Rsyslog mail module not working

Posted by Henry-Nicolas Tourneur on Server Fault See other posts from Server Fault or by Henry-Nicolas Tourneur
Published on 2010-01-08T09:31:20Z Indexed on 2012/03/24 5:32 UTC
Read the original article Hit count: 447

Filed under:
|

I would like to email snort alerts from my Debian Lenny fw. Syslog is sending log messages from the firewalls to a central rsyslog.

On my central rsyslog, I got something like :
$ModLoad ommail
$ActionMailSMTPServer server.company.local
$ActionMailFrom [email protected]
$ActionMailTo [email protected]
$ActionExecOnlyOnceEveryInterval 1

$template mailSubject,"[SNORT] Alert from %hostname%"
$template mailBody,"Snort message\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
if $msg regexp 'snort[[0-9]]: [[0-9]:[0-9]:[0-9]].*' then ommail:;mailBody

But I doesn't get any mails, I even can trigger snort with something like ping -s 1400, it logs things like following but still no mail !

2010-01-08T09:25:58+00:00 Hostname snort[4429]: [1:499:4] ICMP Large ICMP Packet [Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} ip_dest -> ip_src

Any idea ?

© Server Fault or respective owner

Related posts about email

Related posts about alerts