Found it. For anyone else attempting to do this: you will need to define a unique mailSubject for each block, or you end up with the mailSubject from the first block.

On Fri, Dec 21, 2012 at 11:37 AM, Paul Fontenot <[email protected]> wrote:

> I must be missing something then, when I add the additional blocks I
> receive the emails as expected but the subject line is the same as the
> first block.
>
> Here are the actual contents of 01-ommail.conf
>
> ### This should send email alerts for sudo events ####
>
> $ModLoad ommail
>
> $ActionMailSMTPServer <SERVER>
> $ActionMailFrom <FROM>
> $ActionMailTo <TO>
> $template mailSubject,"%hostname% - SUDO alert"
> $template mailBody,"RSYSLOG Alert from %hostname%\r\nmsg='%msg%'"
> $ActionMailSubject mailSubject
>
> # the if ... then ... mailBody must be on one line!
> if $programname == 'sudo' and $msg contains 'COMMAND' then :ommail:;mailBody
> $ActionExecOnlyOnceEveryInterval 0
>
> $ActionMailSMTPServer <SERVER>
> $ActionMailFrom <FROM>
> $ActionMailTo <TO>
> $template mailSubject,"%hostname% - ROOT session opened"
> $template mailBody,"RSYSLOG Alert from %hostname%\r\nmsg='%msg%'"
> $ActionMailSubject mailSubject
>
> # the if ... then ... mailBody must be on one line!
> if $programname == 'su' and $msg contains 'session opened for user root' then :ommail:;mailBody
> $ActionExecOnlyOnceEveryInterval 0
>
> $ActionMailSMTPServer <SERVER>
> $ActionMailFrom <FROM>
> $ActionMailTo <TO>
> $template mailSubject,"%hostname% - ROOT session closed"
> $template mailBody,"RSYSLOG Alert from %hostname%\r\nmsg='%msg%'"
> $ActionMailSubject mailSubject
>
> # the if ... then ... mailBody must be on one line!
> if $programname == 'su' and $msg contains 'session closed for user root' then :ommail:;mailBody
> $ActionExecOnlyOnceEveryInterval 0
>
> On Fri, Dec 21, 2012 at 10:55 AM, Rainer Gerhards <[email protected]> wrote:
>
>> yup
>>
>> Sent from phone, thus brief.
>>
>> Paul Fontenot <[email protected]> wrote:
>> Thank you for the quick response, just for clarification if I do this
>>
>> $ModLoad ommail
>>
>> $ActionMailSMTPServer <SERVER>
>> $ActionMailFrom <FROM_EMAIL>
>> $ActionMailTo <TO_EMAIL>
>> $template mailSubject,"%hostname% - Accepted publickey"
>> $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
>> $ActionMailSubject mailSubject
>> $ActionExecOnlyOnceEveryInterval 5
>> # the if ... then ... mailBody must be on one line!
>> if $msg contains 'Accepted publickey' then :ommail:;mailBody
>>
>> then multiple email notifications could be done like this
>>
>> $ModLoad ommail
>>
>> $ActionMailSMTPServer <SERVER>
>> $ActionMailFrom <FROM_EMAIL>
>> $ActionMailTo <TO_EMAIL>
>> $template mailSubject,"%hostname% - Root session opened"
>> $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
>> $ActionMailSubject mailSubject
>> $ActionExecOnlyOnceEveryInterval 5
>> # the if ... then ... mailBody must be on one line!
>> if $msg contains 'session opened for user root' then :ommail:;mailBody
>>
>> $ActionMailSMTPServer <SERVER>
>> $ActionMailFrom <FROM_EMAIL>
>> $ActionMailTo <TO_EMAIL>
>> $template mailSubject,"%hostname% - Root session closed"
>> $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
>> $ActionMailSubject mailSubject
>> $ActionExecOnlyOnceEveryInterval 5
>> # the if ... then ... mailBody must be on one line!
>> if $msg contains 'session closed for user root' then :ommail:;mailBody
>>
>> On Fri, Dec 21, 2012 at 10:04 AM, Rainer Gerhards <[email protected]> wrote:
>>
>> > Just repeat the complete action as often as you need. The "complete"
>> > action is the action statement itself as well as all param settings in
>> > front of it.
>> >
>> > rainer
>> >
>> > > -----Original Message-----
>> > > From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Paul Fontenot
>> > > Sent: Friday, December 21, 2012 6:01 PM
>> > > To: Rsyslog List
>> > > Subject: [rsyslog] ommail configuration
>> > >
>> > > Using rsyslog-5.8.10-2.el6.x86_64
>> > >
>> > > I currently have this working well for a single event, my question is can
>> > > it be used for multiple events? Meaning, if I set it up to send email for
>> > > messages that contain "session opened for root" with a subject of "Root
>> > > session opened" can I also set it up for "session closed for root" with a
>> > > subject of "Root session closed"?
>> > >
>> > > I have found numerous links that point to persons attempting something like
>> > > this but no definitive answer on how to do it or if it even works. Any
>> > > information would be greatly appreciated.
>> > > _______________________________________________
>> > > rsyslog mailing list
>> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
>> > > http://www.rsyslog.com/professional-services/
>> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
>> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>> > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
>> > > if you DON'T LIKE THAT.
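
A pre-deployment check for the problem reported at the top of this thread, as an added example (not code from the thread or from the rsyslog project): it scans a legacy-format rsyslog config for `$template` names that are defined more than once with different text. The sample config is constructed from the thread's `01-ommail.conf`, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's 01-ommail.conf (two of its blocks).
SAMPLE_CONF = r'''$ModLoad ommail
$template mailSubject,"%hostname% - ROOT session opened"
$template mailBody,"RSYSLOG Alert from %hostname%\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
if $programname == 'su' and $msg contains 'session opened for user root' then :ommail:;mailBody
$template mailSubject,"%hostname% - ROOT session closed"
$template mailBody,"RSYSLOG Alert from %hostname%\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
if $programname == 'su' and $msg contains 'session closed for user root' then :ommail:;mailBody
'''

# Legacy syntax: $template NAME,"text"[,options]
TEMPLATE_RE = re.compile(r'^\s*\$template\s+([^,\s]+)\s*,\s*(.+?)\s*$', re.IGNORECASE)


def template_definitions(conf_text):
    """Map each template name to a list of (line_number, definition_text)."""
    defs = defaultdict(list)
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        match = TEMPLATE_RE.match(line)
        if match:
            defs[match.group(1)].append((line_no, match.group(2)))
    return defs


def conflicting_templates(conf_text):
    """Return {name: [line numbers]} for names redefined with different text.

    Per the thread, every alert then carries the subject from the first
    block. Identical redefinitions (mailBody in the sample) are skipped,
    because each block gets the same text either way.
    """
    conflicts = {}
    for name, items in template_definitions(conf_text).items():
        if len({text for _, text in items}) > 1:
            conflicts[name] = [line_no for line_no, _ in items]
    return conflicts


if __name__ == "__main__":
    for name, lines in conflicting_templates(SAMPLE_CONF).items():
        print(f"template {name!r} redefined with different text on lines {lines}")
```

Giving each block its own subject template name, as the top post describes, makes the check return an empty result.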

