rsyslog

# Add the severity to the default file format. The stock template carries only
# timestamp, host, tag and message, so "warning" vs "err" is not visible in
# /var/log/messages without it. The two %msg% modifiers reproduce the stock
# behaviour: insert a space if the message does not start with one, and drop a
# trailing line feed so every event stays on exactly one line.
template(name="alexlinux" type="string"
         string="%timegenerated% %HOSTNAME% %syslogseverity-text%  %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
        )
# NOTE(review): %HOSTNAME% is the host name carried in the message header, i.e.
# whatever the sender wrote. For events received over the network the
# receiver-side properties %fromhost% / %fromhost-ip% identify the actual peer
# and are the ones to rely on when a host name must be trusted.

# Same selector as the distribution's "messages" rule, now written with the template above.
*.info;mail.none;authpriv.none;cron.none                /var/log/messages;alexlinux

# JSON TEMPLATE FOR SHIPPING EVENTS TO LOGSTASH (one object per line, "\n" terminated).
#
# option.json="on" makes rsyslog JSON-escape every property value (quotes,
# backslashes, control characters). Keep it on: "message" and "rawmsg" are
# written by whoever can send syslog to this host, so without escaping a crafted
# message could close its string and add or overwrite fields in the event.
#
# Field notes (per rsyslog's property documentation):
#  - @timestamp is timegenerated, the time this relay received the event, not the
#    sender's own clock.
#  - host / logsource / host_ip come from fromhost and fromhost-ip, i.e. the peer the
#    message was received from, not the HOSTNAME field the sender put in the message.
#    That is the right choice when the host field is used for alerting or filtering.
#  - NOTE(review): rawmsg carries the complete original message, so every event is
#    shipped roughly twice; drop it if Logstash volume becomes a concern.
template(name="ls_json" type="list" option.json="on")
   { constant(value="{")
     constant(value="\"@timestamp\":\"")         property(name="timegenerated" dateFormat="rfc3339")
     constant(value="\",\"message\":\"")         property(name="msg")
     constant(value="\",\"host\":\"")            property(name="fromhost")
     constant(value="\",\"host_ip\":\"")         property(name="fromhost-ip")
     constant(value="\",\"logsource\":\"")       property(name="fromhost")
     constant(value="\",\"severity_label\":\"")  property(name="syslogseverity-text")
     constant(value="\",\"severity\":\"")        property(name="syslogseverity")
     constant(value="\",\"facility_label\":\"")  property(name="syslogfacility-text")
     constant(value="\",\"facility\":\"")        property(name="syslogfacility")
     constant(value="\",\"program\":\"")         property(name="programname")
     constant(value="\",\"pid\":\"")             property(name="procid")
     constant(value="\",\"rawmsg\":\"")          property(name="rawmsg")
     constant(value="\",\"syslogtag\":\"")       property(name="syslogtag")
     constant(value="\"}\n")
   }

=================================================================
/srv/scripts/logserver/logserver.sh

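#!/bin/bash
# THIS SCRIPT CHECKS FOR IMPORTANT CHANGES IN THE LOG FILES; IF NEW LINES APPEAR, AN EMAIL IS SENT.
#
# Intended to run periodically (cron) on the log server. It merges the interesting
# files into one sorted snapshot, compares it with the snapshot kept from the previous
# run and mails only the lines that are new.
#
# Security notes:
#  * Earlier versions kept every working file under fixed names in /tmp. On a shared
#    host any local user can pre-create or symlink those names, which lets them
#    suppress alerts (make the "previous" snapshot already match) or inject text into
#    the mail. The previous snapshot now lives in a private state directory and
#    scratch files come from mktemp.
#  * Log lines are untrusted input: anyone able to send syslog to this host controls
#    their content. They reach the HTML mail body only through pygmentize's HTML
#    formatter, which escapes HTML metacharacters; do not replace that step with cat.

set -u
umask 077                        # everything this script creates is private to its user
export LC_ALL=C                  # stable sort/diff ordering regardless of cron's locale

STATE_DIR=/var/lib/logserver     # survives reboots, unlike /tmp, and is not world-writable
LOG_ROOT=/var/log/logserver
PREV_SNAPSHOT="$STATE_DIR/summary.log.prev"
SUMMARY="$STATE_DIR/summary.txt" # last mailed diff, kept for inspection; empty when nothing changed
RECIPIENT=you@domain.ru

# Files worth alerting on. The severity files cover warning and above; notice, info
# and debug are deliberately left out.
LOG_FILES=(
    "$LOG_ROOT/apps/yum/yum.log"
    "$LOG_ROOT/apps/iptables/iptables.log"
    "$LOG_ROOT/severity/emerg/emerg.log"
    "$LOG_ROOT/severity/alert/alert.log"
    "$LOG_ROOT/severity/crit/crit.log"
    "$LOG_ROOT/severity/error/error.log"
    "$LOG_ROOT/severity/warning/warning.log"
)

mkdir -p -m 0700 "$STATE_DIR" || exit 1
# First run: an empty "previous" snapshot means every current line is reported as new.
[ -e "$PREV_SNAPSHOT" ] || : > "$PREV_SNAPSHOT" || exit 1

WORK_DIR=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK_DIR"' EXIT
CURRENT_SNAPSHOT="$WORK_DIR/summary.log"

# AGGREGATE LOGS TO ONE FILE. Sorted so the comparison does not depend on the order
# the files are listed in. A missing file is reported on stderr but does not abort the run.
cat -- "${LOG_FILES[@]}" | sort > "$CURRENT_SNAPSHOT"

# CHECK FOR DIFFERENCES BETWEEN THE CURRENT AND THE PREVIOUS SNAPSHOT. diff exits 0 only
# when the files are identical; 1 (differences) and 2 (error) both trigger a mail, as before.
if ! diff -q "$PREV_SNAPSHOT" "$CURRENT_SNAPSHOT" > /dev/null 2>&1
then
    # CREATE DIFF FOR EMAIL: only the added lines, verbatim (GNU diff line formats).
    # The previous "grep '^+[A-Z]' | sed s/+//g" pipeline silently dropped added lines
    # that did not start with a capital letter and deleted every '+' inside a line
    # (e.g. "+0300" timezones), not just the leading diff marker.
    diff --old-line-format= --unchanged-line-format= --new-line-format='%L' \
         "$PREV_SNAPSHOT" "$CURRENT_SNAPSHOT" > "$SUMMARY"
    cp -- "$CURRENT_SNAPSHOT" "$PREV_SNAPSHOT"
    pygmentize -f html "$SUMMARY" | mutt -s "warn diff" -e "set envelope_from=yes" -e "set content_type=text/html" -e "set from=log@alexlinux.com" -e "my_hdr From: log@leomax.ru<log@alexlinux.com>" "$RECIPIENT"
else
    # Nothing new: leave an empty summary so a stale one is never mistaken for fresh output.
    : > "$SUMMARY"
fi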

/etc/rsyslog.conf
[bash]
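# Everything, in the default file format. Keep this as the complete record.
*.* /var/log/logserver/all/all.log

# One file per severity.
# A plain "*.warning" selector means "warning AND MORE SEVERE", so without the "="
# every emerg message would have landed in all eight files and debug.log would have
# been a second copy of all.log; the summary script would then have mailed the same
# line once per file. "=" selects exactly that severity.
# "err" is the canonical rsyslog name; "error" is accepted but documented as deprecated.
*.=emerg   /var/log/logserver/severity/emerg/emerg.log
*.=alert   /var/log/logserver/severity/alert/alert.log
*.=crit    /var/log/logserver/severity/crit/crit.log
*.=err     /var/log/logserver/severity/error/error.log
*.=warning /var/log/logserver/severity/warning/warning.log
*.=notice  /var/log/logserver/severity/notice/notice.log
*.=info    /var/log/logserver/severity/info/info.log
*.=debug   /var/log/logserver/severity/debug/debug.log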
[/bash]
