reaky | Sending emails via syslog-ng

Hi friends, I have syslog-ng installed on a RHEL5 server; I made it the central log for all servers in my network, filtered by IP. Now what I want to do is make it send me an email for a specific log from one of my servers. In other words, when any log is sent from this IP (192.168.1.1), for example, send me an email with this new log value to myemail@mydomain.com. The following is the part of the configuration in my syslog-ng.conf that relates to remote servers.
=============================================
source s_remote { tcp(ip(0.0.0.0) port(514)); udp(ip(0.0.0.0) port(514)); };
destination d_separatedbyhosts { file("/var/log/syslog-ng/servers/$HOST/$FACILITY.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
log { source(s_remote); destination(d_separatedbyhosts); };
===============================================
Thanks, Best Regards, Reaky
Reply to reaky: I do this with a syslog-ng filter expression, a new destination as a FIFO, and some Perl script that reads the FIFO and uses Mail::Mailer to send an email.
I can share this code if you wish.
reaky: Thanks for your reply. Could you please share this filtration and code? Thanks
Reply to reaky: Snippet from syslog-ng.conf
options {
#Jan 11, 2007
#Do not use DNS, too much info being sent to perform rDNS/DNS lookups!
use_fqdn(no);
use_dns(no);
#Misc
keep_hostname(yes);
long_hostnames(off);
chain_hostnames(no);
check_hostname(no);
log_msg_size(4096);
stats(60);
flush_lines(1000);
flush_timeout(30);
};
source src {
pipe("/proc/kmsg");
unix-stream("/dev/log");
internal();
udp();
tcp(port(514) keep-alive(yes));
};
destination host_fifo {
file("/syslog_fifos/host_fifo" sync(1));
};
filter f_host {
match("192.168.1.1");
};
log {
source(src);
filter(f_host);
destination(host_fifo);
};
The Perl code that does the FIFO read:
#!/usr/bin/perl -w
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Watch FIFO and email data
# SirMeowmixIII
# Jul 01, 2009
use Mail::Mailer;
use POSIX qw(setsid);
&daemonize;
#Loop forever.
while(1){
&read_fifo();
sleep(15);
}
sub daemonize {
chdir '/' or die "Can't chdir to /: $!";
open STDIN, '/dev/null' or die "Can't read /dev/null: $!";
open STDOUT, '>>/dev/null' or die "Can't write to /dev/null: $!";
open STDERR, '>>/dev/null' or die "Can't write to /dev/null: $!";
defined(my $pid = fork) or die "Can't fork: $!";
exit if $pid;
setsid or die "Can't start a new session: $!";
umask 0;
}
sub error_handler(){ #If an error, sleep for 15 seconds and try again instead of doing a 'die'.
#Name must match the call in read_fifo() (the original post spelled it 'error_hander').
print($_[0]);
sleep(15);
return;
}
sub do_alert(){
$from_address = 'sender@senderdomain.com';
$to_address = 'recipient@destination.com';
$subject = "Message Subject";
$body = $_[0] . "\n";
$mailer = Mail::Mailer->new();
$mailer->open({ From => $from_address,To => $to_address, Subject => $subject}) or die "Can't open: $!\n";
print $mailer $body;
$mailer->close();
print localtime(time()) . $_[0] . "\n";
}
sub read_fifo(){
#Grab the PIPE. Use low-precedence 'or': with '||' the handler would never run,
#because '||' binds to the file name string rather than to open()'s result.
#Opening blocks until syslog-ng opens the write end; on failure report and return.
open(ISA_FIFO, "< /syslog_fifos/host_fifo") or return &error_handler("Cannot open FIFO pipe\n");
while(<ISA_FIFO>){
&do_alert($_);
}
close(ISA_FIFO); #EOF arrives when syslog-ng closes its end; the main loop reopens after 15 seconds.
print "*** FIFO CLOSED ***\n";
return 0;
}
reaky: Dear SirMeowmix_III, I took some of your idea and modified it, and used the following:
=======================================================
source sme { file("/var/log/syslog-ng/servers/172.31.250.68/local7.log"); };
destination maillog { program("/usr/local/bin/syslog-mail-perl"); };
log { source(sme); destination(maillog); };
=======================================================
And the perl script like the following:
+++++++++++++++++++++++++++++++++++
#!/usr/bin/perl -n
# thanks to Brian Dowling for an example with security in mind.
# -n wraps the body in a loop over stdin, so this runs once per log line that syslog-ng writes.
$TO = 'reaky@domain.com'; $FROM = $TO;
chomp;   # drop the trailing newline so the log line stays on the Subject line
open(MAIL, "|/usr/sbin/sendmail -t") or die "Cannot run sendmail: $!";
print MAIL <<"EOT";
To: $TO
From: $FROM
Subject: SME Log Alert: $_

$_
EOT
close(MAIL);
+++++++++++++++++++++++++++++++++++++++
When I tried to send emails I found that I must restart syslog-ng every time to send the mails to sendmail. In other words it buffers the emails until I restart syslog-ng; then it forwards them to sendmail and I can see them in the mail log. Do you have any idea about that? Thanks
reaky: Dear SirMeowmix_III, I tried the configuration like you sent, as the following:
#=================================================================
# Remote logging
source src { pipe("/proc/kmsg"); unix-stream("/dev/log"); tcp(ip(0.0.0.0) port(514)); udp(ip(0.0.0.0) port(514)); };
destination maillog { program("/syslog_fifos/host_fifo" flush_lines(1)); };
filter f_host { match("172.31.250.68"); };
log { source(src); filter(f_host); destination(maillog); };
#==================================================================
But when I restart it gave me the following note:
WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;
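As an added example (not reaky's or SirMeowmixIII's code), here is the program() destination reader from the last two posts written in Python instead of Perl, with constructed addresses and script path; it pairs with flush_lines(1) on the destination as in reaky's last config, strips control characters before log text reaches the Subject so sendmail -t cannot be handed extra headers, and caps the alert rate so one noisy host cannot flood the mailbox.

```python
# Added example, not code from the thread: a reader for a syslog-ng program() destination
# that mails each matching log line.  Addresses and the script path are assumed.  The
# syslog-ng side would be, without the deprecated bare match():
#   filter f_host { netmask("172.31.250.68/32"); };
#   destination d_mail { program("python3 -u /usr/local/bin/syslog-mail.py" flush_lines(1)); };
import re, subprocess, sys, time
from email.message import EmailMessage
TO_ADDR, FROM_ADDR = "alerts@example.com", "syslog-ng@example.com"  # assumed addresses
SENDMAIL = "/usr/sbin/sendmail"       # MTA path, as used in the thread
MAX_ALERTS_PER_MIN = 10               # cap so one chatty host cannot cause a mail storm
# Default syslog-ng file/program template: "Jan 11 10:22:33 host prog[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")

def parse_line(line):
    """Split one syslog line into ts/host/rest; None when it does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None

def build_alert(line):
    """Email for one line; control characters are stripped from the subject so
    log content cannot inject extra headers when sendmail -t parses the message."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    summary = re.sub(r"[\x00-\x1f\x7f]", " ", parsed["rest"])[:80]
    msg = EmailMessage()
    msg["To"], msg["From"] = TO_ADDR, FROM_ADDR
    msg["Subject"] = f"Log alert from {parsed['host']}: {summary}"
    msg.set_content(line.rstrip("\r\n") + "\n")
    return msg

class AlertLimiter:
    """Allow at most `limit` alerts per 60 s window; excess calls return False."""
    def __init__(self, limit, now=time.time):
        self.limit, self.now, self.window_start, self.sent = limit, now, None, 0

    def allow(self):
        t = self.now()
        if self.window_start is None or t - self.window_start >= 60:
            self.window_start, self.sent = t, 0
        self.sent += 1
        return self.sent <= self.limit
def main():
    limiter = AlertLimiter(MAX_ALERTS_PER_MIN)
    for line in sys.stdin:  # one message per line; -u keeps stdio from delaying alerts
        msg = build_alert(line)
        if msg is not None and limiter.allow():
            subprocess.run([SENDMAIL, "-t", "-i"], input=msg.as_bytes(), check=False)
if __name__ == "__main__":
    main()
```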