[logs] rsyslog email alerting
Harry Hoffman
hhoffman at ip-solutions.net
Tue Apr 8 19:58:26 PDT 2008
Hi Rainer,
One of the things we do on an everyday basis is combine syslog with
swatch/sec to do email/(cell phone/pager) email address notices.
It's important to note that each type of device has a different max
length when dealing with messages.
To be honest more and more we allow nagios to handle the messages and
make the choice as to when to escalate.
HTH.
Cheers,
Harry
Rainer Gerhards wrote:
> [disclaimer: I am the rsyslog author]
> Hi all:
>
> When we are at new tools, I'd like to ask for some feedback on syslogd
> email alerting. I have today released a version of rsyslog (3.17.0) that
> has native email alerting capabilities. I have included it because a
> couple of folks have asked for this feature and it was quickly done.
>
> I have not yet really evaluated the potential use cases. However, I
> think there are ample. I would be deeply interested in your feedback on
> the relevance of such a feature to your work. Do you do email alerting?
> If so, is it (near-)realtime? Do you prefer to use an external tool to
> do it? Would the functionality provided by rsyslog be sufficient for
> your needs? And, most importantly, what is missing?
>
> I promise to listen very carefully and try to implement anything that is
> doable and makes sense in the rsyslog context.
>
> After my sig, I have included a brief config sample outlining some of the
> functionality. The full (still brief) details can be found at
>
> http://www.rsyslog.com/doc-ommail.html
>
> And, of course, feel free to forward any questions and comments to me :)
>
> Thanks,
> Rainer
>
> The following is a sample code snippet that alerts the operator when
> disk problems are detected (based on a hypothetical "hard disk fatal
> failure" syslog message):
>
> $ModLoad ommail
> $ActionMailSMTPServer mail.example.net
> # addresses appear as "user at host" in the list archive; the real
> # config uses "user@host"
> $ActionMailFrom rsyslog@example.net
> $ActionMailTo operator@example.net
> $template mailSubject,"disk problem on %hostname%"
> $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
> $ActionMailSubject mailSubject
> # make sure we receive a mail only once in six
> # hours (21,600 seconds ;))
> $ActionExecOnlyOnceEveryInterval 21600
> # the if ... then ... mailBody must be on one line!
> if $msg contains 'hard disk fatal failure' then :ommail:;mailBody
>
> Note that rsyslog has the ability to limit an action to be executed only
> once inside a specific period. In the above sample, the email alert
> happens only if there was no other such alert within the past 6 hours -
> this is absolutely vital to prevent an accidental DoS on your mailbox ;)
> ... but it may also be handy with other actions (e.g. SNMP trap
> notification etc etc).
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis at loganalysis.org
> http://www.loganalysis.org/mailman/listinfo/loganalysis
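The following is an added example, not code from the thread or from the rsyslog project: a small Python simulation of what the quoted config does, so the effect of the once-per-interval suppression and of per-device message length limits (Harry's point about pagers and phones) can be checked against constructed log lines. The `MAX_LEN` values per device type, the `SAMPLE_LOG` lines and their timestamps, and the simplified interval semantics (fire only if at least `interval` seconds have passed since the last fired alert) are assumptions for the example.

```python
"""Simulate rsyslog-style mail alerting: filter on a substring, render
subject/body templates, suppress repeats inside an interval, and truncate
the body to what the receiving device can display.

Added example; it is not rsyslog code and does not send mail.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MATCH = "hard disk fatal failure"            # the 'if $msg contains' test
SUBJECT_TMPL = "disk problem on {hostname}"  # $template mailSubject
BODY_TMPL = "RSYSLOG Alert\r\nmsg='{msg}'"   # $template mailBody
INTERVAL = 21600                             # $ActionExecOnlyOnceEveryInterval

# Assumed per-device limits in characters; real limits depend on the gateway.
MAX_LEN = {"email": 2000, "pager": 160, "sms": 140}

# Constructed sample log: (epoch seconds, "hostname msg") pairs.
SAMPLE_LOG: List[Tuple[int, str]] = [
    (1000, "host1 kernel: hard disk fatal failure on sda"),
    (1010, "host1 kernel: hard disk fatal failure on sda"),   # repeat, suppressed
    (5000, "host2 sshd: Accepted publickey for ops from 10.0.0.5"),  # no match
    (1000 + INTERVAL, "host1 kernel: hard disk fatal failure on sdb"),  # fires again
    (60000, "host3 kernel: hard disk fatal failure on sdc " + "sector-dump " * 30),
]


@dataclass
class OnceEveryInterval:
    """Allow an action at most once per `interval` seconds (simplified)."""
    interval: int
    last_fired: Optional[int] = None

    def allow(self, now: int) -> bool:
        if self.last_fired is None or now - self.last_fired >= self.interval:
            self.last_fired = now
            return True
        return False


@dataclass
class Alert:
    hostname: str
    subject: str
    body: str
    truncated: bool


def parse(line: str) -> Tuple[str, str]:
    """Split a 'hostname msg' line into the %hostname% and %msg% properties."""
    hostname, _, msg = line.partition(" ")
    return hostname, msg


def render(hostname: str, msg: str, device: str) -> Alert:
    """Fill the templates and cut the body to the device's maximum length."""
    limit = MAX_LEN[device]
    body = BODY_TMPL.format(msg=msg)
    truncated = len(body) > limit
    if truncated:
        body = body[: limit - 3] + "..."
    return Alert(hostname, SUBJECT_TMPL.format(hostname=hostname), body, truncated)


def build_alerts(log, device: str = "email", interval: int = INTERVAL) -> List[Alert]:
    """Return the alerts that would actually be sent for `log`.

    The interval gate is applied only after the filter matches, mirroring
    the config where the suppression belongs to the ommail action itself.
    """
    gate = OnceEveryInterval(interval)
    alerts: List[Alert] = []
    for ts, line in log:
        hostname, msg = parse(line)
        if MATCH not in msg:
            continue
        if not gate.allow(ts):
            continue  # suppressed: another alert fired inside the interval
        alerts.append(render(hostname, msg, device))
    return alerts


if __name__ == "__main__":
    for a in build_alerts(SAMPLE_LOG, "pager"):
        print(a.subject, "| truncated:", a.truncated, "| body length:", len(a.body))
```

Running it with `device="pager"` sends three alerts out of four matching lines (the 1010 repeat is dropped) and truncates the long host3 body to 160 characters, which is the failure mode to watch for on pager and SMS targets: the truncated part is exactly the tail of `%msg%` that usually carries the detail. Note that the gate is global to the action, as in the config, so a second host's failure inside the interval is also suppressed.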