Netgate Discussion Forum

    Using syslog-ng to filter for critical events and send alert email

      peterglock
      last edited by peterglock

      I've put together a reasonably simple use case for raising an alert when a log message with a particular tag is sent from a remote endpoint (in this case a Raspberry Pi). Any suggestions for how to improve or extend this will be most welcome.

      1. Create a program for interfacing with the mail.php function of pfSense
      • SSH as admin to your pfSense instance and open a new file '/usr/local/sbin/sendalert.sh' (I have nano on my pfSense but vi works just as well)

      • Insert the following text:

      #!/bin/sh
      # Launched by syslog-ng's program() destination: every line syslog-ng
      # writes to our stdin is mailed through pfSense's mail.php helper
      sendmail="/usr/local/bin/mail.php"
      # $(hostname) rather than ${HOST}: HOST is a csh variable and is unset under /bin/sh
      subject="Alert from pfSense $(hostname)"

      while true ; do
              # read -r and the quotes keep backslashes and spaces in the log line intact
              while read -r line ; do
                      echo "$line" | $sendmail -s "$subject"
              done
      done

      Note: the program will only quit when syslog-ng terminates it (see 7.17. program: Sending messages to external applications in the guide for version 3.14)

      • Save the file and make it executable
      chmod a+x /usr/local/sbin/sendalert.sh

      2. From the pfSense GUI, install the package 'syslog-ng'
      3. Once installed, go to 'Services > syslog-ng'
      • On the 'General' tab, configure the interfaces you want to receive logs on (probably LAN and VPN) and the port number

      • Go to the 'Advanced' tab and add the following:

      [Three screenshots of the 'Advanced' tab configuration were attached here; the images are no longer available]

      4. Configure your remote system to send logs to your pfSense instance using the port configured in step 3; you should see them appear on the 'Services > Syslog-ng > log viewer' tab.

      5. Test by generating a log entry on your remote system.

      echo "[CRITICAL] This is a text message" | logger -p local3.crit
      

      After a few minutes you should receive an email at the address configured under 'System > Advanced > Notifications'

      In this example the tag is "CRITICAL". You could also use the level of the message for your filter e.g.

      { message ("CRITICAL") or level(crit..emerg)};
      

      would filter for the word CRITICAL or the level being critical or higher (see 8.4.6. Filter functions in the guide for version 3.14)

      daisychain
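      The 'Advanced' tab screenshots are missing from the post above, so here is an added syslog-ng configuration (my own reconstruction, not peterglock's original) that wires together the three pieces the post describes: a network source for the remote endpoint, the filter quoted in the post, and a program() destination that runs sendalert.sh. The object names, the listening address 192.168.1.1, port 5140, the template and the throttle value are assumptions; the port must match what was set on the 'General' tab in step 3.

```conf
# Added example configuration, not from the original post.
# Object names, address, port and throttle value are assumptions.

# Listen for the remote endpoint (the Pi) on UDP 5140 on the LAN address.
source s_remote {
    network(ip("192.168.1.1") port(5140) transport("udp"));
};

# The filter from the post: match the literal tag anywhere in the message
# text, or a syslog severity of crit, alert or emerg (the crit..emerg range).
filter f_critical {
    message("CRITICAL") or level(crit..emerg);
};

# Hand each matching message to the mail wrapper. syslog-ng starts the
# script once, keeps it running and writes one formatted line per message
# to its stdin. throttle(1) caps delivery at one message per second so a
# burst of matching lines does not turn into a burst of emails; excess
# messages wait in the output queue and can be lost if it overflows unless
# a disk-buffer is configured.
destination d_alert_mail {
    program("/usr/local/sbin/sendalert.sh"
        template("$ISODATE $HOST $MSGHDR$MSG\n")
        throttle(1)
    );
};

# Only messages passing f_critical reach the mail destination.
log {
    source(s_remote);
    filter(f_critical);
    destination(d_alert_mail);
};
```

      In the pfSense package each of these is entered on the 'Advanced' tab as a separate object (name, type, and the parameters in braces); the plain-file form is shown here only for readability. Because the filter matches on message text, any client that can reach the listener can trigger an email by logging the word CRITICAL, so restrict the listening interfaces on the 'General' tab to the networks that should be able to report, and keep the throttle (or a similar limit) in place so the mailbox cannot be flooded.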

        Hi peterglock! Very interesting post. Unfortunately your instructions to do in the "Advanced tab" are no longer available in the post (or at least I cannot see them). Can you please share them again? Thanks a lot!

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.