MonitorWare Knowledge Base

Hello,

I would like to ask why if i enable the email alert configuration there we're no data inject to mysql database. Anyone encountered this problem?

Actually, I can receive an email alert but no logs can be display in phplogcon (web) the same what i've received from email

Please give me an idea on how to. Here's my configuration:
==========================
# for help with rsyslog configuration, visit
# http://www.rsyslog.com or the wiki at
# http://wiki.rsyslog.com

# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.

# Enable e-mail notification module with ommail
$ModLoad ommail.so
$ActionMailSMTPServer 123.123.123.123
$ActionMailFrom root@syslogmoh.com
$ActionMailTo operator@syslogmoh.com
$template mailSubject,"MOH Alert on %hostname%"
$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
# make sure we receive a mail only once in six
# hours (21,600 seconds ;))
#$ActionExecOnlyOnceEveryInterval 21600
$ActionExecOnlyOnceEveryInterval 60
# the if ... then ... mailBody must be on one line!
if $msg contains 'disk error then :ommail:;mailBody

# Enable MySQL module with ommysql
$ModLoad ommysql.so
$template phpsyslog,"insert into SystemEvents(host, facility, priority, level, tag, datetime, msg, seq) values ('%HOSTNAME%',%syslogfacility%,%syslogpriority%, '%sysloglevel%', '%syslogtag%', '%timereported:::date-mysql%', '%msg%', '%seq%')", SQL
$template phpsyslog,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql


*.* :ommysql:127.0.0.1,phpsyslog,username,password

$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # kernel logging (formerly provided by rklogd)


# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /rsyslog/spool # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
#$WorkDirectory /var/log/rsyslog/ # default location for work (spool) files
#$MainMsgQueueFileName mainq # set file name, also enables disk mode



# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
$ModLoad imtcp.so # load module
$InputTCPServerRun 514 # start up TCP listener at port 514

# UDP Syslog Server:
$ModLoad imudp.so # provides UDP syslog reception
$UDPServerRun 514 # start a UDP syslog server at standard port 514

*.* ~ # discards everything

=======

Thank you in advanced.

--coroy


MODERATOR EDIT: turned off smilies for better readibility

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

Seems like you are missing a ' after 'disk error

I've also noticed that if you have the database statements after mail events they don't seem to want to work correctly. After putting all my database related config in front of the mailing, everything started working again. But, maybe I'm just missing something.

Just my 2¢

MPH

rgerhards wrote:do you see any error messages from rsyslogd itself in your logs (a quick look does not find anything wrong...)?

Thank you for all your reply.

Yes, i did a manual error logging from the remote pc that send error to rsyslog server. But, it wouldn't send an error messages to my databases. Eventually, the local message log from rsyslog server itself can inject data to mysql and also send an email. But from the error message coming from remote client can't inject to mysql, only sent an email directly.

This was i did a manual sending an error message to remote rsyslog server. I did this in my remote client pc.

# logger -t dhcpd -p error "error on DHCPD"

The error after the 'disk error', i already fix on it but it doesn't function to inject data to mysql.

Thanks

--coroy

froh wrote:Seems like you are missing a ' after 'disk error

Yes, i already fix but the same problem i have encountered.

Thank you

Coroy,
I had to adjust the order on my config file to get it to work the way I expected. I also was not finding any errors, just no input into my database.
Basically I'm doing the same thing with mine as you're doing with yours,
Double check me here, I haven't been using this all too long, but the jist of what I'm trying to get across is:
1) Load all modules first.
2) Define logging specific commands.
3) Define and initiate SQL related commands.
4) Define and initiate email related commands.
With that in mind, Try something like this:

Code: Select all

# for help with rsyslog configuration, visit
# http://www.rsyslog.com or the wiki at
# http://wiki.rsyslog.com

# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.

