add

*.* /var/log/rsyslog-props;RSYSLOG_DebugFormat

to the top of your rsyslog.conf, rerun your test and submit this file for review.

Rainer

On Tue, Oct 15, 2013 at 10:58 AM, marc dupont <[email protected]> wrote:

> Hi,
>
> Here are two messages:
>
> # logger "Not enough disk space on the STUFF"
> ==> OK
>
> if I try this one:
> logger "2013-10-15T09:01:02+00:00 EditorServer UK01-ROFAP01: UK-W-UID0027222,Not enough disk space on this STUFF.,Local: 127.0.1.12,Local: 0035864B8D9C,Remote: ,Remote: 0.0.0.0,Remote: 000000000000,Unknown,OTHERS,,Begin: 2013-10-15 08:59:52,End: 2013-10-15 08:59:52,Occurrences: 1,Application: ,Location: Office,User: mr.miller,Domain: MYDOMAIN,Local Port 0,Remote Port 0,CIDS Signature ID: 0,CIDS Signature string: ,CIDS Signature SubID: 0,Intrusion URL: ,Intrusion Payload URL:"
> ==> NOK !!
>
> 2013/10/10 Rainer Gerhards <[email protected]>
>
> > This strongly smells like the message is malformed, so that the msg field
> > contains something different than what is expected. As a brute-force cure,
> > this could work:
> >
> > if $rawmsg contains 'Not enough disk space' then :ommail:;mailBody
> >
> > Rainer
> >
> > On Thu, Oct 10, 2013 at 6:26 PM, David Lang <[email protected]> wrote:
> >
> > > could you show us what works from logger and a sample of the log message
> > > that you would expect to not work?
> > >
> > > one quick thing, you should only define a template one time, you define
> > > the template EDITOR-ONE multiple times
> > >
> > > David Lang
> > >
> > > On Thu, 10 Oct 2013, marc dupont wrote:
> > >
> > >> Hi,
> > >> I'm trying to use the ommail module without success.
> > >> I'm not able to have rsyslogd send an email when the message "Not enough
> > >> disk space" is seen in the logs ...
> > >> (but I can generate an event with logger and this time it sends an email)
> > >>
> > >> -I'm able to send an email, so it's not an email problem => OK
> > >>
> > >> -I can do a "logger test" which generates a log entry in /var/log/syslog
> > >> and this is the only time that rsyslogd sees the pattern and sends an
> > >> email using the appropriate template "70-ommail-settings.conf"
> > >> below... BUT receiving the syslog messages does not send email...
> > >>
> > >> I'm trying to understand what is concerned ( log to local ? ("& ~") or
> > >> other) ?
> > >> I do not want to change the configuration *too much* in
> > >> "/etc/rsyslog.conf"
> > >> if possible because it's working and can generate dynamically the
> > >> directories...
> > >>
> > >> What am I missing?
> > >> Thanks all for your answers !!
> > >>
> > >> Marc.
> > >> NB: rsyslogd is installed from ubuntu 12.04.
> > >>
> > >>
> > >> Here's my rsyslogd config :
> > >>
> > >> # cat /etc/rsyslog.conf |egrep -v '(^$|^#)' |more
> > >> ------------------------------------------------------------
> > >> $ModLoad imuxsock
> > >> $ModLoad imklog
> > >> $ModLoad imudp
> > >> $UDPServerRun 514
> > >> $template EDITOR-BIS,"/mnt/logs/EDITOR-BIS/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/EDITOR-BIS.log"
> > >> # <== here in this log
> > >> :fromhost-ip, isequal, "XXX.XX.XX.XX" -?EDITOR-BIS
> > >> & ~
> > >> $template EDITOR-ONE,"/mnt/logs/EDITOR-ONE/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/EDITOR-ONE.log"
> > >> :fromhost-ip, isequal, "XXX.XX.XX.XX" -?EDITOR-ONE
> > >> & ~
> > >> $template EDITOR-ONE,"/mnt/logs/EDITOR-ONE/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/EDITOR-ONE.log"
> > >> :fromhost-ip, isequal, "XXX.XX.XX.XX" -?EDITOR-ONE
> > >> & ~
> > >> $template EDITOR-ONE,"/mnt/logs/EDITOR-ONE/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/EDITOR-ONE.log"
> > >> :fromhost-ip, isequal, "XXX.XX.XX.XX" -?EDITOR-ONE
> > >> & ~
> > >> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> > >> $RepeatedMsgReduction on
> > >> $FileOwner syslog
> > >> $FileGroup adm
> > >> $FileCreateMode 0640
> > >> $DirCreateMode 0755
> > >> $Umask 0022
> > >> $PrivDropToUser syslog
> > >> $PrivDropToGroup syslog
> > >> $WorkDirectory /var/spool/rsyslog
> > >> $IncludeConfig /etc/rsyslog.d/*.conf
> > >> ------------------------------------------------------------
> > >>
> > >> Below the content of files I created too :
> > >>
> > >> # cat /etc/rsyslog.d/60-mail-settings.conf |egrep -v '(^$|^#)' |more
> > >> $ModLoad ommail
> > >> $ActionMailSMTPServer XXX.XX.XX.XX
> > >> $ActionMailSMTPPort 25
> > >> $ActionMailFrom [email protected]
> > >>
> > >>
> > >> # cat /etc/rsyslog.d/70-ommail-settings.conf |egrep -v '(^$|^#)' |more
> > >> $IncludeConfig /etc/rsyslog.d/60-mail-settings.conf
> > >> $ActionMailTo [email protected]
> > >> $template mailSubject,"TEST Not enough disk space"
> > >> $template mailBody,"Alert : Not enough disk space:\r\n%msg%"
> > >> $ActionMailSubject mailSubject
> > >> $ActionExecOnlyOnceEveryInterval 5
> > >> if $msg contains 'Not enough disk space' then :ommail:;mailBody # <== what I want to 'grep'..
> > >> _______________________________________________
> > >> rsyslog mailing list
> > >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > >> http://www.rsyslog.com/professional-services/
> > >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > >> DON'T LIKE THAT.

