Stroller writes:

> All I want is a simple email notification when $string appears in the
> log.
>
> I'm actually a little surprised that there isn't a syslogger which can
> parse stuff as it writes it out, and thus perform actions, such as
> mailing. I'm assuming there isn't, since no-one has mentioned it.

If you only need to filter for single lines, I'd think every syslogger can
do this. I have this in /etc/metalog.conf:

ISDN calls :
  facility = "kern"
  regex = "isdn_tty: call from"
  logdir = "/var/log/callers"
  command = "/usr/local/sbin/ring.sh"

Password failures :
  regex = "(password|login|authentication)\s+(fail|invalid)"
  regex = "(failed|invalid)\s+(password|login|authentication|user)"
  regex = "ILLEGAL ROOT LOGIN"
  logdir = "/var/log/pwdfail"
  # command = "/usr/local/sbin/mail_pwd_failures.sh"

The scripts get the syslog line as argument. However, the
mail_pwd_failures.sh script would be called twice because I get two
matching lines when I give a wrong password (one by pam_unix, one by
pam_authenticate).

Wonko
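
An added example, not part of the post above and not metalog's own code: one way to write the mail_pwd_failures.sh handler so that the two lines logged per failed attempt produce a single mail. It assumes the log line arrives as the script's argument(s) and that a mailx-style `mail` command is installed; STATE, WINDOW and RCPT are hypothetical names.

```shell
#!/bin/sh
# Rate-limited mail handler for a metalog "command =" hook (added example).
# Assumptions: the matched log line is passed as argument(s); "mail" is mailx-compatible.
STATE="${STATE:-/var/run/pwdfail.last}"   # hypothetical path: epoch of the last mail sent
WINDOW="${WINDOW:-60}"                    # seconds in which further matches are folded together
RCPT="${RCPT:-root}"

# Log text is attacker-influenced (e.g. the attempted user name): keep printable
# ASCII only and cap the length before it is placed in a mail body.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -cd '\040-\176' | cut -c1-500
}

# Succeeds if no mail was sent in the last WINDOW seconds, and records $1 (epoch
# seconds) as the new send time. No lock is taken on purpose: if two handlers
# race, the worst case is a duplicate mail, whereas a stale lock would silence alerts.
should_notify() {
    now=$1
    last=0
    if [ -r "$STATE" ]; then read -r last < "$STATE" || :; fi
    case $last in ''|*[!0-9]*) last=0 ;; esac   # ignore an empty or corrupt state file
    [ $((now - last)) -ge "$WINDOW" ] || return 1
    printf '%s\n' "$now" > "$STATE"
}

notify() {
    line=$(sanitize "$1")
    should_notify "$(date +%s)" || return 0
    # Fixed subject; the log text travels on stdin as the body and is never
    # interpolated into a command line or passed to eval.
    printf 'Host: %s\nLog line: %s\n' "$(uname -n)" "$line" |
        mail -s "Password failure logged" "$RCPT"
}

# metalog invokes the script with the log line; join all arguments into one string.
if [ "$#" -gt 0 ]; then notify "$*"; fi
```

Suppressed lines are not lost: the `logdir` entry in the section still records every match under /var/log/pwdfail.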