Rsyslog mail module not working
Posted
by
Henry-Nicolas Tourneur
on Server Fault
See other posts from Server Fault
or by Henry-Nicolas Tourneur
Published on 2010-01-08T09:31:20Z
Indexed on
2012/03/24
5:32 UTC
Read the original article
Hit count: 447
I would like to email snort alerts from my Debian Lenny fw. Syslog is sending log messages from the firewalls to a central rsyslog.
On my central rsyslog, I got something like :
$ModLoad ommail
$ActionMailSMTPServer server.company.local
$ActionMailFrom [email protected]
$ActionMailTo [email protected]
$ActionExecOnlyOnceEveryInterval 1
$template mailSubject,"[SNORT] Alert from %hostname%"
$template mailBody,"Snort message\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
if $msg regexp 'snort[[0-9]]: [[0-9]:[0-9]:[0-9]].*' then ommail:;mailBody
But I doesn't get any mails, I even can trigger snort with something like ping -s 1400, it logs things like following but still no mail !
2010-01-08T09:25:58+00:00 Hostname snort[4429]: [1:499:4] ICMP Large ICMP Packet [Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} ip_dest -> ip_src
Any idea ?
© Server Fault or respective owner