syslog-ng experts?

Hi Guys,

I am using my raspberry pi to act as a syslog server on my network at home to catch syslog messages from kit that I want monitoring, i.e. my router. Getting syslog up and running and getting it to capture those messages from the router was easy, and I am logging out to a file on disk, so no issues there.

Now I want to take it a step further and get it to trigger alerts for certain events.

I have defined a destination which is to trigger sendmail:
destination d_alert { program("sendmail"); };

And I create a filter to capture any messages that I want to trigger the alert for:
filter f_openvpn { message("OpenVPN"); };

This is for any incoming connections to the router that contains OpenVPN in the log line.

And I have my log command, that uses the source, filter and destination to do the business:
log { source(s_net); filter(f_openvpn); destination(d_alert); };

Question is, the destination gets called, but is there a way to get the log message in its entirety to pass that to the destination so that I can include that in my email alert?

Any syslog-ng experts on here?

Thanks
 
Hi,
I don't know which version of syslog-ng you are using (and how it was compiled), but more recent syslog-ng versions have an smtp() destination that allows you to send emails directly from syslog-ng.

Otherwise, syslog-ng should pass the entire log message to the destination; could you be more specific about what is missing? It's possible that you have modified the message template. Try to adjust the template of the destination, see https://www.balabit.com/sites/defau...in/html/configuring-destinations-program.html

HTH,
Robert
 
First post, and giving help... I like that!

Anyway, I am using 3.3 that comes from the RASPBIAN repos.

I have slightly modified my config to include the following options:

Code:
# This is for external syslog messages from the any network connection on port 514 (syslog)
source s_net { udp(ip(0.0.0.0) port(514)); };

# Log messages from the sky router
destination d_router { file("/var/log/router.log"); };

# Email alerts
destination d_emailalerts { program("/etc/syslog-alert.sh" template("${MSG}") ); };

# Filter for the Sky Router
filter f_router { host( "192.168.0.1" ); };

# Filters for email alerts
filter f_openvpn { message( "OpenVPN" ); };

# Log messages from the network for the sky router to the router log file destination
log { source(s_net); filter(f_router); destination(d_router); };

# Send an alert for OpenVPN messages in the sky router syslog messages
#log { source(s_net); filter(f_router); filter(f_openvpn); destination(d_emailalerts); };

A couple of things,

The sky router syslog messages are getting captured fine and sent out to the "/var/log/router.log" file fine, no problems there.

When I enable the last "log" definition, which is meant to capture incoming syslog messages that are from the sky router (f_router filter) and contain "OpenVPN" in the message text (f_openvpn), I get spammed by the PI as it is constantly firing as if my filters aren't working. So that's one problem.

The destination (d_emailalerts) is basically to fire off a bash script that sends the email, and the bash script works fine, as I am getting all those emails for the previous issue, but I assumed that when the destination is defined, the template command would basically format me a parameter that is passed to the bash script; however, the emails coming from the script do not contain any message.

Bash script being called by the destination:

Code:
#!/bin/bash
#Send an email when a client connects with today's time and date
NOW="$(date +"%H:%M:%S - %Y-%m-%d")"

mail -s "Syslog Event - $NOW" "[email protected]" -a "From: Raspberry PI <[email protected]>" << EOF
At $NOW, Syslog-ng captured the following event and raised this alert.

$1
.
EOF
exit 0

Any help is very much welcome! Thanks

edit:
syslog-ng version info:
Code:
syslog-ng 3.3.5
Installer-Version: 3.3.5
Revision: ssh+git://[email protected]//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.3--master#d5d607c05251b38e821efe27bc46ac8db78dd722
Compile-Date: Mar 22 2013 23:27:12
Default-Modules: affile,afprog,afsocket,afuser,afsql,basicfuncs,csvparser,dbparser,syslogformat
Available-Modules: dbparser,csvparser,afprog,convertfuncs,tfjson,syslogformat,afsocket,afuser,afsql,confgen,basicfuncs,affile,afmongodb,afsocket-tls
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Pcre: on
 
Hi,

* Unfortunately, 3.3 does not include the smtp destination.

* The program() destination should send the message to the stdin (I think line-by-line) of the script. Try adding a \n to your template, like:

destination d_emailalerts { program("/etc/syslog-alert.sh" template("${MSG}\n") ); };

* Another problem can be that your script exits at the end, therefore syslog-ng tries to restart it (this might be the cause of the flood). Instead of reading a line and exiting, use a loop that keeps reading stdin and sends each line in an email. Something like this: http://marc.info/?l=syslog-ng&m=125019422421252

Let me know if any of these solves the problem; the syslog-ng docs are a bit vague in this regard, so I'd like to update them to make it easier to avoid such problems.
 
Cheers! Will have a look and let you know how I get on.

Awesome first 2 posts. Random how you signed up to reply to me, but I will take that! Thanks again.
 
:) I am the maintainer of the syslog-ng documentation, and have a Google alert that notifies me of syslog-ng related posts (well, at least some of it)
 
Ok, so I finally got around to doing this.

Adding the \n to the template and updating the bash script to have a while loop like the example in the link you gave me worked!

Thanks a million!
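For readers arriving at this thread later, here is an alert script written around the two fixes above (a trailing \n in the template, and a script that loops over stdin instead of exiting after one message). It is an added example, not the poster's script and not part of syslog-ng. The path /etc/syslog-alert.sh, the --serve argument, the recipient address and the MAILER override are assumptions; the matching destination is assumed to be program("/etc/syslog-alert.sh --serve" template("${MSG}\n")). Because the message text arrives over UDP from whatever sent the datagram, the script strips control characters before putting it in an email body, and it suppresses an immediate repeat of the same line so one chatty device does not turn into a mailbox flood.

```shell
#!/bin/sh
# syslog-ng program() destination handler (added example, not from the thread).
# syslog-ng writes each message to this script's stdin, one per line, provided
# the destination template ends in "\n", e.g.:
#   destination d_emailalerts {
#       program("/etc/syslog-alert.sh --serve" template("${MSG}\n"));
#   };
# The script must keep reading stdin; if it exits, syslog-ng restarts it for
# the next message, which is the flood seen earlier in the thread.

# Assumed settings. MAILER can be overridden (e.g. with a shell function) so the
# loop can be exercised without a working mail setup.
ALERT_TO="${ALERT_TO:-alerts@example.invalid}"
MAILER="${MAILER:-mail}"

# Remove control characters (NUL..US and DEL) from one log line. The line
# content is untrusted network input, so do not pass it through raw.
sanitize() {
    printf '%s' "$1" | tr -d '\000-\037\177'
}

# Build the email body for one message. Printing it (rather than mailing it
# directly) keeps the formatting testable.
format_alert() {
    now=$(date +"%H:%M:%S - %Y-%m-%d")
    printf 'At %s, syslog-ng captured the following event and raised this alert.\n\n%s\n' \
        "$now" "$(sanitize "$1")"
}

# Deliver one alert. With the default mailer this runs: mail -s <subject> <to>.
# Note that mail(1) flags such as -a differ between mailutils and bsd-mailx,
# so only the portable -s option is used here.
send_alert() {
    format_alert "$1" | "$MAILER" -s "Syslog Event" "$ALERT_TO"
}

# Main loop: one alert per non-empty line, skipping an immediate duplicate of
# the previous line, and never exiting while stdin is open.
alert_loop() {
    last=""
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        [ "$line" = "$last" ] && continue
        send_alert "$line"
        last="$line"
    done
}

# Only consume stdin when explicitly asked to, so sourcing or running the file
# without arguments just defines the functions above.
case "${1:-}" in
    --serve) alert_loop ;;
    *) printf 'usage: %s --serve   (reads one syslog message per line on stdin)\n' "$0" >&2 ;;
esac
```

Pointing f_router and f_openvpn at this destination keeps the filtering in syslog-ng where it belongs; the script only formats and delivers. If the mailbox still fills up, the first thing to check is whether the script is being restarted (syslog-ng logs that on its own internal() source) rather than the filters.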
 