More from the config file:
The goal is to create a subject line with actionable verbiage based on
the content of the original message, and send it to a user.
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
$template TmplAuth, "/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
#$template asalog, "/var/log/ASA9/%HOSTNAME%.log"
template(name="asachangelog" type="string"
string="/var/log/ASA9/%HOSTNAME%.change.log")
template(name="asalog" type="string" string="/var/log/ASA9/%HOSTNAME%.log")
if $msg contains '622001' then ?asachangelog
if $msg contains 'ASA' then ?asalog
*#[ The above works to segregate messages containing 662001 into
hostASA.change.log file and the rest of the log messages from the ASA to
hostASA.log*
*What I want is to send email based on receipt of a new line in the
hostASA.change.log file.*
*Below, I can receive emails with built-in type directives. I want to
script some logic that will compose a subject line based on the content of
the original message.*
*Still working on the reinerspeak method. Legacy works.*
####
# Email alert section
#######
#module(load="ommail") # provides email capability
#template (name="mailSubject" type="string" string="%HOSTNAME% %msg%")
#if $msg contains "662001" then
# { action(type="ommail" server="mailman.cisco.com" port="25"
# mailfrom="root@%HOSTNAME%"
# #mailto="[email protected]"
# mailto="[email protected]"
# subject.template="mailSubject"
# action.execonlyonceeveryinterval="180")
# }
#############
#Legacy Mail Config
###########
$ModLoad ommail
$ActionMailSMTPServer mailman.cisco.com
#$ActionMailFrom rsyslog@%HOSTNAME%.cisco.com
$ActionMailFrom [email protected]
$ActionMailTo [email protected]
$ActionMailTo [email protected]
$ActionMailTo [email protected]
$ActionMailTo [email protected]
$template mailSubject, "'%HOSTNAME%' - '%TIMESTAMP%' - '%msg%'"
$ActionMailSubject mailSubject
$ActionMailEnableBody off
$ActionExecOnlyOnceEveryInterval 180
if $msg contains '622001' then :ommail:;mailSubject <-- *This works*.
-------------------------------------------------------------------------------------------
*This is where I hope to build the logic to create a new subject line based
on the message content. The below gives syntax errors. *
*The flow is:*
*If message contains 622001*
* If field 1 contains "Adding" && field 12 contains "outside" *
* build subject line "Adding route to Outside interface"*
* else*
* if field 1 contains "Removing" && field 12 contains "outside"*
* build subject line "Removed route from Outside interface"*
* else ...*
*fi*
*Send email with new subject line and $msg in body*
if $msg contains '622001' then :ommail:;newMailSubject
$template(name="addOrRemove" type="string" string="%msg:F,32:1%")
set $AorR = exec_template("addOrRemove")
$template(name="outOrBk" type="string" string="%msg:F,32:13%")
set $intName = exec_template("outOrBk")
$template newMailSubject, "'%HOSTNAME%' - '%TIMESTAMP%' - '%msg%' - '$AorR'"
$ActionExecOnlyOnceEveryInterval 0
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
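The flow described in the post (pick a subject from the first word and the interface name, then mail the original message as the body) can be written in RainerScript along these lines. This is an added example, not part of the original post and not the rsyslog project's own configuration. Assumptions: rsyslog v8 with local `$.` variables and the `field()` function, a placeholder mail relay and placeholder addresses, field numbers taken from the post's flow without being verified, and a fallback subject made up for illustration.

```rsyslog
# Added example (not from the original post).
module(load="ommail")

# The subject is assembled from a local variable set by the rules below.
template(name="routeSubject" type="string"
         string="%HOSTNAME% - %TIMESTAMP% - %$.subject%")

# The mail body carries the original message text.
template(name="routeBody" type="string" string="%msg%")

if $msg contains '622001' then {
    # Space-delimited fields (32 = ASCII space). Field numbers 1 and 12
    # follow the flow in the post; confirm them against a real log line,
    # since $msg often starts with a space, which shifts the numbering.
    set $.aorr = field($msg, 32, 1);
    set $.intf = field($msg, 32, 12);

    if $.aorr contains 'Adding' and $.intf contains 'outside' then {
        set $.subject = "Adding route to Outside interface";
    } else if $.aorr contains 'Removing' and $.intf contains 'outside' then {
        set $.subject = "Removed route from Outside interface";
    } else {
        # Constructed fallback so the subject is never empty.
        set $.subject = "Route tracking change (622001)";
    }

    # server, mailfrom and mailto are placeholders; substitute site values.
    action(type="ommail"
           server="smtp.example.com" port="25"
           mailfrom="rsyslog@example.com"
           mailto=["netops@example.com"]
           subject.template="routeSubject"
           body.enable="on"
           template="routeBody"
           action.execonlyonceeveryinterval="180")
}
```

Running `rsyslogd -N1` against the file checks the syntax before the daemon is restarted.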