[rsyslog-notify] Forum Thread: ActionMailTo Command Filtering - (Mode 'post')

noreply at adiscon.com
Tue May 12 14:39:42 CEST 2015


User: thom 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25567#p25567

Message: 
----------
Good Morning.

I have my rsyslog server up and running well and emailing me reports. 
What I find is that some of my filtering is too broad and I am getting
hundreds of messages per day still.

I have a block of code that filters based on a stopped service. I would
like to tweak it to ignore some of the normal everyday Windows services but
report on other critical services.

Here is my code.

# SERVICE STOPPED
#
$template mailSubject11,"Syslog Alert Message from %hostname% - Service Stopped"
$template mailBody11,"Service Stop Detected\r\nmsg='%msg%'"
$ActionMailSubject mailSubject11
# make sure we receive a mail only once in six
# hours (21,600 seconds ;))
#$ActionExecOnlyOnceEveryInterval 21600
# the if ... then ... mailBody must be on one line!
$ActionMailTo user at email.com
if $msg contains 'service entered the stopped state' then :ommail:;mailBody11

So basically, I want to have a condition that is similar to the following,
but I don't know how to code.

if $msg contains 'service entered the stopped state' but
does not contain 'winhttp web proxy' or 'wmi performance' or 'option 3'
then :ommail:;mailBody11

Is this possible? Once I have an example to work with, I can input all the
modifications to filter out normal services that start and stop. 

Thank you.
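One way to express that condition in rsyslog's RainerScript (v7 or later), added here as an illustration and not part of the original post; the mail relay, sender and recipient addresses are placeholders:

```rsyslog
# Added example (not from the original post): RainerScript version of the
# legacy block above, with an exclusion list for services whose routine
# stops should not trigger a mail.
module(load="ommail")

template(name="mailSubject11" type="string"
         string="Syslog Alert Message from %hostname% - Service Stopped")
template(name="mailBody11" type="string"
         string="Service Stop Detected\r\nmsg='%msg%'")

# Match the stop event, then subtract the known-benign services.
# Each exclusion needs its own "$msg contains" test; 'contains' is
# case-sensitive, use 'contains_i' if service names vary in case.
if ($msg contains 'service entered the stopped state') and
   not ($msg contains 'winhttp web proxy'
        or $msg contains 'wmi performance'
        or $msg contains 'option 3') then {
    # server, mailfrom and mailto are placeholders; adjust to your relay.
    # action.execonlyonceeveryinterval rate-limits to one mail per six
    # hours (21,600 s), the same as the legacy directive above.
    action(type="ommail"
           server="mail.example.com" port="25"
           mailfrom="rsyslog@example.com"
           mailto="user@example.com"
           subject.template="mailSubject11"
           template="mailBody11"
           action.execonlyonceeveryinterval="21600")
}
```

In the legacy syntax the same `if ... then` condition still has to sit on a single line, as the comment in the original block notes.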

