[rsyslog] Help with Ommail Configuration

(private) HKS hks.private at gmail.com
Thu Jul 24 23:01:42 CEST 2008


A few things to try:

 - You load ommail.so twice, once at the top and once right above your
$ActionMail... lines. I don't think this will break it, but it's
unnecessary - delete the second one.

 - $ActionExecOnlyOnceEveryInterval 21600 means that it's only going
to attempt sending a message once every 6 hours. For testing purposes,
this will be obnoxious. Until you're ready for production, change it
to:
$ActionExecOnlyOnceEveryInterval 30

 - Send everything to make sure you're not missing it based on
something in the property-replacer/templates/whatever. Replace "if
$msg contains 'hard disk fatal failure' then :ommail:;mailBody" with:
*.*  :ommail:;mailBody

Try again. Try logging a few messages from the localhost first (with
RHEL you can just run "logger test" to log a user.notice message with
content "test") and see if you get them.

If you don't, check the mail logs on your mail server to see if it
ever received the message. If not, it's time to break out tcpdump and
see if the packets are ever being generated.

Hope that helps.

-HKS



On Thu, Jul 24, 2008 at 3:50 PM, Goutos, Kevin (DOB)
<Kevin.Goutos at budget.state.ny.us> wrote:
> Hello all,
>
> First off, I am not very Linux savvy. I don't have a lot of experience
> other than a basic course. This is probably way past my knowledge, but I
> really need to get it done. Appreciate any help you guys have to offer.
>
> I am working on a Red Hat Enterprise 4 box and I am running the latest
> edition of rsyslog. I currently have rsyslog configured to receive
> messages remotely via UDP. I am trying to set it up so that it will send
> out E-mail messages to the system Admins based on the severity level of
> the log files I am receiving. I would like it so that any device that
> sends a log with a critical, alert, or emergency level facility will
> send out an e-mail to a specific address.
>
> Here is my rsyslog.conf file. I used the sample code from Rainer
> Gerhards' configuration page. I tried sending a test syslog with 'hard
> disk fatal failure' in it, but it is not sending out mail. Also tried
> without the templates below thinking it would just send me an email for
> every syslog that I received, but it doesn't appear to be sending mail.
> Any thoughts on what I am doing wrong? I'm sure there is a lot I need to
> do, so please let me know. Thanks!
>
> $template mailSubject,"disk problem on %hostname%"
> $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
>
> I edited out the 3 lines below in the code for security reasons..
> $ActionMailSMTPServer <ip of smtp server>
> $ActionMailFrom <from address>
> $ActionMailTo <my email>
>
>
>
> Here is my code from rsyslog.conf below.
>
>
>
> # if you experience problems, check
> # http://www.rsyslog.com/troubleshoot for assistance
>
> # rsyslog v3: load input modules
> # If you do not load inputs, nothing happens!
> # You may need to set the module load path if modules are not found.
>
> $ModLoad immark.so # provides --MARK-- message capability
> $ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
> $ModLoad imklog.so # kernel logging (formerly provided by rklogd)
> $ModLoad ommail
>
> $template TraditionalFormatWithPRI,"%PRI-text%: %timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
>
> # Log all kernel messages to the console.
> # Logging much else clutters up the screen.
> #kern.*                                                 /dev/console
>
> # Log anything (except mail) of level info or higher.
> # Don't log private authentication messages!
> *.info;mail.none;authpriv.none;cron.none                -/var/log/messages
>
> # The authpriv file has restricted access.
> authpriv.*                                              /var/log/secure
>
> # Log all the mail messages in one place.
> mail.*                                                  -/var/log/maillog
>
> # Log cron stuff
> cron.*                                                  -/var/log/cron
>
> # Everybody gets emergency messages
> *.emerg                                                 *
>
> # Save news errors of level crit and higher in a special file.
> uucp,news.crit                                          -/var/log/spooler
>
> # Save boot messages also to boot.log
> local7.*                                                /var/log/boot.log
>
> #Catch all incoming syslog messages
> *.*                                                     /var/log/catchall;TraditionalFormatWithPRI
>
> # Remote Logging (we use TCP for reliable delivery)
> # An on-disk queue is created for this action. If the remote host is
> # down, messages are spooled to disk and sent when it is up again.
> $WorkDirectory /rsyslog/spool # where to place spool files
> $ActionQueueFileName uniqName # unique name prefix for spool files
> $ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
> $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
> $ActionQueueType LinkedList   # run asynchronously
> $ActionResumeRetryCount -1    # infinite retries if host is down
> # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
> *.* @10.57.106.140:514
>
> $ModLoad ommail
> $ActionMailSMTPServer <ip of smtp server>
> $ActionMailFrom <from address>
> $ActionMailTo <my email>
> $template mailSubject,"disk problem on %hostname%"
> $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
> $ActionMailSubject mailSubject
> # make sure we receive a mail only once in six
> # hours (21,600 seconds ;))
> $ActionExecOnlyOnceEveryInterval 21600
> # the if ... then ... mailBody must be on one line!
> if $msg contains 'hard disk fatal failure' then :ommail:;mailBody
>
>
> # ######### Receiving Messages from Remote Hosts ##########
> # TCP Syslog Server:
> # provides TCP syslog reception and GSS-API (if compiled to support it)
> $ModLoad imtcp.so  # load module
> $InputTCPServerRun 514 # start up TCP listener at port 514
>
> # UDP Syslog Server:
> $ModLoad imudp.so  # provides UDP syslog reception
> $UDPServerRun 514 # start a UDP syslog server at standard port
>
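
The three changes suggested in the reply, applied to the mail section of the posted rsyslog.conf. This is an added example, not part of the original thread; the SMTP server address and the mail addresses are placeholders, and the commented-out `*.crit` rule is one way to get the severity-based alerting the original question asks for.

```conf
# Added example (not from the thread): ommail section for the test run.
# 192.0.2.25 and the example.org addresses are placeholders.

# Load ommail once, near the other $ModLoad lines, and delete the
# second "$ModLoad ommail" that sits above the $ActionMail... lines.
$ModLoad ommail

$template mailSubject,"disk problem on %hostname%"
$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"

$ActionMailSMTPServer 192.0.2.25
$ActionMailFrom rsyslog@example.org
$ActionMailTo admin@example.org
$ActionMailSubject mailSubject

# Test setting: at most one mail every 30 seconds.
# The posted config used 21600 (six hours), which hides every
# test message after the first one.
$ActionExecOnlyOnceEveryInterval 30

# Test rule: mail every message, so no filter or template
# condition can be the reason nothing arrives.
*.* :ommail:;mailBody

# Once test mail arrives, swap the test rule for a severity
# selector and restore the longer interval. "*.crit" matches
# crit, alert and emerg on every facility.
#$ActionExecOnlyOnceEveryInterval 21600
#*.crit :ommail:;mailBody
```

After restarting rsyslog, `logger test` exercises the `*.*` rule, and `logger -p user.crit test` produces a message the `*.crit` rule would match.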

