Netgate Discussion Forum

Using syslog-ng to filter for critical events and send alert email

pfSense Packages
2 Posts 2 Posters 1.3k Views
  peterglock, Dec 6, 2019, 2:48 PM (last edited by peterglock Dec 8, 2019, 7:23 PM)

    I've put together a reasonably simple use case for raising an alert when a log message with a particular tag is sent from a remote endpoint (in this case a Raspberry Pi). Any suggestions for how to improve or extend this will be most welcome.

    1. Create a program for interfacing with the mail.php function of pfSense
    • SSH as admin to your pfSense instance and open a new file '/usr/local/sbin/sendalert.sh' (I have nano on my pfSense but vi works just as well)

    • Insert the following text:

    #!/bin/sh
    # Hand each line that syslog-ng writes to stdin to pfSense's mail.php, which
    # sends it to the address configured under System > Advanced > Notifications.
    sendmail="/usr/local/bin/mail.php"
    # $HOST is not set by /bin/sh on pfSense; ask the system for the hostname instead.
    subject="Alert from pfSense $(hostname)"

    # syslog-ng keeps this program running and writes one message per line.
    # IFS= keeps leading whitespace and -r keeps backslashes in the message intact.
    # When syslog-ng closes the pipe, read fails and the script exits; an outer
    # 'while true' loop would otherwise spin at 100% CPU on end-of-file.
    while IFS= read -r line ; do
            printf '%s\n' "$line" | $sendmail -s"$subject"
    done
    
    

    Note: the program will only quit when syslog-ng terminates it (see 7.17. program: Sending messages to external applications in the guide for version 3.14)

    • Save the file and make it executable
    chmod a+x /usr/local/sbin/sendalert.sh
    
    2. From the pfSense GUI, install the package 'syslog-ng'
    3. Once installed, go to 'Services > syslog-ng'
    • On the 'General' tab, configure the interfaces you want to receive logs on (probably LAN and VPN) and the port number

    • Go to the 'Advanced' tab and add the following:

    [three screenshots of the syslog-ng 'Advanced' tab configuration; the images are not recoverable from the page]

    4. Configure your remote system to send logs to your pfSense instance using the port configured in step 3; you should see them appear on the 'Services > Syslog-ng > log viewer' tab.

    5. Test by generating a log entry on your remote system.

    echo "[CRITICAL] This is a text message" | logger -p local3.crit
    

    After a few minutes you should receive an email at the address configured under 'System > Advanced > Notifications'

    In this example the tag is "CRITICAL". You could also use the level of the message for your filter e.g.

    filter f_alert { message("CRITICAL") or level(crit..emerg); };
    

    would filter for the word CRITICAL or the level being critical or higher (see 8.4.6. Filter functions in the guide for version 3.14)

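The screenshots of the 'Advanced' tab are gone from the page, so the following is an added example of one way the pieces described above fit together as syslog-ng configuration. It is not the original poster's configuration and is not shipped with the pfSense syslog-ng package; the object names (s_remote, f_alert, d_alert), the port 5140 and the UDP transport are assumptions, and the port must match whatever was set on the 'General' tab.

```conf
# Added example, not the original poster's config. Object names and the
# port are assumptions; use the port configured on the 'General' tab.

# Listen for syslog from the remote endpoint (e.g. the Raspberry Pi).
# If the 'General' tab already creates a listener on this port, reference
# the source object the package generated instead of defining a second one.
source s_remote {
    network(ip("0.0.0.0") port(5140) transport("udp"));
};

# Match either the literal tag in the message text or a severity of
# crit, alert or emerg (level() takes an inclusive range).
filter f_alert {
    message("CRITICAL") or level(crit..emerg);
};

# Hand each matching message to the alert script. syslog-ng starts the
# program once, keeps it running and writes one line per message to its
# stdin, which is what the read loop in sendalert.sh consumes.
destination d_alert {
    program("/usr/local/sbin/sendalert.sh"
        template("${HOST} ${PROGRAM}: ${MESSAGE}\n")
    );
};

# Tie source, filter and destination together.
log {
    source(s_remote);
    filter(f_alert);
    destination(d_alert);
};
```

Two points worth checking before relying on this: the network source is unauthenticated UDP, so anything that can reach that port on the chosen interfaces can inject a line containing CRITICAL and trigger an email, and the script sends one email per matching line, so a noisy or hostile sender turns into a flood of mail. Restrict the listening interfaces and firewall rules to the hosts that should be logging, and consider adding a sender check (for example a host() filter on the endpoint's name) before the destination.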
    daisychain, Dec 10, 2022, 2:05 PM

      Hi peterglock! Very interesting post. Unfortunately your instructions for the "Advanced tab" are no longer available in the post (or at least I cannot see them). Can you please share them again? Thanks a lot!

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.