[syslog-ng] email alert on timeout
Gregg Nicholas
gnichola at berriencounty.org
Thu Oct 31 12:56:28 UTC 2019
I'm new to syslog-ng OSE. I've been able to follow the samples, and
configured an email alert when a syslog message is received.
Now I'm trying to configure an email alert when it has been too long since
I've received a particular syslog message.
First, I configured a destination:
destination d_heartbeat {
    file("/var/log/heartbeat.log"
        mark-freq(60) mark-mode(dst-idle) );
};
Then, I configured a filter and log:
filter f_heartbeat {
    match("I am still here" value("MESSAGE") );
};
log { source(s_network); filter(f_heartbeat);
      destination(d_heartbeat); };
I was pleasantly surprised that this worked. The heartbeat.log file
received the message, and 60 seconds later it received the "syslog -- MARK --".
Since I wanted an email alert, I defined a new source, to grab the output
of my heartbeat.log as input:
source s_heartbeat { file("/var/log/heartbeat.log"); };
destination d_smtp { smtp(
    host("10.10.10.25") port(25)
    from("syslog-ng" "noreply@mydomain.com")
    to("me" "myemail@mydomain.com")
    subject("host is down")
    body("no heartbeat received from the program on host\n")
); };
filter f_timeout { match("MARK --" value("MESSAGE")); };
log { source(s_heartbeat); filter(f_timeout);
      destination(d_smtp); };
This seemed to work when I tested it with a single heartbeat followed by
a timeout, but I'm still misunderstanding something. If it gets more than
one message written to heartbeat.log, then the timeout MARK doesn't happen.
What am I missing? Is there a better way to accomplish this alert?
Thanks,
Gregg
(running syslog-ng v3.19.1-5 on debian 10)
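The check the post is trying to build (alert when a host's "I am still here" message has been absent for too long), written as a stand-alone watchdog over the heartbeat log rather than via MARK messages. This is an added example, not code from the post or from the syslog-ng project; the BSD-style line layout, host names, timestamps and the 5-minute timeout are all constructed for illustration.

```python
"""Heartbeat-timeout check over syslog-style log lines (added example)."""
import re
from datetime import datetime, timedelta

# Assumed line layout of a file() destination using the traditional
# BSD syslog header: "Oct 31 12:56:28 hostA heartbeat[101]: I am still here"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
HEARTBEAT_TEXT = "I am still here"   # the message the post filters on

# Constructed sample: hostA keeps reporting, hostB goes quiet after 12:51.
SAMPLE_LOG = [
    "Oct 31 12:50:00 hostA heartbeat[101]: I am still here",
    "Oct 31 12:51:00 hostB heartbeat[202]: I am still here",
    "Oct 31 12:52:00 hostA heartbeat[101]: I am still here",
    "Oct 31 12:53:00 hostB -- MARK --",                  # not a heartbeat
    "Oct 31 12:54:00 hostA sshd[900]: Accepted publickey for ops",
]
NOW = datetime(2019, 10, 31, 12, 56, 28)   # evaluation time (constructed)
TIMEOUT = timedelta(minutes=5)             # alert threshold (constructed)


def parse_timestamp(ts: str, year: int) -> datetime:
    """BSD syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def last_heartbeats(lines, year: int) -> dict:
    """Most recent heartbeat time per host; MARK and other lines are ignored."""
    last = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or HEARTBEAT_TEXT not in m.group("msg"):
            continue
        seen = parse_timestamp(m.group("ts"), year)
        host = m.group("host")
        if host not in last or seen > last[host]:
            last[host] = seen
    return last


def silent_hosts(lines, now: datetime, timeout: timedelta, year: int) -> list:
    """Hosts whose latest heartbeat is older than `timeout` at `now`."""
    return sorted(h for h, t in last_heartbeats(lines, year).items()
                  if now - t > timeout)


def check_sample() -> list:
    return silent_hosts(SAMPLE_LOG, NOW, TIMEOUT, 2019)


if __name__ == "__main__":
    for host in check_sample():
        print(f"ALERT: no heartbeat from {host} in {TIMEOUT}")
```

Run it periodically (for example from cron) against the real heartbeat log and hand the returned list to whatever mailer you use; hosts that have never sent a heartbeat at all will not appear, so seed the expected host list separately if that case matters.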