[rsyslog] Help with Ommail Configuration

[Rainer Gerhards]

Thanks, HKS, for the good answers. There is one thing I would like to
bring to your attention: I often see that people do not check for
rsyslog error messages themselves. That complicates setup. I do not
blame anyone, but would like to make you aware of the problem.

I have just blogged about a potential (partial) solution and will try to
implement it:

http://blog.gerhards.net/2008/07/rsyslog-error-reporting-how-to-do-it.ht
ml

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of (private) HKS
> Sent: Thursday, July 24, 2008 11:36 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Help with Ommail Configuration
> 
> Oh - one other possibility. rsyslogd has to have mail enabled at
> compile time to work with it at runtime. check your catchall logfile -
> if it has messages like this, you didn't compile it in:
> 
> rsyslogd: could not load module '/usr/local/lib/rsyslog/ommail.so',
> dlopen: /usr/local/lib/rsyslog/ommail.so: cannot open shared object
> file: No such file or directory
> 
> To fix this, you'll need to reinstall. This time, when you run
> ./configure be sure to include --enable-mail. make install clean and
> you should be good to go...
> 
> -HKS
> 
> On Thu, Jul 24, 2008 at 5:01 PM, (private) HKS <hks.private at gmail.com>
> wrote:
> > A few things to try:
> >
> >  - You load ommail.so twice, once at the top and once right above
> your
> > $ActionMail... lines. I don't think this will break it, but it's
> > unnecessary - delete the second one.
> >
> >  - $ActionExecOnlyOnceEveryInterval 21600 means that it's only going
> > to attempt sending a message once every 6 hours. For testing
> purposes,
> > this will be obnoxious. Until you're ready for production, change it
> > to:
> > $ActionExecOnlyOnceEveryInterval 30
> >
> >  - Send everything to make sure you're  not missing it based on
> > something in the property-replacer/templates/whatever. Replace "if
> > $msg contains 'hard disk fatal failure' then :ommail:;mailBody"
with:
> > *.*  :ommail:;mailBody
> >
> > Try again. Try logging a few messages from the localhost first (with
> > RHEL you can just run "logger test" to log a user.notice message
with
> > content "test") and see if you get them.
> >
> > If you don't, check the mail logs on your mail server to see if it
> > ever received the message. If not, it's time to break out tcpdump
and
> > see if the packets are ever being generated.
> >
> > Hope that helps.
> >
> > -HKS
> >
> >
> >
> > On Thu, Jul 24, 2008 at 3:50 PM, Goutos, Kevin (DOB)
> > <Kevin.Goutos at budget.state.ny.us> wrote:
> >> Hello all,
> >>
> >> First off, I am not very Linux savvy. I don't have a lot of
> experience
> >> other then a basic course. This is probably way past my knowledge,
> but I
> >> really need to get it done. Appreciate any help you guys have to
> offer.
> >>
> >> I am working on a Red Hat Enterprise 4 box and I am running the
> latest
> >> edition of rsyslog. I currently have rsyslog configured to receive
> >> messages remotely via UDP. I am trying to set it up so that it will
> send
> >> out E-mail messages to the system Admin's based on the severity
> level of
> >> the log files I am receiving. I would like it so that any device
> that
> >> sends a log with a critical, alert, or emergency level facility
will
> >> send out an e-mail to a specific address.
> >>
> >> Here is my rsyslog.conf file. I used the sample code from Rainer
> >> Gerhards configuration page. I tried sending a test syslog with
> 'hard
> >> disk fatal failure' in it, but it is not sending out mail. Also
> tried
> >> without the templates below thinking it would just send me an email
> for
> >> every syslog that I received, but it doesn't appear to be sending
> mail.
> >> Any thoughts on what I am doing wrong. I'm sure there is a lot I
> need to
> >> do, so please let me know. Thanks!
> >>
> >> $template mailSubject,"disk problem on %hostname%"
> >> $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"'
> >>
> >> I edited out the 3 lines below in the code for security reasons..
