I must be missing something then. When I add the additional blocks I receive the emails as expected, but the subject line is the same as the first block.
Here are the actual contents of 01-ommail.conf

### This should send email alerts for sudo events ####
$ModLoad ommail

$ActionMailSMTPServer <SERVER>
$ActionMailFrom <FROM>
$ActionMailTo <TO>
$template mailSubject,"%hostname% - SUDO alert"
$template mailBody,"RSYSLOG Alert from %hostname%\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
# the if ... then ... mailBody must be on one line!
if $programname == 'sudo' and $msg contains 'COMMAND' then :ommail:;mailBody
$ActionExecOnlyOnceEveryInterval 0

$ActionMailSMTPServer <SERVER>
$ActionMailFrom <FROM>
$ActionMailTo <TO>
$template mailSubject,"%hostname% - ROOT session opened"
$template mailBody,"RSYSLOG Alert from %hostname%\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
# the if ... then ... mailBody must be on one line!
if $programname == 'su' and $msg contains 'session opened for user root' then :ommail:;mailBody
$ActionExecOnlyOnceEveryInterval 0

$ActionMailSMTPServer <SERVER>
$ActionMailFrom <FROM>
$ActionMailTo <TO>
$template mailSubject,"%hostname% - ROOT session closed"
$template mailBody,"RSYSLOG Alert from %hostname%\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
# the if ... then ... mailBody must be on one line!
if $programname == 'su' and $msg contains 'session closed for user root' then :ommail:;mailBody
$ActionExecOnlyOnceEveryInterval 0

On Fri, Dec 21, 2012 at 10:55 AM, Rainer Gerhards <[email protected]> wrote:

> yup
>
> Sent from phone, thus brief.
>
> Paul Fontenot <[email protected]> wrote:
> Thank you for the quick response, just for clarification if I do this
>
> $ModLoad ommail
>
> $ActionMailSMTPServer <SERVER>
> $ActionMailFrom <FROM_EMAIL>
> $ActionMailTo <TO_EMAIL>
> $template mailSubject,"%hostname% - Accepted publickey"
> $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
> $ActionMailSubject mailSubject
> $ActionExecOnlyOnceEveryInterval 5
> # the if ... then ... mailBody must be on one line!
> if $msg contains 'Accepted publickey' then :ommail:;mailBody
>
> then multiple email notifications could be done like this
>
> $ModLoad ommail
>
> $ActionMailSMTPServer <SERVER>
> $ActionMailFrom <FROM_EMAIL>
> $ActionMailTo <TO_EMAIL>
> $template mailSubject,"%hostname% - Root session opened"
> $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
> $ActionMailSubject mailSubject
> $ActionExecOnlyOnceEveryInterval 5
> # the if ... then ... mailBody must be on one line!
> if $msg contains 'session opened for user root' then :ommail:;mailBody
>
> $ActionMailSMTPServer <SERVER>
> $ActionMailFrom <FROM_EMAIL>
> $ActionMailTo <TO_EMAIL>
> $template mailSubject,"%hostname% - Root session closed"
> $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
> $ActionMailSubject mailSubject
> $ActionExecOnlyOnceEveryInterval 5
> # the if ... then ... mailBody must be on one line!
> if $msg contains 'session closed for user root' then :ommail:;mailBody
>
> On Fri, Dec 21, 2012 at 10:04 AM, Rainer Gerhards <[email protected]> wrote:
>
> > Just repeat the complete action as often as you need. The "complete"
> > action is the action statement itself as well as all param settings in
> > front of it.
> >
> > rainer
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Paul Fontenot
> > > Sent: Friday, December 21, 2012 6:01 PM
> > > To: Rsyslog List
> > > Subject: [rsyslog] ommail configuration
> > >
> > > Using rsyslog-5.8.10-2.el6.x86_64
> > >
> > > I currently have this working well for a single event, my question is
> > > can it be used for multiple events? Meaning, if I set it up to send
> > > email for messages that contain "session opened for root" with a
> > > subject of "Root session opened" can I also set it up for "session
> > > closed for root" with a subject of "Root session closed"?
> > >
> > > I have found numerous links that point to persons attempting something
> > > like this but no definitive answer on how to do it or if it even works.
> > > Any information would be greatly appreciated.
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> > > if you DON'T LIKE THAT.

