Hi,
Here are two messages:

# logger "Not enough disk space on the STUFF"
==> OK

if I try this one:

logger "2013-10-15T09:01:02+00:00 EditorServer UK01-ROFAP01: UK-W-UID0027222,Not enough disk space on this STUFF.,Local: 127.0.1.12,Local: 0035864B8D9C,Remote: ,Remote: 0.0.0.0,Remote: 000000000000,Unknown,OTHERS,,Begin: 2013-10-15 08:59:52,End: 2013-10-15 08:59:52,Occurrences: 1,Application: ,Location: Office,User: mr.miller,Domain: MYDOMAIN,Local Port 0,Remote Port 0,CIDS Signature ID: 0,CIDS Signature string: ,CIDS Signature SubID: 0,Intrusion URL: ,Intrusion Payload URL:"
==> NOK !!

2013/10/10 Rainer Gerhards <[email protected]>

> This strongly smells like the message is malformed, so that the msg field
> contains something different than what is expected. As a brute-force cure,
> this could work:
>
> if $rawmsg contains 'Not enough disk space' then :ommail:;mailBody
>
> Rainer
>
>
> On Thu, Oct 10, 2013 at 6:26 PM, David Lang <[email protected]> wrote:
>
> > could you show us what works from logger and a sample of the log message
> > that you would expect to not work?
> >
> > one quick thing, you should only define a template one time, you define
> > the template EDITOR-ONE multiple times
> >
> > David Lang
> >
> >
> > On Thu, 10 Oct 2013, marc dupont wrote:
> >
> > Hi,
> >> I'm trying to use the ommail module without success.
> >> I'm not able to have rsyslogd send an email when the message "Not enough
> >> disk space" is seen in the logs ...
> >> (but I can generate an event with logger and this time it sends an email)
> >>
> >> -I'm able to send an email, so it's not an email problem => OK
> >>
> >> -I can do a "logger test" which generates a log entry in /var/log/syslog
> >> and this is the only time that rsyslogd sees the pattern and sends an
> >> email using the appropriate template "70-ommail-settings.conf"
> >> below... BUT receiving the syslog messages does not send email...
> >>
> >> I'm trying to understand what is concerned ( log to local ? ("& ~") or
> >> other) ?
> >> I do not want to change the configuration *too much* in
> >> "/etc/rsyslog.conf"
> >> if possible because it's working and can generate dynamically the
> >> directories...
> >>
> >> What am I missing?
> >> Thanks all for your answers !!
> >>
> >> Marc.
> >> NB: rsyslogd is installed from Ubuntu 12.04.
> >>
> >>
> >> Here's my rsyslogd config :
> >>
> >> # cat /etc/rsyslog.conf |egrep -v '(^$|^#)' |more
> >> ---------------------------------------------------------------------------------
> >> $ModLoad imuxsock
> >> $ModLoad imklog
> >> $ModLoad imudp
> >> $UDPServerRun 514
> >> $template EDITOR-BIS,"/mnt/logs/EDITOR-BIS/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/EDITOR-BIS.log"
> >> # <== here in this log
> >> :fromhost-ip, isequal, "XXX.XX.XX.XX" -?EDITOR-BIS
> >> & ~
> >> $template EDITOR-ONE,"/mnt/logs/EDITOR-ONE/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/EDITOR-ONE.log"
> >> :fromhost-ip, isequal, "XXX.XX.XX.XX" -?EDITOR-ONE
> >> & ~
> >> $template EDITOR-ONE,"/mnt/logs/EDITOR-ONE/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/EDITOR-ONE.log"
> >> :fromhost-ip, isequal, "XXX.XX.XX.XX" -?EDITOR-ONE
> >> & ~
> >> $template EDITOR-ONE,"/mnt/logs/EDITOR-ONE/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/EDITOR-ONE.log"
> >> :fromhost-ip, isequal, "XXX.XX.XX.XX" -?EDITOR-ONE
> >> & ~
> >> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >> $RepeatedMsgReduction on
> >> $FileOwner syslog
> >> $FileGroup adm
> >> $FileCreateMode 0640
> >> $DirCreateMode 0755
> >> $Umask 0022
> >> $PrivDropToUser syslog
> >> $PrivDropToGroup syslog
> >> $WorkDirectory /var/spool/rsyslog
> >> $IncludeConfig /etc/rsyslog.d/*.conf
> >> ---------------------------------------------------------------------------------
> >>
> >> Below is the content of the files I created too :
> >>
> >> # cat /etc/rsyslog.d/60-mail-settings.conf |egrep -v '(^$|^#)' |more
> >> $ModLoad ommail
> >> $ActionMailSMTPServer XXX.XX.XX.XX
> >> $ActionMailSMTPPort 25
> >> $ActionMailFrom [email protected]
> >>
> >>
> >> # cat /etc/rsyslog.d/70-ommail-settings.conf |egrep -v '(^$|^#)' |more
> >> $IncludeConfig /etc/rsyslog.d/60-mail-settings.conf
> >> $ActionMailTo [email protected]
> >> $template mailSubject,"TEST Not enough disk space"
> >> $template mailBody,"Alert : Not enough disk space:\r\n%msg%"
> >> $ActionMailSubject mailSubject
> >> $ActionExecOnlyOnceEveryInterval 5
> >> if $msg contains 'Not enough disk space' then :ommail:;mailBody # <== what I want to 'grep'..
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> DON'T LIKE THAT.
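
One way to lay out the rule section so that it follows both suggestions made in the replies (each template defined once, the mail filter on $rawmsg), as an added example that is not part of the thread and not the posters' own configuration. It also places the mail rule ahead of the "& ~" rules, because rsyslog evaluates rules in the order they are read and a message discarded with "~" reaches no later rule; the e-mail addresses are placeholders and XXX.XX.XX.XX is the mask used in the thread.

```conf
# Added example in legacy rsyslog syntax. Placeholders: operator@example.net,
# rsyslog@example.net and the XXX.XX.XX.XX addresses masked in the thread.

$ModLoad imudp
$UDPServerRun 514
$ModLoad ommail

# Templates: each name is defined exactly once.
$template EDITOR-BIS,"/mnt/logs/EDITOR-BIS/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/EDITOR-BIS.log"
$template EDITOR-ONE,"/mnt/logs/EDITOR-ONE/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/EDITOR-ONE.log"
$template mailSubject,"TEST Not enough disk space"
$template mailBody,"Alert : Not enough disk space:\r\n%msg%"

# Mail rule first: the $ActionMail* settings apply to the next action only,
# so they sit directly in front of the ommail action.
$ActionMailSMTPServer XXX.XX.XX.XX
$ActionMailSMTPPort 25
$ActionMailFrom rsyslog@example.net
$ActionMailTo operator@example.net
$ActionMailSubject mailSubject
# At most one mail every 5 seconds; matches inside that window send nothing.
$ActionExecOnlyOnceEveryInterval 5
# $rawmsg is the message exactly as received, before it is split into
# hostname, tag and msg, so the match does not depend on the parser.
if $rawmsg contains 'Not enough disk space' then :ommail:;mailBody

# Per-host file rules afterwards. "& ~" discards the message once it has been
# written, so any rule placed after this point never sees these hosts.
:fromhost-ip, isequal, "XXX.XX.XX.XX" -?EDITOR-BIS
& ~
:fromhost-ip, isequal, "XXX.XX.XX.XX" -?EDITOR-ONE
& ~
```

With the 5-second interval, two test messages sent back to back produce a single mail, which is worth keeping in mind when comparing two logger runs.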