# Load All Modules Up Front.
# Enable e-mail notification module with ommail
$ModLoad ommail.so
# Enable MySQL module with ommysql
$ModLoad ommysql.so
$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # kernel logging (formerly provided by rklogd)
$ModLoad imtcp.so # load module
# UDP Syslog Server:
$ModLoad imudp.so # provides UDP syslog reception
$UDPServerRun 514 # start a UDP syslog server at standard port 514

# Setup Logging.
# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
$InputTCPServerRun 514 # start up TCP listener at port 514

# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /rsyslog/spool # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
#$WorkDirectory /var/log/rsyslog/ # default location for work (spool) files
#$MainMsgQueueFileName mainq # set file name, also enables disk mode

# Setup and initiate database commands.
$template phpsyslog,"insert into SystemEvents(host, facility, priority, level, tag, datetime, msg, seq) values ('%HOSTNAME%',%syslogfacility%,%syslogpriority%, '%sysloglevel%', '%syslogtag%', '%timereported:::date-mysql%', '%msg%', '%seq%')", SQL
$template phpsyslog,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql

*.* :ommysql:127.0.0.1,phpsyslog,username,password

# ######### Setup Email Events. ##########
$ActionMailSMTPServer 123.123.123.123
$ActionMailFrom root@syslogmoh.com
$ActionMailTo operator@syslogmoh.com
$template mailSubject,"MOH Alert on %hostname%"
$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
# make sure we receive a mail only once in six
# hours (21,600 seconds ;))
#$ActionExecOnlyOnceEveryInterval 21600
$ActionExecOnlyOnceEveryInterval 60
# the if ... then ... mailBody must be on one line!
if $msg contains 'disk error' then :ommail:;mailBody

*.* ~ # discards everything

Thank you very much MPH for your reply,

I'll try to do this procedure by then.

BTW, any idea on how to trap multiple messages coming from remote client? Like for example if i want my rsyslog server detect from remote client sending a messages to rsyslog server like 'dhcpd error', 'ip conflict', 'httpd error', etc.

Cause now in my rsyslog server, sometimes i received an error message from remote client even it is not a 'disk error' message it will send an email to me, but all the error.

I hope you can give some of idea on how to do this.

Thank you very much.

--coroy

rgerhards wrote:Could you provide me a sample with an order that does not work? I would like to see what causes the problem - most often the order issue turns out to be statements mixed together which should not go together. But if statements are used consistently, where a rule occurs should not make any difference (provided all modules are loaded).

Thanks,
Rainer

Rainer,
I can't right now. The only instance I have of rsyslog is on a production server for the firewall logs and I can't risk losing any more log entries. As soon as I can, I'll install it on another machine and play with it. I can tell you, to the best of my knowledge, I had the modules loaded at the top, the syslog statements, database, email in that order. Then I moved the email above the database and it quit logging to the database. I very well could have missed something, However, after re-arranging it to it's current state, I find it much easier to read, and maintain.

Best Regards,
MPH

coroy wrote:BTW, any idea on how to trap multiple messages coming from remote client? Like for example if i want my rsyslog server detect from remote client sending a messages to rsyslog server like 'dhcpd error', 'ip conflict', 'httpd error', etc.

Cause now in my rsyslog server, sometimes i received an error message from remote client even it is not a 'disk error' message it will send an email to me, but all the error.

There's more than one way to do this. For this purpose I will assume you don't care which remote machine it is. But you can parse it something like this:

Code: Select all

if $msg contains 'disk error' or $msg contains 'dhcpd error' or $msg contains 'ip conflict' or $msg contains 'httpd error' then :ommail:;mailBody

or like this:

Code: Select all

if $msg contains 'error' and ($msg contains 'dhcpd' or $msg contains 'httpd' or $msg contains 'disk') or $msg contains 'ip conflict' then :ommail:;mailBody

Your best bet is to read the documentation. It has some very good examples on how to do most anything you want. With a little reading and a little imagination, you'll soon be making it sing and dance.