| 1 |
Apparently, though unproven, at 00:25 on Tuesday 23 November 2010, Alex |
| 2 |
Schuster did opine thusly: |
| 3 |
|
| 4 |
> Stroller writes: |
| 5 |
> > All I want is a simple email notification when $string appears in the |
| 6 |
> > log. |
| 7 |
> > |
| 8 |
> > I'm actually a little surprised that there isn't a syslogger which can |
| 9 |
> > parse stuff as it writes it out, and thus perform actions, such as |
| 10 |
> > mailing. I'm assuming there isn't, since no-one has mentioned it. |
| 11 |
> |
| 12 |
> If you only neet to filter for single lines, I'd think every syslogger can |
| 13 |
> do this. I have this in /etc/metalog.conf: |
| 14 |
|
| 15 |
Assuming that the thing you are monitoring actually logs to syslog. Many |
| 16 |
don't, and just write their own log files to some arb place. |
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
> |
| 22 |
> ISDN calls : |
| 23 |
> facility = "kern" |
| 24 |
> regex = "isdn_tty: call from" |
| 25 |
> logdir = "/var/log/callers" |
| 26 |
> command = "/usr/local/sbin/ring.sh" |
| 27 |
> |
| 28 |
> Password failures : |
| 29 |
> regex = "(password|login|authentication)\s+(fail|invalid)" |
| 30 |
> regex = "(failed|invalid)\s+(password|login|authentication|user)" |
| 31 |
> regex = "ILLEGAL ROOT LOGIN" |
| 32 |
> logdir = "/var/log/pwdfail" |
| 33 |
> # command = "/usr/local/sbin/mail_pwd_failures.sh" |
| 34 |
> |
| 35 |
> The scripts get the syslog line as argument. However, the |
| 36 |
> mail_pwd_failures.sh script would be called twice because I get two |
| 37 |
> matching lines when I give a wrong password (one by pam_unix, one by |
| 38 |
> pam_authenticate). |
| 39 |
> |
| 40 |
> Wonko |
| 41 |
|
| 42 |
-- |
| 43 |
alan dot mckinnon at gmail dot com |
Archives