> >> $ActionMailSMTPServer <ip of smtp server>
> >> $ActionMailFrom <from address>
> >> $ActionMailTo <my email>
> >>
> >>
> >>
> >> Here is my code from rsyslog.conf below.
> >>
> >>
> >>
> >> # if you experience problems, check
> >> # http://www.rsyslog.com/troubleshoot for assistance
> >>
> >> # rsyslog v3: load input modules
> >> # If you do not load inputs, nothing happens!
> >> # You may need to set the module load path if modules are not
found.
> >>
> >> $ModLoad immark.so # provides --MARK-- message capability
> >> $ModLoad imuxsock.so # provides support for local system logging
> (e.g.
> >> via logger command)
> >> $ModLoad imklog.so # kernel logging (formerly provided by rklogd)
> >> $ModLoad ommail
> >>
> >> $template TraditionalFormatWithPRI,"%PRI-text%: %timegenerated%
> >> %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
> >>
> >> # Log all kernel messages to the console.
> >> # Logging much else clutters up the screen.
> >> #kern.*
/dev/console
> >>
> >> # Log anything (except mail) of level info or higher.
> >> # Don't log private authentication messages!
> >> *.info;mail.none;authpriv.none;cron.none
> >> -/var/log/messages
> >>
> >> # The authpriv file has restricted access.
> >> authpriv.*
> /var/log/secure
> >>
> >> # Log all the mail messages in one place.
> >> mail.*
> >> -/var/log/maillog
> >>
> >> # Log cron stuff
> >> cron.*                                                  -
> /var/log/cron
> >>
> >> # Everybody gets emergency messages
> >> *.emerg                                                 *
> >>
> >> # Save news errors of level crit and higher in a special file.
> >> uucp,news.crit
> >> -/var/log/spooler
> >>
> >> # Save boot messages also to boot.log
> >> local7.*
> >> /var/log/boot.log
> >>
> >> #Catch all incoming syslog messages
> >> *.*
> >> /var/log/catchall;TraditionalFormatWithPRI
> >>
> >> # Remote Logging (we use TCP for reliable delivery)
> >> # An on-disk queue is created for this action. If the remote host
is
> >> # down, messages are spooled to disk and sent when it is up again.
> >> $WorkDirectory /rsyslog/spool # where to place spool files
> >> $ActionQueueFileName uniqName # unique name prefix for spool files
> >> $ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as
> >> possible)
> >> $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
> >> $ActionQueueType LinkedList   # run asynchronously
> >> $ActionResumeRetryCount -1    # infinite retries if host is down
> >> # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
> >> *.* @10.57.106.140:514
> >>
> >> $ModLoad ommail
> >> $ActionMailSMTPServer <ip of smtp server>
> >> $ActionMailFrom <from address>
> >> $ActionMailTo <my email>
> >> $template mailSubject,"disk problem on %hostname%"
> >> $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
> >> $ActionMailSubject mailSubject
> >> # make sure we receive a mail only once in six
> >> # hours (21,600 seconds ;))
> >> $ActionExecOnlyOnceEveryInterval 21600
> >> # the if ... then ... mailBody mus be on one line!
> >> if $msg contains 'hard disk fatal failure' then :ommail:;mailBody
> >>
> >>
> >> # ######### Receiving Messages from Remote Hosts ##########
> >> # TCP Syslog Server:
> >> # provides TCP syslog reception and GSS-API (if compiled to support
> it)
> >> $ModLoad imtcp.so  # load module
> >> $InputTCPServerRun 514 # start up TCP listener at port 514
> >>
> >> # UDP Syslog Server:
> >> $ModLoad imudp.so  # provides UDP syslog reception
> >> $UDPServerRun 514 # start a UDP syslog server at standard port
> >> --------------------------------------------------------
> >> This e-mail, including any attachments, may be confidential,
> privileged or otherwise legally protected. If you have received this
e-
> mail in error, or from someone who was not authorized to send it to
> you, do not disseminate, copy or otherwise use this e-mail or its
> attachments. Please notify the sender immediately if you have received
> this e-mail by mistake, and delete it from your system.
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog