Filter syslog messages then send an email

From Internetworkpro


Below is a configuration file for syslog-ng and a script which together send emails based on specified criteria. This is not a replacement for any monitoring system; use syslog-ng how you wish. I like emails of failed login attempts and of critical and alert level messages.

Here is a great tutorial on how to install syslog-ng, log to a database, and install a web front-end. There are other front-end syslog systems; this is just the one I tried. I like it: it has decent search capabilities and a simple display.

syslog-ng with php front-end

They left out creating the named pipe for the database in their startup / 'check if named pipe exists' script. I added "mkfifo /tmp/mysql.pipe" to the top of the script.

Here is the portion of the syslog-ng configuration for email:

# this is syslog-ng's configuration file
# a log statement ties a source, a filter and a destination together
source s_network {
    udp();
};

# each matching message is written, one per line, to this script's stdin
destination d_mail {
    program("/etc/syslog-ng/syslogemail.sh");
};

# only critical and alert level messages
filter f_highl {
    level(crit,alert);
};

# this is what strings source, filter and destination together
log {
    source(s_network);
    filter(f_highl);
    destination(d_mail);
};

You will want to make sure your mail client can send mail. The variable var is set to the IP / DNS name of the device sending the log (the fourth field of the line syslog-ng hands to the script).

Here is the script that takes input from syslog-ng and sends mail:

#!/bin/bash -x
# -x traces every command to stderr; drop it once the script works.
# syslog-ng starts this once and feeds it one event per line on stdin.
while IFS= read -r line; do
      # field 4 is the sending device; awk copes with the double space in
      # single-digit days ("Jan  5 ..."), which cut -d' ' counts as an empty field
      var=$(printf '%s\n' "$line" | awk '{print $4}')
      #printf "line: %s, var: %s\n" "$line" "$var" >> /tmp/mylog
      printf '%s\n' "$line" | /usr/bin/mailx -s "log notification $var" test@nowhere.com
done

Here is another script that sends the email in a slightly different way: this example suppresses out-of-office auto-replies and marks the email as high importance.

#!/bin/bash
# Builds a complete message with headers and hands it to sendmail, which reads
# the recipient from the To: header (-t).
while IFS= read -r line; do
        TMPFILE=$(mktemp)
        # sending device (field 4); not used below, add it to the Subject if wanted
        var=$(printf '%s\n' "$line" | awk '{print $4}')
        # the header block must end in a truly empty line, not a line holding a space
        cat <<EOF > "$TMPFILE"
To: noc@mycompany.com
Subject: Network device event
Content-Type: text/plain
X-Priority: 1
X-MSMail-Priority: High
Importance: high
X-Auto-Response-Suppress: DR, OOF, AutoReply

$line
EOF
        sendmail -t < "$TMPFILE"
        rm -f "$TMPFILE"
done
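A handler written as an added example (not the wiki's own script) that does the same job as the two scripts above but parses the line it is given and keeps a small state file so a device that keeps logging the same critical event does not flood the inbox with one mail per line. It assumes syslog-ng's default line format ("Mon DD HH:MM:SS host prog[pid]: msg"); the recipient, state file path, 300 second window and the SAMPLE line are constructed values.

```shell
#!/bin/bash
# Added example, not the wiki's own script: a syslog-ng program() handler that
# parses each line it is given and suppresses repeat mails for the same host and
# program, so one flapping device cannot flood the inbox. Assumes syslog-ng's
# default line format "Mon DD HH:MM:SS host prog[pid]: msg"; the recipient,
# state file, 300 s window and SAMPLE line are constructed/assumed values.
RECIPIENT=${RECIPIENT:-noc@example.com}
STATE_FILE=${STATE_FILE:-/var/tmp/syslog-notify.state}
SAMPLE='Jan  5 10:15:02 core-sw1 sshd[1234]: Failed password for admin from 203.0.113.9'
# Host is the 4th whitespace-separated field; awk collapses the double space of
# single-digit days ("Jan  5"), which "cut -d' ' -f4" counts as an empty field.
syslog_host() { printf '%s\n' "$1" | awk '{print $4}'; }
# 5th field is "program[pid]:" (or just "program:"); strip the pid and colon.
syslog_program() {
    p=$(printf '%s\n' "$1" | awk '{print $5}')
    p=${p%%\[*}
    printf '%s\n' "${p%:}"
}
# should_notify HOST PROGRAM WINDOW STATEFILE NOW -> 0 if a mail may go out.
# STATEFILE holds "host program epoch" lines; the last line per key wins.
should_notify() {
    touch "$4"
    last=$(awk -v k="$1 $2" '($1 " " $2) == k {t = $3} END {print t + 0}' "$4")
    if [ $(( $5 - last )) -ge "$3" ]; then
        printf '%s %s %s\n' "$1" "$2" "$5" >> "$4"
        return 0
    fi
    return 1
}
# build_message RECIPIENT HOST PROGRAM LINE -> message for "sendmail -t". Headers
# must end in a truly empty line; a space-only line is read as a folded header.
build_message() {
    printf 'To: %s\nSubject: [syslog] %s %s\nX-Auto-Response-Suppress: DR, OOF, AutoReply\n\n%s\n' \
        "$1" "$2" "$3" "$4"
}
# syslog-ng writes one event per line on stdin; the loop ends when it closes the pipe.
notify_loop() {
    while IFS= read -r line; do
        host=$(syslog_host "$line"); prog=$(syslog_program "$line")
        if should_notify "$host" "$prog" 300 "$STATE_FILE" "$(date +%s)"; then
            build_message "$RECIPIENT" "$host" "$prog" "$line" | sendmail -t
        fi
    done
}
case "${1-}" in
    run)  notify_loop ;;                                   # as the destination
    demo) build_message "$RECIPIENT" "$(syslog_host "$SAMPLE")" \
              "$(syslog_program "$SAMPLE")" "$SAMPLE" ;;   # print, do not send
esac
```

Point syslog-ng's program() destination at `script.sh run`; `script.sh demo` prints the message that would be built for the sample line without sending anything.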