Linux monitor logs and email alerts?

I have a server with a faulty power button that likes to reboot itself. Usually there are warning signs, like the acpid log file in /var/log starts spamming garbage for about 10hrs or so.

Is there an easy way I can have something monitor the acpid log and email me when it has new activity?

I wouldn’t consider myself extremely advanced so any “guides” you may have for accomplishing something like this would be very helpful and much appreciated. Thank you!

You could use something like LogWatch. Or even a simple script like this (it’s pseudo code; you’ll need to modify it for your environment):

 #!/bin/bash
 # Placeholders: set the log path and the string you want to watch for.
 LOG_FILE="/var/log/acpid"
 ERROR_STRING="<error string>"
 # grep -c prints the number of matching lines (0 when there are none).
 MATCH_COUNT=$(grep -c -- "$ERROR_STRING" "$LOG_FILE")
 if [ "$MATCH_COUNT" -ne 0 ]
 then
    echo "$MATCH_COUNT lines in $LOG_FILE match '$ERROR_STRING'" | mail -s "acpid alert" user@domain.com
 fi

Put that in cron to run every hour or so and you should get an email letting you know when it’s getting weird.
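The script above mails every hour for as long as the string is present in the log. The following is an added example, not code from this thread, that keeps a line-count state file so an hourly cron job reports only the lines appended since its last run, and starts over if the log was rotated; the log path, state path and recipient are assumed placeholders:

```shell
#!/bin/sh
# Added example: report only lines appended to a log since the previous run.
# State (the line count seen last time) lives in a small file, so an hourly
# cron job mails once per burst of activity instead of every hour forever.
# Assumed placeholders; adjust for your system.
LOG_FILE="${LOG_FILE:-/var/log/acpid}"
STATE_FILE="${STATE_FILE:-/var/tmp/acpid-monitor.state}"
MAIL_TO="${MAIL_TO:-root}"

# new_lines LOG STATE
# Prints the lines of LOG after the line count stored in STATE (0 if the
# state file is missing), then stores the current count. If LOG has fewer
# lines than recorded it was rotated or truncated, so everything is new.
new_lines() {
    nl_log="$1"
    nl_state="$2"
    nl_last=0
    [ -f "$nl_state" ] && nl_last=$(tr -d ' ' < "$nl_state")
    nl_total=$(wc -l < "$nl_log" | tr -d ' ')
    if [ "$nl_total" -lt "$nl_last" ]; then
        nl_last=0
    fi
    # tail -n +N prints from line N onwards; nothing when N > line count.
    tail -n +"$((nl_last + 1))" "$nl_log"
    printf '%s\n' "$nl_total" > "$nl_state"
}

# main LOG [STATE] [MAILTO]: mail the new lines, if any, as one report.
main() {
    m_log="${1:-$LOG_FILE}"
    m_state="${2:-$STATE_FILE}"
    m_to="${3:-$MAIL_TO}"
    m_report=$(new_lines "$m_log" "$m_state")
    if [ -n "$m_report" ]; then
        m_count=$(printf '%s\n' "$m_report" | wc -l | tr -d ' ')
        printf '%s\n' "$m_report" |
            mail -s "$(hostname): $m_count new lines in $m_log" "$m_to"
    fi
}

# Run only when called with a log path (e.g. from cron), so the functions
# can also be sourced or tested without sending mail.
case $# in
    0) echo "usage: $0 LOGFILE [STATEFILE] [MAILTO]" >&2 ;;
    *) main "$@" ;;
esac
```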

You can use OSSEC HIDS to set up rules on log files and, at the same time, get security information from your host.

Setting it up is very easy:

  • Download the source
  • Uncompress it and run ./install.sh
  • Choose local install
  • Answer the questions (email, checks, etc.)
  • Edit /var/ossec/rules/local_rules.xml as specified below
  • Start OSSEC with /var/ossec/bin/ossec-control start

local_rules.xml

<group name="local,syslog,">
  <rule id="100001" level="13">
    <regex>^.*Your string.*$</regex>
    <description>I've just picked up a fault in the AE35 unit. It's going to go 100% failure in 72 hours</description>
  </rule>
</group>

Rules can be very flexible and complex. See this table to get an idea of the parameters involved in a rule.

If you don’t want or need the other security features you can deactivate them by removing the include lines under the rules tag.

I would suggest Nagios; it’s what we run where I work for monitoring multiple machines on our network. It’s very good. I’ve not used it specifically for what you’re doing, but you can certainly set it up to email you when errors occur.

There is a guide here for installing it on Ubuntu http://beginlinux.com/blog/2008/11/install-nagios-3-on-ubuntu-810/ and one here for installing on http://www.debianhelp.co.uk/nagiosinstall.htm.

And you can send it with something like this:

# mktemp avoids a predictable /tmp filename that another local user could pre-create.
EMAILMSG=$(mktemp /tmp/logreport.XXXXXX)
echo "Something to put in the email" >> "$EMAILMSG"

mail -s "Whatever Subject You Like" user@domain.com < "$EMAILMSG"
rm -f "$EMAILMSG"
