'email@dot.com';
$FROM = $TO;

s/^<\d{1,2}>//;

open(MAIL, "|/usr/sbin/sendmail -t");

print MAIL <<"EOT";
To: $TO
From: $FROM
Subject: Log Alert: $_

$_

EOT

close(MAIL);
=============================================

But there's just small question, Is theis filter (f_warn) will send every ne
This is What I wrote in the configuration, Ihope I woted it in right way, I'll test and inform you with the results
==============
#Filtration
destination syslogmail { program("/usr/local/bin/syslog-mail-perl"); };
# find messages, and send to the mail-alert script
log { source(163.121.189.131); filter(f_warn); destination(syslogmail); };
==============

Thanks

camry · 07-01-2009, 08:29 AM

I think this will not work with syslog V3, there's something missing, It faild to start and gave me the following error:

WARNING: file source: default value of follow_freq in file sources is changing in 3.0 to '1' for all files except /proc/kmsg;
Error in configuration, unresolved source reference; source='10.0.0.15'

camry · 07-02-2009, 03:17 AM

Dear I still have a problem, the following is my configuration file that realated with remote IP's

======================================================================================
======================================================================================

# Remote logging
source s_remote {
tcp(ip(0.0.0.0) port(514));
udp(ip(0.0.0.0) port(514));
};

destination d_separatedbyhosts {
file("/var/log/syslog-ng/servers/$HOST/$FACILITY.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};

log { source(s_remote); destination(d_separatedbyhosts); };

#==============================================================
#Filtration for SME Alerts
source s_remote {
tcp(ip(10.0.0.15) port(514));
udp(ip(10.0.0.15) port(514));
};

destination syslogmail { program("/usr/local/bin/syslog-mail-perl"); };
log { source(r_remote); destination(syslogmail); };

#======================================================================================
#======================================================================================
The first part is the original for all remote IP's and It's working good
The second is the part of the IP that I want to filter
When I restart It gave m ethe following error

WARNING: file source: default value of follow_freq in file sources is changing in 3.0 to '1' for all files except /proc/kmsg;
Error in configuration, unresolved source reference; source='r_remote'

Could u please help me in that
Thanks

zhjim · 07-02-2009, 04:18 AM

[QUOTE=camry

log { source(s_remote); destination(d_separatedbyhosts); };

log { source(r_remote); destination(syslogmail); };
[/QUOTE]

You have a typo. The first log line contains s_remote and the second r_remote. I guess the r_remote source is not defined.

camry · 07-06-2009, 07:43 AM

Dears

It solved now with the following
===============================================
source sme {file (/var/log/syslog-ng/servers/172.31.250.68/local7.log); };

destination maillog { program ("/usr/local/bin/syslog-mail-perl" );
};
log {source(sme); destination(maillog); };
===============================================

Using the perl script:
+++++++++++++++++++++++++++++++++++=
#!/usr/bin/perl -n
# thanks to Brian Dowling for an example with security in mind.

$TO = 'reaky@domain.com';
$FROM = $TO;

s/^//;

open(MAIL, "|/usr/sbin/sendmail -t");

print MAIL "EOT";
To: $TO
From: $FROM
Subject: SME Log Alert: $_

$_

EOT

close(MAIL);
+++++++++++++++++++++++++++++++++++++++

But there's still small problem that It worked very fine when I send to root user in the machine, But when I tried to send to outside I found that I must restart syslog every time to send the mails to sendmail, In another word it buffer the emails tell I restart syslog-ng then It forwerd it to send mail and can see it in the mail log.
Do you have any idea for that ?
Thanks

zhjim · 07-08-2009, 03:19 AM

I had a similar thing with syslog-ng v2. It seems to me that syslog-ng buffers the program once it started. So if you change part of your shell script you have to tell syslog-ng about it. Only way I know about is a restart or maybe a sig HUP to the syslog-ng process.