How to check syslogs in (hopefully) real time for expressions?

Postby plastica on Fri Oct 28, 2005 5:04 pm

I am aware of some software packages that can monitor system logs using tail; however, one of the main reasons I am using rsyslog is to have the web interface/searching of the logs. I would like to set up a system where I am alerted/emailed when various expressions are found in the logs.

How can this be done with rsyslog using a MySQL DB as storage? I don't want to have to write to both a DB and plaintext files, as this is wasteful. I am sure a perl/php script could be written and put in crontab every n minutes to search for expressions in the DB, however this would get increasingly taxing as the syslog DB grows...

So... the end question is: is there some kind of change to rsyslog out there which would allow for realtime monitoring and alerting of the messages passing *through* rsyslog? Thanks
plastica
Average
Posts: 16
Joined: Fri Oct 28, 2005 4:55 pm

RE: How to check syslogs in (hopefully) real time for expressions?

Postby rgerhards on Fri Oct 28, 2005 5:39 pm

Well, it's partly supported. There are some limitations with the current release. First of all, we cannot yet do regular expressions on the message text. If that's required, it currently is a no-go. If you just look for a message string, that's fine (e.g. "error" or something like that). The next thing is that email functionality is not directly supported (sounds like a nice add-on...). You can work around this by using the execute-program action. I'll see that I get a few sample script lines - but as I am a really bad shell programmer, you need to make sure that it does not allow command execution/injection.

so what you can do is, use the property-based filters as follows

Code:
:msg,contains,"error" ^path-to-mailscript


Then, mailscript is something like this (again, you need to check the security ;)):

Code:
# printf rather than echo: a message that starts with "-n" or "-e" would
# otherwise be taken by echo as an option instead of printed
printf '%s\n' "$1" | mail -s "test syslogd" someone@example.net


I'll look into adding a send mail action, but it's currently a very busy time...

Rainer
rgerhards
Site Admin
Posts: 1282
Joined: Thu Feb 13, 2003 11:57 am

RE: How to check syslogs in (hopefully) real time for expressions?

Postby plastica on Fri Oct 28, 2005 5:54 pm

Well, the fact that I can at least do on-the-fly basic string checking is a great start. It can at least help to check for 'illegal' users and other common errors. I see what you mean about command injection... I will have to look into that myself as well.

This has been a good start, and an external mail script will work fine... no rush on the sendmail deal ;)
plastica

Postby plastica on Fri Oct 28, 2005 6:55 pm

So I tried your suggestion, and read the page on rsyslog.conf... however I'm still having issues. The configured property filters were not sending any emails, so I modified the script to just dump to a text file. I have repeatedly created errors or invalid users and reboots (and verified the events registered), however no output to the text file. Any suggestions as to the simple thing I am missing? Thanks



My rsyslog.conf
--------------------------------------------
# log all syslog messages from local host AND forwarding hosts to local MySQL instance (rsyslog)
*.* >127.0.0.1,rsyslog,rsyslog,#######DBPASS#######

:msg, contains, "invalid user" ^/usr/sbin/rsyslog_alerter
:msg, contains, "reboot" ^/usr/sbin/rsyslog_alerter
:msg, contains, "halt" ^/usr/sbin/rsyslog_alerter


My /usr/sbin/rsyslog_alerter
------------------------------------------

#!/bin/sh
# exit quietly if rsyslog passed no message text
# (the test must be quoted, or an empty $* makes "[ -z ]" always true
# and a message with spaces becomes a syntax error)
if [ -z "$*" ]
then
    exit
fi

# printf rather than echo, so a message starting with "-n" or "-e" is
# written literally instead of being parsed as an echo option
printf '%s\n' "$*" >> /tmp/rsyslog.alerts

------------------------------------------
Last edited by plastica on Tue Nov 01, 2005 4:40 pm, edited 1 time in total.
plastica
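Both the mailscript sketched by rgerhards above and the rsyslog_alerter script in the previous post pass the matching syslog message to a shell script as $1, and the thread flags command injection as the thing to watch. The script below is an added example written for this page; it is not code from the thread or from the rsyslog project. It shows the three controls a practitioner would want in such an alerter: the message is only ever expanded inside double quotes and written with printf (so shell metacharacters in a log line are never evaluated and a leading "-n" is not eaten as an option), control characters are stripped so a crafted line cannot inject fake records or terminal escapes into the alert file or the mail, and a per-minute counter stops a flood of lines containing the trigger word from turning the script into a mailbomb. The recipient address, state-file path, rate-limit value and length cap are assumed values, and SAMPLE_MSG is a constructed message, not a real log line.

```shell
#!/bin/sh
# Hardened alerter for rsyslog's execute-program action ("^/path/to/script").
# Added example, not code from the thread or from the rsyslog project.
# rsyslog invokes this with the matching message text as $1.
# Values marked "assumed" are choices made for this example, not rsyslog settings.

MAIL_TO="${MAIL_TO:-someone@example.net}"                 # assumed recipient
ALERT_LOG="${ALERT_LOG:-/tmp/rsyslog.alerts}"              # file used in the thread
STATE_FILE="${STATE_FILE:-/tmp/rsyslog_alerter.state}"     # assumed state file
MAX_PER_MIN="${MAX_PER_MIN:-20}"                           # assumed flood cap
MAX_LEN=1024                                               # assumed length cap

# Constructed sample (not a real log line): shell metacharacters, a leading
# "-n" that echo would swallow as an option, and an ANSI escape sequence.
SAMPLE_MSG='-n sshd[1234]: Invalid user `id` $(touch /tmp/pwned) from 10.0.0.5 '"$(printf '\033')"'[2J'

# The message is only ever expanded inside double quotes, so the shell never
# evaluates $(...) or backticks inside it. All control characters except tab
# are deleted so a crafted message cannot inject extra lines or terminal
# escapes into the alert file or the mail, and the result is truncated.
sanitize_msg() {
    printf '%s' "$1" | tr -d '\001-\010\012-\037\177' | cut -c1-"$MAX_LEN"
}

# Per-minute counter kept in a small state file. Returns 0 (true) once more
# than $2 alerts have been seen in the current minute, so a log flood that
# contains the trigger word cannot turn this script into a mailbomb.
# $3 is the window key; it defaults to the current minute and is a parameter
# only so the function can be exercised deterministically.
over_rate_limit() {
    state=$1; max=$2; now=${3:-$(date +%Y%m%d%H%M)}
    stamp=""; count=0
    if [ -f "$state" ]; then
        read -r stamp count < "$state" || :
    fi
    [ "$stamp" = "$now" ] || count=0
    count=$((count + 1))
    printf '%s %s\n' "$now" "$count" > "$state"
    [ "$count" -gt "$max" ]
}

alert() {
    msg=$(sanitize_msg "$1")
    [ -n "$msg" ] || return 0
    # printf, not echo: echo would treat a message starting with -n or -e
    # as its own options.
    printf '%s\n' "$msg" >> "$ALERT_LOG"
    over_rate_limit "$STATE_FILE" "$MAX_PER_MIN" && return 0
    # Fixed subject: message text never goes into -s, where a crafted line
    # could inject mail headers. The body travels on stdin.
    printf '%s\n' "$msg" | mail -s "rsyslog alert on $(uname -n)" "$MAIL_TO"
}

if [ "$#" -gt 0 ]; then
    alert "$1"
fi
```

Running `sh rsyslog_alerter "$SAMPLE_MSG"` appends the literal text, minus the escape byte, to the alert file and does not create /tmp/pwned; the same filter lines from the thread (`:msg, contains, "invalid user" ^/usr/sbin/rsyslog_alerter`) drive it unchanged. A message that merely contains the trigger word is still enough to make rsyslog run the script, so the rate limit, not the filter, is what bounds the cost of an attacker who can write to syslog.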

Postby plastica on Sun Oct 30, 2005 2:28 am

Anyone...? I must be missing something simple.
plastica

Postby plastica on Tue Nov 01, 2005 4:43 pm

So after starting rsyslog with debug options, I receive the following:

Starting system logger: Nov 1 10:39:04 (hostname) rsyslogd: unknown priority name ""

I know it has to do with the line :msg, contains, "invalid user" ^/usr/sbin/rsyslog_alerter as the error used to read:
Starting system logger: Nov 1 10:39:04 (hostname) rsyslogd: unknown priority name "sh"
before I renamed rsyslog_alerter.sh to just rsyslog_alerter.

Obviously I have some syntax incorrect? Any ideas what?
plastica

Postby rgerhards on Wed Nov 02, 2005 9:10 am

Mmmh... Could you post a larger chunk of the debug output - I need some more context to understand what is going on. All in all, the configuration looks good...

Please also post the output of rsyslogd -v

Rainer
rgerhards

Postby Guest on Thu Nov 03, 2005 6:43 pm

output of "rsyslogd -v" is "rsyslogd 1.0.1"...will get debug shortly
Guest

Postby rgerhards on Thu Nov 03, 2005 6:44 pm

ah! That's the problem. You need the development branch. Use 1.12.0 ;) Sorry, I forgot to mention...

Rainer
rgerhards

Postby plastica on Thu Nov 03, 2005 7:28 pm

heh, yes that might explain the lines:
cfline(:msg,contains,"invalid" ^/usr/sbin/rsyslog_alerter)
symbolic name: Called logerr, msg: unknown priority name ""
in my debug output.

I will try 1.12.0 and post how it goes.
plastica

Postby plastica on Thu Nov 03, 2005 7:53 pm

Compiled/installed 1.12.0... works like a charm! And it was worth the wait. I have to say, this is one of the most useful setups I've come across: having syslog messages in a dynamic format such as MySQL, and now being able to do on-the-fly alerts for specific words. It is going to make management a breeze, being able to manage past alerts with a web interface as well.

Thanks for all your help with this.
plastica

Postby rgerhards on Thu Nov 03, 2005 9:09 pm

I am glad it works! If you like it, help spread the word. I would also appreciate it if you could take a short moment and rate rsyslog at freshmeat.net ;)

Rainer
rgerhards
