Filter syslog messages then send an email
From Internetworkpro
Below are a syslog-ng configuration fragment and a script which together send an email for each log message matching specified criteria. This is not a replacement for a monitoring system; use syslog-ng however you wish. I like emails for failed login attempts and for critical and alert level messages.
Here is a great tutorial on how to install syslog-ng, log to a database, and install a web front-end. There are other syslog front-ends; this is just the one I tried. I like it: it has decent search capabilities and a simple display.
The tutorial leaves out creating the named pipe for the database in its startup / 'check if named pipe exists' script. I added "mkfifo /tmp/mysql.pipe" to the top of that script.
Here is the portion of the syslog-ng configuration for email:
# this is syslog-ng's configuration file
# a log statement strings a source, a filter and a destination together
source s_network {
    udp();
};
# program() starts the script once and writes each matching message to its stdin, one per line
destination d_mail {
    program("/etc/syslog-ng/syslogemail.sh");
};
# only messages at crit or alert severity pass this filter
filter f_highl {
    level(crit,alert);
};
# this is what strings source, dest, and filter together
log {
    source(s_network);
    filter(f_highl);
    destination(d_mail);
};
You will want to make sure the host running syslog-ng can send mail. The variable var is set to the IP address or DNS name of the device that sent the log message.
Here is the script that takes input from syslog-ng and sends the mail:
#!/bin/bash -x
# Started by syslog-ng's program() destination; every message that passed the filter
# arrives as one line on stdin. -x traces each command to stderr (debug aid).
while IFS= read -r line; do
    # With syslog-ng's default template the 4th field is the sending host
    # (awk collapses the double space that follows a single-digit day).
    var=$(printf '%s\n' "$line" | awk '{print $4}')
    #printf "line: %s, var: %s\n" "$line" "$var" >> /tmp/mylog
    printf '%s\n' "$line" | /usr/bin/mailx -s "log notification $var" test@nowhere.com
done
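As an added example (not code from the original page), the following drives the same read/mail loop offline: constructed sample lines in syslog-ng's default template are fed to the loop and a stand-in MAILER function replaces /usr/bin/mailx, so the host extraction and a repeat-suppression check can be verified without sending mail. The function names, the sample lines and the dedup rule are assumptions of this example, not part of the page's script.

```shell
#!/bin/sh
# Added example, not part of the original page: run the read/mail loop that syslog-ng's
# program() destination feeds, but offline. Lines are constructed samples in syslog-ng's
# default template ("<Mon> <DD> <HH:MM:SS> <host> <program>: <msg>"); MAILER stands in
# for /usr/bin/mailx, so nothing is actually sent.

# Constructed sample messages (note the double space after a single-digit day).
SAMPLE_LOG='Mar  3 09:15:02 fw01 kernel: CRITICAL: temperature threshold exceeded
Mar 14 23:59:59 core-sw1 sshd[4242]: alert: repeated authentication failures
Mar  3 09:15:03 fw01 kernel: CRITICAL: temperature threshold exceeded'

# Field 4 of the default template is the sending host. awk treats a run of blanks as
# one separator, so the single-digit-day case works without unquoted word splitting.
host_of() {
    printf '%s\n' "$1" | awk '{print $4}'
}

# Message with timestamp and host (fields 1-4) removed; used to recognise repeats.
body_of() {
    printf '%s\n' "$1" | awk '{ $1=$2=$3=$4=""; sub(/^ +/, ""); print }'
}

# Stand-in for mailx with the same argument shape (-s SUBJECT RECIPIENT, body on
# stdin); it only appends "SUBJECT|RECIPIENT|BODY" to the SENT log.
SENT=""
MAILER() {
    SENT="${SENT}$2|$3|$(cat)
"
}

# The page's loop plus two checks it lacks: skip blank lines, and do not mail the
# same host+message twice in one run (a flapping device otherwise mails per repeat).
notify_loop() {
    SENT=""; seen=""
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        key="$(host_of "$line")|$(body_of "$line")"
        if printf '%s\n' "$seen" | grep -qxF -- "$key"; then continue; fi
        seen="${seen}${key}
"
        # Same call shape as: echo "$line" | mailx -s "log notification $var" rcpt
        MAILER -s "log notification $(host_of "$line")" test@nowhere.com <<EOF
$line
EOF
    done
}
# Number of mails this run produced for one host.
mails_for_host() {
    printf '%s' "$SENT" | grep -c -- "^log notification $1|" || true
}
notify_loop <<EOF
$SAMPLE_LOG
EOF
```

With the three sample lines the run produces two mails (one per host), because the repeated fw01 message is suppressed.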