Hari,
the problem you have can be easily solved, and I will post some examples
at the end of this mail. The reason you are not seeing much in the list
archives is that many sites are still using the standard UNIX syslog
daemon. The standard syslogd has one widely-known deficiency -- although
you can configure various processing schemes in /etc/syslog.conf based
on message facility and level, the facility and level are *not* included
in the final log message! This deficiency has been discussed in many
papers about syslog, and I suppose that many example rules in the
mailing list archive have been written for UNIX standard syslog.
However, the syslog-ng software suite (which is a well-known replacement for
the standard syslog) allows for configuring custom log message formats, and
with the 'template' directive you can tell the syslog-ng daemon to include
facility and level in the final log messages:
destination my_messages { file("/var/log/messages" template("$DATE $HOST [$FACILITY.$PRIORITY] $MSG\n")); };
The following SEC rule matches all kernel messages with crit, alert and
emerg levels from the syslog-ng file described above, and sends a mail
to the local root user. Note that repeated messages with the same level,
host, and text are suppressed for 15 minutes, so your mailbox will not
be flooded.
type=SingleWithSuppress
ptype=RegExp
pattern=([\w\-\.]+)\s+\[kern\.(crit|alert|emerg)\]\s+(.+)
desc=$2-level kernel message from host $1: $3
action=pipe '%s' /bin/mail -s '$2 kernel message from $1' [EMAIL PROTECTED]
window=900
Hope that this example helps :)
br,
risto
Hari Sekhon wrote:
> Hi,
>
> I'm using Sec in conjunction with my logserver. Over the last couple
> of years I've used a couple of different methods of alerting, one of
> which allowed me to filter by facility and priority such that anything
> that was marked as a facility of auth with a priority of warning or
> greater was sent to me.
>
> I'd like to implement something similar with sec (in addition to a tonne
> of rules as a catchall) and was thinking of doing the maths on the
> Syslog codes for this except then I noticed that the alerts I currently
> get from Sec don't show the syslog codes (<xx>) at the beginning of each
> log. My older methods of alerting used to be passed these codes at the
> beginning of every log (which I then stripped out in code) so I know
> that the logserver must be passing them to sec, but I'm not sure if I
> can use them with sec seeing as I've done nothing to filter them and yet
> sec doesn't show them in alerts and reports when working with $0.
>
> I've had a browse back through the archives for a couple of years but
> didn't see anything on this. Technically you're not matching patterns as
> much as matching syslog facilities and priorities but these in fact come
> out to a prefix which you can pattern match.
>
> Can anyone offer any feedback on filtering by specific facility and
> priority combinations in sec?
>
> -h
>
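The SingleWithSuppress rule from Risto's reply, modelled in Python as an added example (not code from the original mail or from SEC itself): it applies the rule's regex to constructed syslog-ng lines in the "$DATE $HOST [$FACILITY.$PRIORITY] $MSG" format and reproduces the 900-second suppression keyed by the rule's desc, so you can see which lines would trigger the mail action and which are silenced. Hostnames, timestamps and message texts are constructed.

```python
import re

# Regex and window taken from the SEC rule in the reply above.
PATTERN = re.compile(r"([\w\-\.]+)\s+\[kern\.(crit|alert|emerg)\]\s+(.+)")
WINDOW = 900  # seconds, from "window=900"


class SingleWithSuppress:
    """Minimal model of SEC's SingleWithSuppress: act on the first match with a
    given desc, then suppress further matches with the same desc for `window` s."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.active = {}  # desc -> time (seconds) at which suppression expires

    def feed(self, line, now):
        """Return (mail body, mail subject) if the action fires, else None."""
        m = PATTERN.search(line)
        if not m:
            return None                      # facility/level not of interest
        host, level, text = m.groups()       # $1, $2, $3 in the SEC rule
        desc = f"{level}-level kernel message from host {host}: {text}"
        expiry = self.active.get(desc)
        if expiry is not None and now < expiry:
            return None                      # same desc within the window: suppressed
        self.active[desc] = now + self.window
        return desc, f"{level} kernel message from {host}"  # pipe '%s' / mail -s


# Constructed sample log lines as (seconds since start, line); not real data.
SAMPLE = [
    (0,    "Jun 12 10:15:01 web1 [kern.crit] EXT4-fs error (device sda1): bad block"),
    (30,   "Jun 12 10:15:31 web1 [kern.crit] EXT4-fs error (device sda1): bad block"),
    (60,   "Jun 12 10:16:01 web1 [kern.info] eth0: link up"),
    (90,   "Jun 12 10:16:31 web1 [daemon.crit] ntpd: no servers reachable"),
    (120,  "Jun 12 10:17:01 db1 [kern.alert] Out of memory: Kill process 4242 (mysqld)"),
    (180,  "Jun 12 10:18:01 db1 [kern.emerg] Kernel panic - not syncing: fatal exception"),
    (1000, "Jun 12 10:31:41 web1 [kern.crit] EXT4-fs error (device sda1): bad block"),
]


def run(events, window=WINDOW):
    """Replay (time, line) events; return [(time, mail subject)] for fired actions."""
    rule = SingleWithSuppress(window)
    fired = []
    for t, line in events:
        hit = rule.feed(line, t)
        if hit:
            fired.append((t, hit[1]))
    return fired


if __name__ == "__main__":
    for t, subject in run(SAMPLE):
        print(f"t={t:>4}s  mail: {subject}")
```

The second crit line at 30 s is swallowed by the window, the kern.info and daemon.crit lines never match, and the repeat at 1000 s fires again because the 900-second window has expired.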
_______________________________________________
Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users