[syslog-ng] Send a specific log by email
Reaky Rok
reakyrok at hotmail.com
Sun Jul 5 22:38:04 CEST 2009
Dear
I don't know if the problem is with me or what :)
As I understood it, you sent me configuration related to which interface I'll use to receive logs. But this is not the problem. The problem is that when I receive logs from the remote server whose IP is 163.121.189.131, I want to send the logs of this server to my email. I'm sorry if I used a configuration in the wrong way that made you not understand me.
Anyway, I'm now trying some kind of solution; I don't know if it can be a way to do what I want or not.
I did the following:
========================================================================================
source sme {file (/var/log/syslog-ng/servers/163.121.189.131/local7.log); };
destination maillog { program ("/usr/local/bin/syslog-mail-perl" );
};
log {source(sme); destination(maillog); };
========================================================================================
As you see, I try to make the source the file that contains the logs of the remote server 163.121.189.131
and try to send it to a script that mails it to me. But when I try, nothing happens.
I'll attach the full configuration file and the mail script for you; I make it send to root, for example, in the first
configuration file:
=================================================================
# configuration file for syslog-ng, customized for remote logging
#
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };
# Remote logging
source s_remote {
tcp(ip(0.0.0.0) port(514));
udp(ip(0.0.0.0) port(514));
};
destination d_separatedbyhosts {
file("/var/log/syslog-ng/servers/$HOST/$FACILITY.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
log { source(s_remote); destination(d_separatedbyhosts); };
# This is the new part that I did
source sme {file (/var/log/syslog-ng/servers/172.31.250.68/local7.log); };
destination maillog { program ("/usr/local/bin/syslog-mail-perl" );
};
log {source(sme); destination(maillog); };
options {
# Number of syslog lines stored in memory before being written to files
flush_lines (0);
# Syslog-ng uses queues
log_fifo_size (1000);
# Create log directories as needed
create_dirs (yes);
# Make the group "logs" own the log files and directories
group (logs);
dir_group (logs);
# Set the file and directory permissions
perm (0640);
dir_perm (0750);
# Check client hostnames for valid DNS characters
check_hostname (yes);
# Specify whether to trust hostname in the log message.
# If "yes", then it is left unchanged, if "no" the server replaces
# it with client's DNS lookup value.
keep_hostname (yes);
# Use DNS fully qualified domain names (FQDN)
# for the names of log file folders
use_fqdn (yes);
use_dns (yes);
# Cache DNS entries for up to 1000 hosts for 12 hours
dns_cache (yes);
dns_cache_size (1000);
dns_cache_expire (43200);
};
# Define all the source
source s_localhost {
pipe ("/proc/kmsg" program_override("kernel: "));
unix-stream ("/dev/log");
internal();
};
# Define the destination "d_localhost" log directory
destination d_localhost {
file ("/var/log/syslog-ng/localhost/$FACILITY.log");
};
#================================
#================================
# Define all the sources of network generated syslog
# messages and label it "d_network"
source s_network {
tcp(max-connections(5000));
udp();
};
# Define the destination "d_network" log directory
destination d_network {
file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log");
};
#=======================
#=======================
# Any logs that match the "s_localhost" source should be logged
# in the "d_localhost" directory
log { source(s_localhost);
destination(d_localhost);
};
#=======================
===========================================================================
and the following is the mail script
++++++++++++++++++++++++++++++++++++++++=====
#!/usr/bin/perl -n
# thanks to Brian Dowling for an example with security in mind.
$TO = 'root';
$FROM = $TO;
s/^<\d{1,2}>//;
open(MAIL, "|/usr/sbin/sendmail -t");
print MAIL <<"EOT";
To: $TO
From: $FROM
Subject: SME Log Alert: $_
$_
EOT
close(MAIL);
+++++++++++++++++++++++++++++++++++++++++++++++
Thanks for your patience and help
Reaky
> Date: Sat, 4 Jul 2009 13:02:37 +0200
> From: Sandor.Geller at morganstanley.com
> To: syslog-ng at lists.balabit.hu
> Subject: Re: [syslog-ng] Send a specific log by email
>
> ...and to provide actual help: use filters based on hostname or the IP address
>
> filter f_myhostname {
> host("^myhostname$"); # this is a regexp, not a simple string
> };
>
> filter f_myipaddress {
> netmask("127.0.0.1/32");
> };
>
> later in your log definitions just use the filters:
>
> log {
> source(...);
> filter(...);
> destination(...);
> flags(final); # so the logs won't get processed by further log definitions
> };
>
> In the admin guide you can find more details about the configuration
> possibilities.
>
> hth,
>
> Sandor
>
> On Sat, Jul 4, 2009 at 12:48 PM, Sandor Geller<sandorg at morganstanley.com> wrote:
> > Hi,
> >
> > Local means that the host syslog-ng is running on has the IP address
> > configured on one of the network interfaces. Apps can bind only to
> > 0.0.0.0 or to local IP addresses, not to remote addresses. I think
> > you're after filtering based on the remote host's IP address, not
> > binding to the IP address.
> >
> > Regards,
> >
> > Sandor
> >
> > 2009/7/4 Reaky Rok <reakyrok at hotmail.com>:
> >> Dear, what do you mean by local IP? Do you mean it's in the same subnet? Anyway,
> >> it's a routed IP, not in the same subnet as the syslog server.
> >> But anyway, what is the right option to filter the requests from this IP only
> >> ???
> >>
> >>
> >>> From: bazsi at balabit.hu
> >>> To: syslog-ng at lists.balabit.hu
> >>> Date: Fri, 3 Jul 2009 15:57:08 +0200
> >>> Subject: Re: [syslog-ng] Send a specific log by email
> >>>
> >>> On Thu, 2009-07-02 at 11:34 +0300, Reaky Rok wrote:
> >>> > I modified it and it gave me the following result after restarting:
> >>> >
> >>> > Error binding socket; addr='AF_INET(163.121.189.131:514)',
> >>> > error='Cannot assign requested address (99)'
> >>> > Error initializing source driver; source='s_remote', id='s_remote#0'
> >>> > Error initializing message pipeline;
> >>> > [FAILED]
> >>> >
> >>> > Is it possible that this is because I used the same source name in the
> >>> > first part of the configuration?
> >>> >
> >>>
> >>> Is 163.121.189.131 a local IP address? The ip() option of source drivers
> >>> specifies the bind address, not the address to accept messages from.
> >>>
> >>> --
> >>> Bazsi
> >>>
> >>>
> >>>
> >>> ______________________________________________________________________________
> >>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >>> Documentation:
> >>> http://www.balabit.com/support/documentation/?product=syslog-ng
> >>> FAQ: http://www.campin.net/syslog-ng/faq.html
> >>>
> >>
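The filter advice from the quoted replies, applied to the setup in this message, as an added example that is not part of the original thread or of the syslog-ng documentation. The names f_sme and d_sme_mail are made up for illustration; the source, the per-host file destination and the script path are copied from the configuration above.

```conf
# Added example: mail only the messages that arrive from 163.121.189.131.
# f_sme and d_sme_mail are hypothetical names chosen for this sketch.

source s_remote {
    tcp(ip(0.0.0.0) port(514));   # ip() is the local bind address
    udp(ip(0.0.0.0) port(514));
};

# netmask() matches the address of the host that actually delivered the
# message to this server, not the HOST field inside the message.
filter f_sme { netmask("163.121.189.131/32"); };

destination d_separatedbyhosts {
    file("/var/log/syslog-ng/servers/$HOST/$FACILITY.log"
         owner("root") group("root") perm(0640) dir_perm(0750)
         create_dirs(yes));
};

# syslog-ng starts the program and writes each matching message to its
# standard input, one message per line.
destination d_sme_mail { program("/usr/local/bin/syslog-mail-perl"); };

# Every remote host is still written to its own per-host file.
log { source(s_remote); destination(d_separatedbyhosts); };

# Messages from the one host are additionally handed to the mail script.
# Neither statement uses flags(final), so both log paths see the message.
log { source(s_remote); filter(f_sme); destination(d_sme_mail); };
```

Over UDP the sender address is not authenticated, so netmask() selects traffic but is not an access control; every matching line also produces one mail, so a noisy host means a full mailbox.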