Using syslog-ng to filter for critical events and send alert email
-
I've put together a reasonably simple use case for raising an alert when a log message with a particular tag is sent from a remote endpoint (in this case a Raspberry Pi). Any suggestions for how to improve or extend this will be most welcome.
- Create a program for interfacing with the mail.php function of pfSense
SSH as admin to your pfSense instance and open a new file '/usr/local/sbin/sendalert.sh' (I have nano on my pfSense but vi works just as well)
Insert the following text:
#!/bin/sh
# Each line that syslog-ng writes to our stdin is handed to pfSense's mail.php,
# which reads the message body from stdin and takes the subject via -s.
sendmail="/usr/local/bin/mail.php"
subject="Alert from pfSense ${HOST}"
while true ; do
  # read -r keeps backslashes in the message; quoting "$line" keeps whitespace intact
  while read -r line ; do
    echo "$line" | $sendmail -s"$subject"
  done
done
Note: the program will only quit when syslog-ng terminates it (see 7.17. program: Sending messages to external applications in the guide for version 3.14)
- Save the file and make it executable
chmod a+x /usr/local/sbin/sendalert.sh
- From the pfSense GUI, install the package 'syslog-ng'
- Once installed, go to 'Services > syslog-ng'
- On the 'General' tab, configure the interfaces you want to receive logs on (probably LAN and VPN) and the port number
- Go to the 'Advanced' tab and add the following:
Configure your remote system to send logs to your pfSense instance using the port configured in step 3; you should see them appear on the 'Services > Syslog-ng > Log Viewer' tab.
Test by generating a log entry on your remote system.
echo "[CRITICAL] This is a text message" | logger -p local3.crit
After a few minutes you should receive an email at the address configured under 'System > Advanced > Notifications'.
In this example the tag is "CRITICAL". You could also use the level of the message for your filter, e.g.
{ message("CRITICAL") or level(crit..emerg) };
would filter for the word CRITICAL or the level being critical or higher (see 8.4.6. Filter functions in the guide for version 3.14).
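The following is an added example of a complete syslog-ng log path that pairs the filter shown above with the sendalert.sh program destination. It is not peterglock's own Advanced-tab configuration, which is not reproduced on this page. The object names (s_remote, f_critical, d_sendalert) and the UDP port 5140 are assumptions; on pfSense the General tab already generates the listening source object, so in practice you reference that object's name in the log path instead of defining s_remote again.

```conf
# Added example, not the original post's configuration.
# Object names and the port are assumptions.

# Source: assumed to listen on UDP 5140. On pfSense the General tab already
# creates this source; reference the GUI-generated object instead of this one.
source s_remote {
    network(ip("0.0.0.0") port(5140) transport("udp"));
};

# Filter: the tag in the message body OR a severity of crit, alert or emerg.
# level() alone would also catch critical messages without the "[CRITICAL]"
# tag; message() alone would miss them.
filter f_critical {
    message("CRITICAL") or level(crit..emerg);
};

# Destination: one line per matching message on sendalert.sh's stdin.
# The template keeps the originating host and program so the email says
# which endpoint raised the alert; the trailing \n is needed because a
# custom template does not add one.
destination d_sendalert {
    program("/usr/local/sbin/sendalert.sh"
        template("${HOST} ${PROGRAM}: ${MESSAGE}\n"));
};

# Log path tying them together. Without this path the filter is never
# evaluated and nothing is sent.
log {
    source(s_remote);
    filter(f_critical);
    destination(d_sendalert);
};
```

Two things worth knowing before relying on this. Every matching line becomes one mail.php invocation, so a remote host that emits a burst of critical messages produces a burst of emails; there is no rate limiting anywhere in this path. And a plain UDP syslog source accepts messages from any host that can reach the port, so anything on the receiving interfaces can generate a "[CRITICAL]" message and trigger an alert; keep the listening interfaces to the trusted ones, or move the remote endpoint to a TCP or TLS transport if spoofed alerts matter in your environment.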
-
Hi peterglock! Very interesting post. Unfortunately your instructions for what to do in the "Advanced" tab are no longer available in the post (or at least I cannot see them). Can you please share them again? Thanks a lot!