| 1 |
Stroller writes: |
| 2 |
|
| 3 |
> All I want is a simple email notification when $string appears in the |
| 4 |
> log. |
| 5 |
> |
| 6 |
> I'm actually a little surprised that there isn't a syslogger which can |
| 7 |
> parse stuff as it writes it out, and thus perform actions, such as |
| 8 |
> mailing. I'm assuming there isn't, since no-one has mentioned it. |
| 9 |
|
| 10 |
If you only neet to filter for single lines, I'd think every syslogger can |
| 11 |
do this. I have this in /etc/metalog.conf: |
| 12 |
|
| 13 |
ISDN calls : |
| 14 |
facility = "kern" |
| 15 |
regex = "isdn_tty: call from" |
| 16 |
logdir = "/var/log/callers" |
| 17 |
command = "/usr/local/sbin/ring.sh" |
| 18 |
|
| 19 |
Password failures : |
| 20 |
regex = "(password|login|authentication)\s+(fail|invalid)" |
| 21 |
regex = "(failed|invalid)\s+(password|login|authentication|user)" |
| 22 |
regex = "ILLEGAL ROOT LOGIN" |
| 23 |
logdir = "/var/log/pwdfail" |
| 24 |
# command = "/usr/local/sbin/mail_pwd_failures.sh" |
| 25 |
|
| 26 |
The scripts get the syslog line as argument. However, the |
| 27 |
mail_pwd_failures.sh script would be called twice because I get two |
| 28 |
matching lines when I give a wrong password (one by pam_unix, one by |
| 29 |
pam_authenticate). |
| 30 |
|
| 31 |
Wonko |
Archives