[logs] Re: swatchrc emailing works!!!!

From: Jeremy Mates (jmatesat_private)
Date: Tue Jan 07 2003 - 12:27:09 PST


    * swatch swatch <swatch_5at_private> [2003-01-07T11:58-0800]:
    > # Bad login attempts
    > watchfor        /Failed/
    >                echo bold
    >                exec echo $0 | mail -s 'Authentication Failure' meat_private
    
    I currently use the following template for "important things" rules:
    
    watchfor /.../
      mail=user,subject=LW: CATEGORY (info|notice|warn): description
      throttle 30:00,use=regex
    
    LW is short for "Log Watch", which makes mail subject
    filtering/sorting easy for either humans or code.  CATEGORY is
    something like 'mail' or 'printing' or 'security' to easily
    distinguish messages into various large groups (mail, printing, etc.).
    The three levels provide additional rating to the message, and the
    description provides details of the match in the subject.  This leads
    to inbox contents along the lines of:
    
    LW: disk (notice): RAIDZONE drive warning
    LW: user (info): password update
    LW: security (warn): bad su
    
    I have found throttling very important, especially when something goes
    berserk and you end up with 10,000 new messages in your inbox come
    morning.  (Having your log notification service DoS your email service
    and thus generate additional email warnings could be a Bad Thing.)
    
    -- 
    Jeremy Mates                                        http://www.sial.org/
    
    OpenPGP: 0x11C3D628  (4357 1D47 FF78 24BB 0FBF 7AA8 A846 9F86 11C3 D628)
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
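The throttled "LW:" template described in the post, worked through in Python as an added example (this is not code from the post, nor from swatch itself). The rule set, the syslog lines and the 10,000-line burst are constructed for the example, and the regex-keyed throttle approximates what `throttle 30:00,use=regex` does in swatch rather than reproducing its exact bookkeeping: one notice per rule per window, with the number of swallowed matches reported in the next notice so the suppression is visible rather than silent.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Throttle interval, mirroring the "throttle 30:00" in the swatchrc template above.
THROTTLE = timedelta(minutes=30)


@dataclass(frozen=True)
class Rule:
    """One 'watchfor' rule: a regex plus the fields that build the LW subject."""
    pattern: str
    category: str   # e.g. mail, printing, security, disk, user
    level: str      # info | notice | warn
    description: str


# Hypothetical rule set, constructed for this example (not from the post).
RULES = [
    Rule(r"Failed password|authentication failure", "security", "warn", "bad login"),
    Rule(r"su: .*FAILED", "security", "warn", "bad su"),
    Rule(r"passwd\[\d+\]: password changed", "user", "info", "password update"),
]


def subject_for(rule: Rule) -> str:
    """Build the 'LW: CATEGORY (level): description' subject line."""
    return f"LW: {rule.category} ({rule.level}): {rule.description}"


SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d:\d\d:\d\d) ")


def parse_ts(line: str, year: int = 2003) -> datetime:
    """Parse the classic syslog timestamp; the year is absent from the line, so it is supplied."""
    m = SYSLOG_TS.match(line)
    if m is None:
        raise ValueError(f"no syslog timestamp: {line!r}")
    return datetime.strptime(f"{year} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M:%S")


class Notifier:
    """Match log lines against rules and queue at most one mail per rule per throttle window."""

    def __init__(self, rules, throttle=THROTTLE):
        self.rules = [(re.compile(r.pattern), r) for r in rules]
        self.throttle = throttle
        self.last_sent = {}   # rule -> time of its last notice (keyed per regex, like use=regex)
        self.suppressed = {}  # rule -> matches swallowed since that notice
        self.outbox = []      # (subject, body) pairs a real deployment would hand to mail(1)

    def feed(self, line: str):
        """Process one log line; return the subject if a notice was queued, else None."""
        when = parse_ts(line)
        for regex, rule in self.rules:
            if not regex.search(line):
                continue
            last = self.last_sent.get(rule)
            if last is not None and when - last < self.throttle:
                # Inside the window: count it, but do not generate mail.
                self.suppressed[rule] = self.suppressed.get(rule, 0) + 1
                return None
            self.last_sent[rule] = when
            swallowed = self.suppressed.pop(rule, 0)
            body = line
            if swallowed:
                body += f"\n({swallowed} similar matches suppressed since the last notice)"
            subject = subject_for(rule)
            self.outbox.append((subject, body))
            return subject
        return None


def build_sample_log():
    """Constructed sample: a 10,000-line brute-force burst plus two unrelated events."""
    start = datetime(2003, 1, 7, 2, 0, 0)

    def stamp(t):
        return f"{t:%b} {t.day:2d} {t:%H:%M:%S}"   # syslog pads the day with a space

    lines = [
        f"{stamp(start + timedelta(seconds=i))} host sshd[{1000 + i}]: "
        f"Failed password for root from 10.0.0.{i % 250} port 2222 ssh2"
        for i in range(10_000)
    ]
    lines.append(f"{stamp(start + timedelta(minutes=65))} host su: FAILED SU (to root) jdoe on /dev/pts/1")
    lines.append(f"{stamp(start + timedelta(minutes=130))} host passwd[4242]: password changed for jdoe")
    return sorted(lines, key=parse_ts)


def run_demo():
    """Feed the sample log through the notifier and return the queued (subject, body) pairs."""
    notifier = Notifier(RULES)
    for line in build_sample_log():
        notifier.feed(line)
    return notifier.outbox


if __name__ == "__main__":
    for subject, body in run_demo():
        print(subject, "|", body.splitlines()[-1])
```

Because the throttle key is the rule's regex rather than the exact message text, the 10,000 failed logins from varying source addresses collapse to six notices (one per 30-minute window across the burst), while the "bad su" and "password update" events still go out promptly under their own subjects.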
    



    This archive was generated by hypermail 2b30 : Wed Jan 08 2003 - 08:49:07 PST