syslog-ng experts?

leaskovski · 12 Jul 2016 at 12:30

Hi Guys,

I am using my raspberry pi to act as a syslog server on my network at home to catch syslog messages from kit that I want monitoring, i.e. my router. Getting syslog up and running and getting it to capture those messages from the router is easier and am logging out to a file on disk, so no issues there.

Now I want to take it a step further and get it to trigger alerts for certain events.

I have defined a destination which is to trigger sendmail:

destination d_alert { program("sendmail"); };

And I create a filter to capture any messages that I want to trigger the alert for:

filter f_openvpn { message("OpenVPN"); };

This is for any incoming connections to the router that contains OpenVPN in the log line.

And I have a my log command, that uses the source, filter and destination to do the business:

log { source(s_net); filter(f_openvpn); destination(d_alert); };

Question is, the destination gets called, but is there a way to get the log message in its entirety to pass that to the destination so that I can include that in my email alert?

Any syslog-ng experts on here?

Thanks

leaskovski · 13 Jul 2016 at 11:00

First post, and giving help... I like that!

Anyway, I am using 3.3 that comes from the RASPBIAN repos.

I have slightly modified my config to include the following options:

Code:

# This is for external syslog messages from the any network connection on port 514 (syslog)
source s_net { udp(ip(0.0.0.0) port(514)); };

# Log messages from the sky router
destination d_router { file("/var/log/router.log"); };

# Email alerts
destination d_emailalerts { program("/etc/syslog-alert.sh" template("${MSG}") ); };

# Filter for the Sky Router
filter f_router { host( "192.168.0.1" ); };

# Filters for email alerts
filter f_openvpn { message( "OpenVPN" ); };

# Log messages from the network for the sky router to the router log file destination
log { source(s_net); filter(f_router); destination(d_router); };

# Send an alert for OpenVPN messages in the sky router syslog messages
#log { source(s_net); filter(f_router); filter(f_openvpn); destination(d_emailalerts); };

A couple of things,

The sky router syslog messages are getting captured fine and sent out to the "/var/log/router.log" file fine, no problems there.

When I enable the last "log" definition, which is mean't to capture incoming syslong messages that are from the sky router (f_router filter) and contain "OpenVPN" in the message text (f_openvpn), I get spammed by the PI as it is constantly firing as if my filters aren't working. So thats one problem.

The destination (d_emailalerts) is basically to fire off a bash script that sends the email, and the bash script works fine, as I am getting all those emails for the previous issue, but I assumed that when the destination is defined, that the template command would basically format me a parameter that is passed to the bash script, however the emails coming from the script, do not contain any message.

Bash script being called by the destination:

Code:

#!/bin/bash
#Send an email when a client connects with today's time and date
NOW="$(date +"%H:%M:%S - %Y-%m-%d")"

mail -s "Syslog Event - $NOW" "[email protected]" -a "From: Raspberry PI <[email protected]>" << EOF
At $NOW, Syslog-ng captured the following event and raised this alert.

$1
.
EOF
exit 0

Any help is very much welcome! Thanks

edit:
syslog-ng version info:

Code:

syslog-ng 3.3.5
Installer-Version: 3.3.5
Revision: ssh+git://[email protected]//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.3--master#d5d607c05251b38e821efe27bc46ac8db78dd722
Compile-Date: Mar 22 2013 23:27:12
Default-Modules: affile,afprog,afsocket,afuser,afsql,basicfuncs,csvparser,dbparser,syslogformat
Available-Modules: dbparser,csvparser,afprog,convertfuncs,tfjson,syslogformat,afsocket,afuser,afsql,confgen,basicfuncs,affile,afmongodb,afsocket-tls
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Pcre: on

leaskovski · 13 Jul 2016 at 15:31

Cheers! Will have a look and let you know how I get on.

Awesome first 2 posts. Random how you signed up to reply to me, but I will take that! Thanks again.

leaskovski · 2 Aug 2016 at 22:18

Ok, so I finally got around to doing this.

Adding the \n to the template and updating the bash script to have a while loop like the example in the link you gave me worked!

Thanks a million!