Send specific log with specific pharse to my mail

Question

I want to send specific log which has specific phrase to my mail.

For example:

ERROR LOG SOMETHING.COM IP XX.XXX.XXX.XXX PORT:2343 Bad XXXXXXX

And if upper log has phase SOMETHING.COM, send me this log to email.

Is it possible in logwatch or kibana? Or maybe something else?

*send me this log* - do you want the whole log file to be sent? — RomanPerekhrest, Dec 08 '17 at 14:54
@Xalorous there’s not much point just editing the title — your edit would be much more useful if you fixed up the question too. — Stephen Kitt, Dec 08 '17 at 15:43

score 0 · Accepted Answer · answered Dec 08 '17 at 15:02

This can be done with the simple event correlator and a configuration file along the lines of

type=SingleWithThreshold
ptype=SubStr
pattern=SOMETHING.COM
desc=SOMETHING.COM
action=pipe '%s' /usr/bin/mail -s 'SOMETHING.COM' [email protected]
window=86400
thresh=1

And sec told to use the file containing the above against the file that the log appears in (this will vary depending on how sec is installed, whether there's a vendor package, etc).

The window is rather important unless you like dealing with hundreds or thousands of email messages for each and every log line matched; sec has other means of rolling up or summarizing results; see the documentation.

Send specific log with specific pharse to my mail

1 Answers1