sdischer
Trainer
Topic Author
Posts: 128
Joined: Wed Jan 26, 2005 4:58 pm

Dude-Syslog - Email Notifications not working as expected

Thu Feb 12, 2009 11:31 pm

I'm using syslog server on Dude to collect from my Linux and RouterOS hosts/routers. I set up a Regex expression to snag logins and email me. When I set up the email notification, the standard fields for the email body are:
[probe.name] on [Device.Name] is now [Service.Status], etc.

When I get the actual email that something matched my regex expression, the email body is:
<86>sshd[10341]: Failed password for root from x.x.x.x port 1356 ssh2

Where is that line coming from? How can I configure that to be more useful like the IP of the machine that was ssh'd to, etc?
Steve Discher
LearnMikroTik.com, USA
RouterOS Training and Consulting
Get Certified!
http://www.LearnMikroTik.com
 
johnRBB
just joined
Posts: 11
Joined: Tue Dec 02, 2008 2:42 pm

Re: Dude-Syslog - Email Notifications not working as expected

Fri Feb 13, 2009 5:26 am

That line IS the syslog message...

<86> refers to the syslog priority the message came in with (both 6 & 8).
[10341] is the processID of the sshd process on the server that sent the syslog message.

I may be wrong, but I don't think The Dude can do exactly what you want without some additional help.

As far as I can tell, none of these fields: [probe.name], [Device.Name], [Service.Status] has anything to do with a syslog message... They are very likely fields if your notification came from another source (like a Dude monitored device goes down), but not from syslog.

Once the Dude receives a syslog message, it is separated into three fields... Time (the time the message was received), Address (the address that sent the syslog message), and Event (the actual message).

IF there are dude variables for these, I'd think they'd be [Syslog.Time], [Syslog.Address], and [Syslog.Event]... I'm not in a place I can test that, and I haven't seen any such reference to those variables, so I seriously doubt it.

If you want to change the behavior, I think you're going to have to create a notification with the type "execute on server", then write a script to parse, reformat, then e-mail out the data.

Documentation is a bit lacking on some things in The Dude, like the "execute on server"... I'm not exactly sure how you specify within the notification exactly *what* you're going to execute on the server, nor how you pass the message to the script...
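
The parse-and-reformat step suggested in the post above, as an added example that is not from the thread or from The Dude. It assumes the sender address and the raw event text reach the script as two strings (how The Dude would pass them is not established here), decodes the priority value as facility * 8 + severity per RFC 3164, and uses hypothetical function names with constructed documentation addresses as sample input.

```python
import re

# RFC 3164 names, indexed by numeric code (PRI = facility * 8 + severity).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
EVENT_RE = re.compile(r"<(\d{1,3})>(?:([^\s:\[]+)(?:\[(\d+)\])?:\s*)?(.*)", re.S)
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)")


def clean(text):
    """Replace control characters so log text cannot add lines or headers."""
    return re.sub(r"[\x00-\x1f\x7f]", " ", text).strip()


def parse_event(event):
    """Split a raw syslog event into priority, tag, PID and message text."""
    m = EVENT_RE.fullmatch(event.strip())
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "tag": m.group(2), "pid": m.group(3), "message": clean(m.group(4))}


def build_notification(sender, event):
    """Return (subject, body) that names the host which sent the event."""
    sender = clean(sender)
    rec = parse_event(event)
    lines = [f"Reporting host: {sender}"]
    if rec is None:  # unparsable event: forward it with the sender attached
        lines.append(f"Event: {clean(event)}")
        return f"syslog from {sender}", "\n".join(lines)
    lines.append(f"Priority: {rec['facility']}.{rec['severity']}")
    if rec["tag"]:
        lines.append(f"Process: {rec['tag']} pid={rec['pid'] or '-'}")
    lines.append(f"Event: {rec['message']}")
    hit = FAILED_RE.search(rec["message"])
    if hit:  # pull the user and client address out of sshd failures
        lines.append("Failed login: user %s from %s port %s" % hit.groups())
    return f"syslog {rec['severity']} from {sender}", "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: both addresses are documentation-range placeholders.
    sample = "<86>sshd[10341]: Failed password for root from 192.0.2.10 port 1356 ssh2"
    print(*build_notification("198.51.100.7", sample), sep="\n")
```

The returned subject and body can be passed to whatever mail-sending step the server already uses; control characters are replaced first because the event text is written by remote hosts.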
 
sdischer
Trainer
Topic Author
Posts: 128
Joined: Wed Jan 26, 2005 4:58 pm

Re: Dude-Syslog - Email Notifications not working as expected

Mon Feb 16, 2009 10:15 pm

Ok thanks!
Steve Discher
LearnMikroTik.com, USA
RouterOS Training and Consulting
Get Certified!
http://www.LearnMikroTik.com
 
tjcstuart
just joined
Posts: 5
Joined: Tue Aug 12, 2014 10:27 pm

Re: Dude-Syslog - Email Notifications not working as expecte

Thu Jan 29, 2015 9:47 pm

Did this ever get figured out? I too would like to get TheDude's syslog e-mails to include an IP address.
By going into the Syslog on TheDude I can see Address, but I'd like to have that included in the e-mail. How exactly would I have it execute on server to reformat the syslog message to include the IP? Or are there syslog variables in TheDude 3.6 that just aren't documented?
 
SharpKnife
just joined
Posts: 1
Joined: Mon Sep 25, 2017 9:53 am

Re: Dude-Syslog - Email Notifications not working as expected

Mon Sep 25, 2017 10:01 am

Has anybody been able to insert device ip address into syslog email notifications?
 
tjcstuart
just joined
Posts: 5
Joined: Tue Aug 12, 2014 10:27 pm

Re: Dude-Syslog - Email Notifications not working as expected

Mon Sep 25, 2017 7:54 pm

I never found a solution to this. I'm still running Dude and getting the e-mails, but when I need to find out the IP that generated it I have to go back into the logs of Dude itself... Not ideal.
