[rsyslog] Help with Ommail Configuration

(private) HKS hks.private at gmail.com
Thu Jul 24 23:35:39 CEST 2008 

Oh - one other possibility. rsyslogd has to have mail enabled at
compile time to work with it at runtime. check your catchall logfile -
if it has messages like this, you didn't compile it in:

rsyslogd: could not load module '/usr/local/lib/rsyslog/ommail.so',
dlopen: /usr/local/lib/rsyslog/ommail.so: cannot open shared object
file: No such file or directory

To fix this, you'll need to reinstall. This time, when you run
./configure be sure to include --enable-mail. make install clean and
you should be good to go...

-HKS

On Thu, Jul 24, 2008 at 5:01 PM, (private) HKS <hks.private at gmail.com> wrote:
> A few things to try:
>
>  - You load ommail.so twice, once at the top and once right above your
> $ActionMail... lines. I don't think this will break it, but it's
> unnecessary - delete the second one.
>
>  - $ActionExecOnlyOnceEveryInterval 21600 means that it's only going
> to attempt sending a message once every 6 hours. For testing purposes,
> this will be obnoxious. Until you're ready for production, change it
> to:
> $ActionExecOnlyOnceEveryInterval 30
>
>  - Send everything to make sure you're  not missing it based on
> something in the property-replacer/templates/whatever. Replace "if
> $msg contains 'hard disk fatal failure' then :ommail:;mailBody" with:
> *.*  :ommail:;mailBody
>
> Try again. Try logging a few messages from the localhost first (with
> RHEL you can just run "logger test" to log a user.notice message with
> content "test") and see if you get them.
>
> If you don't, check the mail logs on your mail server to see if it
> ever received the message. If not, it's time to break out tcpdump and
> see if the packets are ever being generated.
>
> Hope that helps.
>
> -HKS
>
>
>
> On Thu, Jul 24, 2008 at 3:50 PM, Goutos, Kevin (DOB)
> <Kevin.Goutos at budget.state.ny.us> wrote:
>> Hello all,
>>
>> First off, I am not very Linux savvy. I don't have a lot of experience
>> other then a basic course. This is probably way past my knowledge, but I
>> really need to get it done. Appreciate any help you guys have to offer.
>>
>> I am working on a Red Hat Enterprise 4 box and I am running the latest
>> edition of rsyslog. I currently have rsyslog configured to receive
>> messages remotely via UDP. I am trying to set it up so that it will send
>> out E-mail messages to the system Admin's based on the severity level of
>> the log files I am receiving. I would like it so that any device that
>> sends a log with a critical, alert, or emergency level facility will
>> send out an e-mail to a specific address.
>>
>> Here is my rsyslog.conf file. I used the sample code from Rainer
>> Gerhards configuration page. I tried sending a test syslog with 'hard
>> disk fatal failure' in it, but it is not sending out mail. Also tried
>> without the templates below thinking it would just send me an email for
>> every syslog that I received, but it doesn't appear to be sending mail.
>> Any thoughts on what I am doing wrong. I'm sure there is a lot I need to
>> do, so please let me know. Thanks!
>>
>> $template mailSubject,"disk problem on %hostname%"
>> $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"'
>>
>> I edited out the 3 lines below in the code for security reasons..
>> $ActionMailSMTPServer <ip of smtp server>
>> $ActionMailFrom <from address>
>> $ActionMailTo <my email>
>>
>>
>>
>> Here is my code from rsyslog.conf below.
>>
>>
>>
>> # if you experience problems, check
>> # http://www.rsyslog.com/troubleshoot for assistance
>>
>> # rsyslog v3: load input modules
>> # If you do not load inputs, nothing happens!
>> # You may need to set the module load path if modules are not found.
>>
>> $ModLoad immark.so # provides --MARK-- message capability
>> $ModLoad imuxsock.so # provides support for local system logging (e.g.
>> via logger command)
>> $ModLoad imklog.so # kernel logging (formerly provided by rklogd)
>> $ModLoad ommail
>>
>> $template TraditionalFormatWithPRI,"%PRI-text%: %timegenerated%
>> %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
>>
>> # Log all kernel messages to the console.
>> # Logging much else clutters up the screen.
>> #kern.*                                                 /dev/console
>>
>> # Log anything (except mail) of level info or higher.
>> # Don't log private authentication messages!
>> *.info;mail.none;authpriv.none;cron.none
>> -/var/log/messages
>>
>> # The authpriv file has restricted access.
>> authpriv.*                                              /var/log/secure
>>
>> # Log all the mail messages in one place.
>> mail.*
>> -/var/log/maillog
>>
>> # Log cron stuff
>> cron.*                                                  -/var/log/cron
>>
>> # Everybody gets emergency messages
>> *.emerg                                                 *
>>
>> # Save news errors of level crit and higher in a special file.
>> uucp,news.crit
>> -/var/log/spooler
>>
>> # Save boot messages also to boot.log
>> local7.*
>> /var/log/boot.log
>>
>> #Catch all incoming syslog messages
>> *.*
>> /var/log/catchall;TraditionalFormatWithPRI
>>
>> # Remote Logging (we use TCP for reliable delivery)
>> # An on-disk queue is created for this action. If the remote host is
>> # down, messages are spooled to disk and sent when it is up again.
>> $WorkDirectory /rsyslog/spool # where to place spool files
>> $ActionQueueFileName uniqName # unique name prefix for spool files
>> $ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as
>> possible)
>> $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
>> $ActionQueueType LinkedList   # run asynchronously
>> $ActionResumeRetryCount -1    # infinite retries if host is down
>> # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
>> *.* @10.57.106.140:514
>>
>> $ModLoad ommail
>> $ActionMailSMTPServer <ip of smtp server>
>> $ActionMailFrom <from address>
>> $ActionMailTo <my email>
>> $template mailSubject,"disk problem on %hostname%"
>> $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
>> $ActionMailSubject mailSubject
>> # make sure we receive a mail only once in six
>> # hours (21,600 seconds ;))
>> $ActionExecOnlyOnceEveryInterval 21600
>> # the if ... then ... mailBody mus be on one line!
>> if $msg contains 'hard disk fatal failure' then :ommail:;mailBody
>>
>>
>> # ######### Receiving Messages from Remote Hosts ##########
>> # TCP Syslog Server:
>> # provides TCP syslog reception and GSS-API (if compiled to support it)
>> $ModLoad imtcp.so  # load module
>> $InputTCPServerRun 514 # start up TCP listener at port 514
>>
>> # UDP Syslog Server:
>> $ModLoad imudp.so  # provides UDP syslog reception
>> $UDPServerRun 514 # start a UDP syslog server at standard port
>> --------------------------------------------------------
>> This e-mail, including any attachments, may be confidential, privileged or otherwise legally protected. If you have received this e-mail in error, or from someone who was not authorized to send it to you, do not disseminate, copy or otherwise use this e-mail or its attachments. Please notify the sender immediately if you have received this e-mail by mistake, and delete it from your system.
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>
>

More information about the rsyslog mailing list