Configuring syslog-ng to email messages

How to use it?

   Simply copy all the syslog-ng configuration directives that follow as-is, to a text editor, then edit them to fit your environment, then put the resulting text on the BigIP under /config, as a file named for example: /config/syslog-ng-email.inc. You then would need to add that configuration to syslog-ng by running the following command: bpsh < /config/syslog-ng-email.inc  That also restarts syslog-ng, so the new configuration is applied right away. For detailed information about customizing syslog-ng via bpsh and syslog include, please refer to this article: <wiki article>

How does it work?

   When syslog-ng first parses this configuration, it will start the program we specified in our d_email destination stanza. The program in question is /usr/sbin/sendmail –bs, which is no B.S! It is actually the Postfix SMTP server, which would be started in standalone daemon mode. Later when a message arrives that matches our filter, syslog-ng will use the template to feed the mail via SMTP protocol to Postfix. You have full access to every aspect of the email, via the template. You can set the subject, the body, add any extra headers you wish, such as: X-headers. You can insert any of the syslog-ng defined macros, anywhere you  like. For more information, please see the The syslog-ng Administrator Guide. If for whatever reason the SMTP server process exits, syslog-ng will restart it, but only one copy is ever executed, no matter how many messages are being emailed.

Please note the following:

  1. All double-quotes in the configuration file should be escaped with a back-slash, except for the very first one and the very last one. Of course this escaping is only needed because we are submitting the configuration via bpsh.
  2. The sources listed in the log stanza might be incomplete, you need to find and add any missing sources from your BigIP’s /etc/syslog-ng/syslog-ng.conf. If you do not, you would miss all the messages that would originate from those other sources.
  3. The example filter applied here simply matches any log messages containing the string: monitor. You should replace it to be any valid syslog-ng filter you need.
  4. We highly recommend that you comment out the d_email destination in your log stanza during development of your stanzas, and instead use d_log_file destination. Only enable the email destination when have confirmed that your filter catches exactly the messages that you need it to catch and no more. Imagine a filter that catches every message, that would cause an email to be sent for every syslog message the system receives, furthermore, every email sent would cause Postfix to generate several syslog messages! Very quickly, thousands of emails would be generated and your mail server admins would be knocking at your door. d_log_file could be defined like this:

destination d_log_file { file(\"/var/log/syslog-email-config.log\"); };

  1. We are starting our program with shell redirection, so we capture its standard output, and more importantly, its standard error output. Postfix will send all its responses our SMTP commands to its standard error output. So look at that file, in this case: /var/log/syslog-ng-sendmail.log, while developing your configuration. Remove the shell redirection before going live, as that file will grow big very quickly, and there are no configurations in place to rotate or clean it up. The destination stanza would then be:

destination d_email {
  program(\"/usr/sbin/sendmail -bs\" ts_format(\"rfc3339\") template(t_smtp));
};

6.       The Postfix server process will accept the mail and inject into the queue even if the Postfix system is down. Next time Postfix is started, all queued mail will be delivered, so be careful.

o    To inspect the Postfix queue use the command: postqueu –p

o    To forcibly empty the queue:  postsuper -dALL

The configuration (Please replace <TEXT> as appropriate):

syslog include "

template t_smtp {
 template_escape(no);
 template(\"NOOP
HELO localhost
MAIL From: <FROM ADDRESS>
RCPT To: <TO ADDRESS>
DATA
Date: $R_STAMP
From: <FROM ADDRESS>
To: <TO ADDRESS>
Subject: <THE SUBJECT OF THE EMAIL>

$S_DATE [$FACILITY:$PRIORITY] $MSG
.
\");

};

filter f_test {
  match(\"monitor\") ;
};

destination d_email {
  program(\"/usr/sbin/sendmail -bs > /var/log/syslog-ng-sendmail.log 2>&1\"
          ts_format(\"rfc3339\")
          template(t_smtp)
  );
};

log {
   source(local);source(s_bcm56xxd);source(s_tomcat4);source(s_tmm);
   destination(d_email);
   filter(f_test);
};
"

Published Apr 25, 2008
Version 1.0
news
tech tip

Was this article helpful?

No CommentsBe the first to comment