Syslog NG Email Configuration

Problem this snippet solves:

We describe here how to setup syslog-ng to send syslog messages via email. There is an AskF5 solution - SOL3667: Configuring SNMP trap alerts to send email notifications - which describes how to configure messages to be emailed via alertd and which is the only supported way. This procedure provides full control over the form of the email and the messages being sent, but is not supported. A supported alternative is to configure syslog-ng to forward messages to another server where you could apply any customizations you need, including what we describe here.

How to use this snippet:

Simply copy the configuration script source below to a text editor, edit to fit your environment, then install the configuration following the procedure detailed in this article: LTM 9.4.2+: Custom Syslog Configuration

Please note the following:


(Enable and disable by removing or inserting hash/comment marks at the beginning of the line.)

5.With a Postfix destination enabled, the Postfix server process will accept the mail and inject into the queue even if the Postfix system is unable to send mail. Next time Postfix is enabled, all queued mail will be delivered. If you've been testing without Postfix running, you might want to take advantage of these commands to manage the queue before bringing the service up:

  • To inspect the Postfix queue use the command: postqueu –p
  • To forcibly empty the queue: postsuper -dALL

How it works

When syslog-ng first parses the production version of this configuration, it starts the program specified in the d_email destination stanza (/usr/sbin/sendmail –bs), which is the Postfix SMTP server running in standalone daemon mode.

When a message arrives that matches the filter, syslog-ng will use the template to compose the message and feed it via SMTP to Postfix.

You have full access to every aspect of the email via the template. You can set the subject, the body, add any extra headers you wish, such as X-headers. You can insert any of the syslog-ng defined macros anywhere you like. For more information, please see the The syslog-ng Administrator Guide

If for whatever reason the SMTP server process exits, syslog-ng will restart it, but only one copy is ever executed concurrently.

Code :

syslog include "

template t_smtp {
 template_escape(no);
 template(\"NOOP
HELO localhost
MAIL From: 
RCPT To: 
DATA
Date: $R_STAMP
From: 
To: 
Subject: 

$S_DATE [$FACILITY:$PRIORITY] $MSG
.
\");

};

filter f_test {
  match(\"\") ;
};

# destination #1 - to logfile for initial stanza development
# Disable in production
destination d_logfile { 
  file(\"/var/log/syslog-email-config.log\"
  );
};

# destination #2 - to email with postfix logging for debugging mail transport issues
# Disable in production
#destination d_logfile_email {
#  program(\"/usr/sbin/sendmail -bs > /var/log/syslog-ng-sendmail.log 2>&1\"
#          ts_format(\"rfc3339\")
#          template(t_smtp)
#  );
#};

# destination #3 - to email for production
# Enable only after validating filters and mail transport are operating as expected
#destination d_email {
#  program(\"/usr/sbin/sendmail -bs\" ts_format(\"rfc3339\") template(t_smtp));
#};


log {
   source(local);source(s_bcm56xxd);source(s_tomcat4);source(s_tmm);
   destination(d_logfile);
#   destination(d_logfile_email);
#   destination(d_email);
   filter(f_test);
};
"
Published Mar 12, 2015
Version 1.0

Was this article helpful?

2 Comments

  • Is it still working? I'm trying to configure, but the program application is not being ran.

    EDIT: it conflicts somehow with the audit_forwarder and gives the following log lines:

    ... notice syslog-ng[18235]: Suspending write operation because of an I/O error; fd='44', time_reopen='60'

    I'm not trying to send email messages, but using the same destination/program directive for another task.