Hello all,
First off, I am not very Linux savvy. I don't have a lot of experience
other than a basic course. This is probably way past my knowledge, but I
really need to get it done. Appreciate any help you guys have to offer.
I am working on a Red Hat Enterprise 4 box and I am running the latest
edition of rsyslog. I currently have rsyslog configured to receive
messages remotely via UDP. I am trying to set it up so that it will send
out E-mail messages to the system admins based on the severity level of
the log files I am receiving. I would like it so that any device that
sends a log with a critical, alert, or emergency level facility will
send out an e-mail to a specific address.
Here is my rsyslog.conf file. I used the sample code from Rainer
Gerhards' configuration page. I tried sending a test syslog with 'hard
disk fatal failure' in it, but it is not sending out mail. Also tried
without the templates below thinking it would just send me an email for
every syslog that I received, but it doesn't appear to be sending mail.
Any thoughts on what I am doing wrong? I'm sure there is a lot I need to
do, so please let me know. Thanks!
$template mailSubject,"disk problem on %hostname%"
$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
I edited out the 3 lines below in the code for security reasons.
$ActionMailSMTPServer <ip of smtp server>
$ActionMailFrom <from address>
$ActionMailTo <my email>
Here is my code from rsyslog.conf below.
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance
# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.
$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # kernel logging (formerly provided by rklogd)
$ModLoad ommail
$template TraditionalFormatWithPRI,"%PRI-text%: %timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none -/var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* -/var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit -/var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#Catch all incoming syslog messages
*.* /var/log/catchall;TraditionalFormatWithPRI
# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
$WorkDirectory /rsyslog/spool # where to place spool files
$ActionQueueFileName uniqName # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @10.57.106.140:514
$ModLoad ommail
$ActionMailSMTPServer <ip of smtp server>
$ActionMailFrom <from address>
$ActionMailTo <my email>
$template mailSubject,"disk problem on %hostname%"
$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
# make sure we receive a mail only once in six
# hours (21,600 seconds ;))
$ActionExecOnlyOnceEveryInterval 21600
# the if ... then ... mailBody must be on one line!
if $msg contains 'hard disk fatal failure' then :ommail:;mailBody
# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
$ModLoad imtcp.so # load module
$InputTCPServerRun 514 # start up TCP listener at port 514
# UDP Syslog Server:
$ModLoad imudp.so # provides UDP syslog reception
$UDPServerRun 514 # start a UDP syslog server at standard port
--------------------------------------------------------
This e-mail, including any attachments, may be confidential, privileged or otherwise legally protected. If you have received this e-mail in error, or from someone who was not authorized to send it to you, do not disseminate, copy or otherwise use this e-mail or its attachments. Please notify the sender immediately if you have received this e-mail by mistake, and delete it from your system.
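A rule for the goal described in the message above (mail on critical, alert or emergency severity from any device), as an added example that is not part of the original post or of the rsyslog sample it quotes. The SMTP server, the addresses and the template names critSubject and critBody are placeholders, and the 300-second interval is an assumed value.

```conf
# Added example, not the poster's configuration.
# Load the mail output module once, before the rule that uses it.
$ModLoad ommail

# Placeholder relay and addresses; replace with real values.
$ActionMailSMTPServer 192.0.2.25
$ActionMailFrom rsyslog@example.com
$ActionMailTo admin@example.com

# Subject and body carry the severity and the sending host, so the
# recipient can tell which device raised the alert.
$template critSubject,"[%syslogseverity-text%] alert from %hostname%"
$template critBody,"RSYSLOG Alert: severity=%syslogseverity-text% fromhost=%fromhost% tag=%syslogtag% msg='%msg%'"
$ActionMailSubject critSubject

# At most one mail per interval (seconds). This also suppresses
# further alerts inside the window, so keep it short for critical events.
$ActionExecOnlyOnceEveryInterval 300

# Selector form: any facility, severity crit or higher
# (crit, alert, emerg). The action and its template stay on one line.
*.crit :ommail:;critBody

# Equivalent expression-based form (use one or the other, because the
# $ActionMail... settings above apply only to the next action):
# if $syslogseverity <= 2 then :ommail:;critBody
```

Because the UDP listener on port 514 accepts messages from any sender that can reach it, the interval setting also bounds how much mail a burst of forged critical messages can generate.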