Apparently, though unproven, at 00:25 on Tuesday 23 November 2010, Alex Schuster did opine thusly:
> Stroller writes:
>
> > All I want is a simple email notification when $string appears in the
> > log.
> >
> > I'm actually a little surprised that there isn't a syslogger which can
> > parse stuff as it writes it out, and thus perform actions, such as
> > mailing. I'm assuming there isn't, since no-one has mentioned it.
>
> If you only need to filter for single lines, I'd think every syslogger can
> do this. I have this in /etc/metalog.conf:

Assuming that the thing you are monitoring actually logs to syslog. Many don't, and just write their own log files to some arb place.

>
> ISDN calls :
>   facility = "kern"
>   regex = "isdn_tty: call from"
>   logdir = "/var/log/callers"
>   command = "/usr/local/sbin/ring.sh"
>
> Password failures :
>   regex = "(password|login|authentication)\s+(fail|invalid)"
>   regex = "(failed|invalid)\s+(password|login|authentication|user)"
>   regex = "ILLEGAL ROOT LOGIN"
>   logdir = "/var/log/pwdfail"
> # command = "/usr/local/sbin/mail_pwd_failures.sh"
>
> The scripts get the syslog line as argument. However, the
> mail_pwd_failures.sh script would be called twice because I get two
> matching lines when I give a wrong password (one by pam_unix, one by
> pam_authenticate).
>
> Wonko

--
alan dot mckinnon at gmail dot com
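An added example, not part of the thread and not any poster's own script: a hypothetical `mail_pwd_failures.sh` that collapses the burst of matching lines described above into a single mail. It assumes the logger passes the matched line as command arguments, as the quoted post says; `STATE_DIR`, `WINDOW`, `RCPT` and the availability of `mail(1)` are assumptions.

```shell
#!/bin/sh
# Hypothetical mail_pwd_failures.sh (added example, not from the thread).
# Assumed settings: STATE_DIR, WINDOW, RCPT, and a working mail(1).
STATE_DIR="${STATE_DIR:-/var/run/pwdfail}"
WINDOW="${WINDOW:-30}"     # seconds during which further matches send no mail
RCPT="${RCPT:-root}"

# should_notify NOW: return 0 if a mail should go out at epoch time NOW,
# 1 if one was already sent less than WINDOW seconds earlier.
should_notify() {
    now=$1
    stamp="$STATE_DIR/last_sent"
    mkdir -p "$STATE_DIR" || return 0    # fail open: a duplicate beats silence
    last=0
    if [ -r "$stamp" ]; then
        read -r last < "$stamp" || last=0
    fi
    case $last in ''|*[!0-9]*) last=0 ;; esac    # ignore a corrupt stamp
    if [ $((now - last)) -lt "$WINDOW" ]; then
        return 1
    fi
    printf '%s\n' "$now" > "$stamp"
    return 0
}

# build_body LINE: mail body. The log line is attacker-influenced text, so it
# is only ever passed as printf data, never evaluated or used as a format.
build_body() {
    printf 'Password failure logged on %s:\n\n%s\n' "$(uname -n)" "$1"
}

main() {
    line="$*"                            # join whatever arguments the logger passed
    [ -n "$line" ] || return 0
    if should_notify "$(date +%s)"; then
        build_body "$line" | mail -s "password failure" "$RCPT"
    fi
}

# Run only when invoked with arguments, i.e. by the logger.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Lines that arrive inside the window send no mail but are still written to the `logdir` configured for the rule, so nothing is lost from the record.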

