Risto,
The problem I have is that previously I could see the syslog code
being prefixed to the message as it's passed out, the actual code, not a
string representation of it in the form:
<\d+> $DATE $HOST $MSG
This must have changed when I updated the syslog server but I've applied
a template to get it back to the above format for sec's purposes.
Now I can filter based on syslog codes which I am fine with.
Thanks
-h
Risto Vaarandi wrote:
> Hari,
>
> the problem you have can be easily solved, and I will post some
> examples at the end of this mail. The reason you are not seeing much
> in the list archives is that many sites are still using the standard
> UNIX syslog daemon. The standard syslogd has one widely-known
> deficiency -- although you can configure various processing schemes in
> /etc/syslog.conf based on message facility and level, the facility and
> level are *not* included in the final log message! This deficiency has
> been discussed in many papers about syslog, and I suppose that many
> example rules in the mailing list archive have been written for UNIX
> standard syslog.
>
> However, syslog-ng software suite (which is a well-known replacement
> for standard syslog) allows for configuring custom log message
> formats, and with the 'template' directive you can tell syslog-ng
> daemon to include facility and level in final log messages:
>
> destination my_messages { file("/var/log/messages" template("$DATE
> $HOST [$FACILITY.$PRIORITY] $MSG\n")); };
>
> The following SEC rule matches all kernel messages with crit, alert
> and emerg levels from the syslog-ng file described above, and sends a
> mail to the local root user. Note that repeated messages with the same
> level, host, and text are suppressed for 15 minutes, so your mailbox
> will not be flooded.
>
> type=SingleWithSuppress
> ptype=RegExp
> pattern=([\w\-\.]+)\s+\[kern\.(crit|alert|emerg)\]\s+(.+)
> desc=$2-level kernel message from host $1: $3
> action=pipe '%s' /bin/mail -s '$2 kernel message from $1' [EMAIL PROTECTED]
> window=900
>
> Hope that this example helps :)
> br,
> risto
>
>
> Hari Sekhon wrote:
>> Hi,
>>
>> I'm using Sec in conjunction with my logserver. Over the last
>> couple of years I've used a couple of different methods of alerting,
>> one of which allowed me to filter by facility and priority such that
>> anything that was marked as a facility of auth with a priority of
>> warning or greater was sent to me.
>>
>> I'd like to implement something similar with sec (in addition to a
>> tonne of rules as a catchall) and was thinking of doing the maths on
>> the Syslog codes for this except then I noticed that the alerts I
>> currently get from Sec don't show the syslog codes (<xx>) at the
>> beginning of each log. My older methods of alerting used to be passed
>> these codes at the beginning of every log (which I then stripped out
>> in code) so I know that the logserver must be passing them to sec,
>> but I'm not sure if I can use them with sec seeing as I've done
>> nothing to filter them and yet sec doesn't show them in alerts and
>> reports when working with $0.
>>
>> I've had a browse back through the archives for a couple of years but
>> didn't see anything on this. Technically you're not matching patterns
>> as much as matching syslog facilities and priorities but these in
>> fact come out to a prefix which you can pattern match.
>>
>> Can anyone offer any feedback on filtering by specific facility and
>> priority combinations in sec?
>>
>> -h
>>
>
>
--
Hari Sekhon
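As an added example (not code from this thread, from SEC, or from syslog-ng), the two approaches discussed above side by side in Python: the arithmetic on the numeric <PRI> code that Hari mentions (facility = PRI div 8, severity = PRI mod 8, per RFC 3164), and a match on Risto's "$DATE $HOST [$FACILITY.$PRIORITY] $MSG" template, followed by a suppression window modelled on SEC's SingleWithSuppress. The sample log lines, the host name logsrv, the timestamps and the function names are all constructed for this illustration.

```python
import re
from typing import Optional

# Numeric-to-name tables. PRI = facility * 8 + severity (RFC 3164, 4.1.1).
# Facility names follow the syslog.conf(5) / syslog-ng conventions; codes
# 12-15 have no universally agreed name, so they are labelled by number here.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "facility12", "facility13",
    "facility14", "facility15",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Raw line as a relay hands it on: "<PRI>rest of message".
RAW_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Line written by the syslog-ng template in Risto's reply.
TEMPLATED_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<host>[\w\-\.]+)\s+"
    r"\[(?P<facility>\w+)\.(?P<severity>\w+)\]\s+"
    r"(?P<msg>.*)$"
)


def decode_pri(pri: int):
    """Split a numeric PRI into (facility_name, severity_name); None if out of range."""
    if not 0 <= pri <= 191:          # 23 * 8 + 7 is the largest legal value
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_line(line: str) -> Optional[dict]:
    """Parse either a raw '<PRI>...' line or a templated line; None if neither."""
    m = RAW_RE.match(line)
    if m:
        decoded = decode_pri(int(m.group(1)))
        if decoded is None:
            return None
        facility, severity = decoded
        return {"facility": facility, "severity": severity, "msg": m.group(2).strip()}
    m = TEMPLATED_RE.match(line)
    if m:
        if m.group("facility") not in FACILITIES or m.group("severity") not in SEVERITIES:
            return None
        return {"facility": m.group("facility"), "severity": m.group("severity"),
                "host": m.group("host"), "msg": m.group("msg")}
    return None


def matches(record: dict, facilities, worst_severity: str) -> bool:
    """True if the record is from one of `facilities` and at least as severe as
    `worst_severity`. Lower codes are more severe, so 'warning or greater'
    means severity code <= 4."""
    return (record["facility"] in facilities
            and SEVERITIES.index(record["severity"]) <= SEVERITIES.index(worst_severity))


class Suppressor:
    """Mimics SEC SingleWithSuppress: the first event with a given key fires,
    repeats within `window` seconds of that first event are dropped."""

    def __init__(self, window: int = 900):
        self.window = window
        self.seen = {}

    def fire(self, key: str, now: float) -> bool:
        last = self.seen.get(key)
        if last is not None and now - last < self.window:
            return False
        self.seen[key] = now
        return True


def select_alerts(lines, facilities, worst_severity: str, window: int = 900):
    """Run the facility/severity filter plus suppression over (timestamp, line)
    pairs and return the lines that would trigger an alert."""
    sup = Suppressor(window)
    alerts = []
    for ts, line in lines:
        rec = parse_line(line)
        if rec is None or not matches(rec, facilities, worst_severity):
            continue
        # Same key as the SEC desc: level, host and message text.
        key = f'{rec["facility"]}.{rec["severity"]} {rec.get("host", "")} {rec["msg"]}'
        if sup.fire(key, ts):
            alerts.append(line)
    return alerts


# Constructed sample input (not from the thread). PRI 36 = 4*8+4 = auth.warning,
# PRI 38 = 4*8+6 = auth.info; the last line repeats the first after the window.
SAMPLE = [
    (0,    "<36>sshd[1234]: Failed password for root from 192.0.2.10"),
    (10,   "<38>sshd[1234]: Accepted publickey for hari"),
    (20,   "<36>sshd[1234]: Failed password for root from 192.0.2.10"),   # suppressed
    (30,   "<999>bogus priority"),                                        # out of range
    (40,   "Jun 10 12:00:01 logsrv [kern.crit] Out of memory: kill process 4242"),
    (50,   "Jun 10 12:00:02 logsrv [kern.info] eth0: link up"),
    (1000, "<36>sshd[1234]: Failed password for root from 192.0.2.10"),   # fires again
]

if __name__ == "__main__":
    for line in select_alerts(SAMPLE, {"auth", "authpriv"}, "warning"):
        print("ALERT:", line)
```

Running it alerts on the auth.warning line at t=0 and again at t=1000, drops the t=20 repeat and the auth.info line, rejects the out-of-range PRI, and ignores the kern lines because kern is not in the facility set; calling select_alerts with {"kern"} and "crit" instead picks out only the kern.crit line, which is what Risto's SEC rule does.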
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users