
Dude-Syslog - Email Notifications not working as expected

Posted: Thu Feb 12, 2009 11:31 pm
by sdischer
I'm using syslog server on Dude to collect from my Linux and RouterOS hosts/routers. I set up a Regex expression to snag logins and email me. When I set up the email notification, the standard fields for the email body are:
[probe.name] on [Device.Name] is now [Service.Status], etc.

When I get the actual email that something matched my regex expression, the email body is:
<86>sshd[10341]: Failed password for root from x.x.x.x port 1356 ssh2

Where is that line coming from? How can I configure that to be more useful like the IP of the machine that was ssh'd to, etc?

Re: Dude-Syslog - Email Notifications not working as expected

Posted: Fri Feb 13, 2009 5:26 am
by johnRBB
That line IS the syslog message...

<86> refers to the syslog priority the message came in with (both 6 & 8).
[10341] is the processID of the sshd process on the server that sent the syslog message.

I may be wrong, but I don't think The Dude can do exactly what you want without some additional help.

As far as I can tell, none of these fields: [probe.name], [Device.Name], [Service.Status] has anything to do with a syslog message... They are very likely fields if your notification came from another source (like a Dude monitored device goes down), but not from syslog.

Once the Dude receives a syslog message, it is separated into three fields... Time (the time the message was received), Address (the address that sent the syslog message), and Event (the actual message).

IF there are dude variables for these, I'd think they'd be [Syslog.Time], [Syslog.Address], and [Syslog.Event]... I'm not in a place I can test that, and I haven't seen any such reference to those variables, so I seriously doubt it.

If you want to change the behavior, I think you're going to have to create a notification with the type "execute on server", then write a script to parse, reformat, then e-mail out the data.

Documentation is a bit lacking on some things in The Dude, like the "execute on server"... I'm not exactly sure how you specify within the notification exactly *what* you're going to execute on the server, nor how you pass the message to the script...
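The parse-and-reformat script suggested in the reply above could look like the following. It is an added example, not part of the original post and not code from The Dude. It assumes the script is handed the sender address and the raw event text as two strings; `sender` and `event` are hypothetical names, since the thread does not say how The Dude passes them.

```python
import re

# Facility and severity names by number (RFC 3164/5424).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# "<PRI>tag[pid]: text", the shape of the line quoted in the thread.
LINE_RE = re.compile(r"^<(\d{1,3})>([^\s\[:]+)(?:\[(\d+)\])?:\s*(.*)$")
# sshd password/publickey failure, with or without "invalid user".
SSH_FAIL_RE = re.compile(r"^Failed (\S+) for (?:invalid user )?(\S+) from (\S+) port (\d+)")

def clean(text):
    """Replace control characters so a hostile username cannot forge extra lines."""
    return "".join(c if c.isprintable() else "?" for c in text)

def parse_event(event):
    """Split one syslog line into fields; return None if it is not well formed."""
    m = LINE_RE.match(event.strip())
    if not m or int(m.group(1)) > 191:  # PRI = facility * 8 + severity, max 23*8+7
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    fields = {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
              "tag": m.group(2), "pid": int(m.group(3)) if m.group(3) else None,
              "message": clean(m.group(4))}
    f = SSH_FAIL_RE.match(fields["message"])
    if f:
        fields.update(method=f.group(1), user=f.group(2),
                      source=f.group(3), port=int(f.group(4)))
    return fields

def format_body(sender, event):
    """Build an e-mail body that names the host that sent the syslog message."""
    fields = parse_event(event)
    if fields is None:
        return f"Syslog sender: {sender}\nUnparsed event: {clean(event)}"
    lines = [f"Syslog sender: {sender}",
             f"Priority: {fields['facility']}.{fields['severity']}",
             f"Process: {fields['tag']} (pid {fields['pid']})"]
    if "source" in fields:
        lines.append(f"Failed {fields['method']} login for {fields['user']} "
                     f"from {fields['source']} port {fields['port']}")
    else:
        lines.append(f"Message: {fields['message']}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, line shape from the thread.
    print(format_body("192.0.2.10",
          "<86>sshd[10341]: Failed password for root from 198.51.100.7 port 1356 ssh2"))
```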

Re: Dude-Syslog - Email Notifications not working as expected

Posted: Mon Feb 16, 2009 10:15 pm
by sdischer
Ok thanks!

Re: Dude-Syslog - Email Notifications not working as expected

Posted: Thu Jan 29, 2015 9:47 pm
by tjcstuart
Did this ever get figured out? I too would like to get TheDude's syslog e-mails to include an IP address.
By going into the Syslog on TheDude I can see Address, but I'd like to have that included in the e-mail. How exactly would I have it execute on server to reformat the syslog message to include the IP? Or are there syslog variables in TheDude 3.6 that just aren't documented?

Re: Dude-Syslog - Email Notifications not working as expected

Posted: Mon Sep 25, 2017 10:01 am
by SharpKnife
Has anybody been able to insert the device IP address into syslog email notifications?

Re: Dude-Syslog - Email Notifications not working as expected

Posted: Mon Sep 25, 2017 7:54 pm
by tjcstuart
I never found a solution to this. I'm still running Dude and getting the e-mails, but when I need to find out the IP that generated it I have to go back into the logs of Dude itself... Not ideal.