
My log file contains the following 3 log entries:

2017-11-16 15:50:45 1eFLV7-0003so-Cd <= <> R=1eFLV7-0003sZ-4v U=Debian-exim P=local S=1853 T="Mail delivery failed: returning message to sender" from <>
2017-11-16 15:50:45 1eFLV7-0003so-Cd => [email protected] R=dnslookup T=remote_smtp H=smtp-51.xxx.com [xxx.xx.xx.xx] X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
2017-11-16 15:50:45 1eFLV7-0003so-Cd Completed

I want to have an email sent to me, when an entry "Mail delivery failed*[email protected]" appears in the log file.

How can I achieve this?

Maybe SEC - Simple Event Correlator can help me?

But the below configuration (pattern) does not work for me.

type=SingleWithThreshold
ptype=RegExp
pattern=Mail delivery failed: returning message to sender*[email protected]
desc=Problem with mail [email protected]
action=pipe '%s' /usr/bin/mail -s 'ERROR SEND MAIL' [email protected]
window=1
thresh=1
debek

2 Answers


You're using SingleWithThreshold and hoping the * will match two lines - it won't. Try Pair.

Something like (untested),

type=Pair
ptype=RegExp
pattern=Mail delivery failed: returning message to sender
# a Pair rule needs desc/action for the first event too; nothing to do yet
desc=Bounce seen, waiting for the delivery line
action=none
ptype2=RegExp
pattern2=admins@xxx\.com
desc2=Problem with mail [email protected]
action2=pipe '%s' /usr/bin/mail -s 'ERROR SEND MAIL' [email protected]
window=1

Anything you try needs to handle the fact that you have two lines of text, separated by a newline. Many text processing tools work on individual lines, and the asterisk character won't get around that by looking at the next line as well.

EightBitTony

As I understand, you want to match two consecutive lines that originate from the same input file. If that is the case, the easiest solution would be to use the RegExp2 pattern. In fact, SEC operates in multi-line mode at all times without any special command line switches, and the number of lines matched by any pattern is set with the 'ptype' keyword. Here is the rule that might be helpful for you:

type=Single
ptype=RegExp2
pattern=Mail delivery failed: returning message to sender.*\n.*admins@xxx\.com
desc=Problem with mail [email protected]
action=pipe '%s' /usr/bin/mail -s 'ERROR SEND MAIL' [email protected]

In this rule, 'RegExp2' means "a regular expression which matches 2 consecutive lines". By default, these lines have to originate from the same file, but --jointbuf command line option lifts that restriction. However, under normal circumstances you would not want to use this option, since it puts events from all sources into the same input buffer for multi-line matching, but the order of events is not determined.

In the above example rule, please also note the regular expression:

Mail delivery failed: returning message to sender.*\n.*admins@xxx\.com

Since by default .* does not match the newline, the expression also harnesses \n for matching the newline character.

Finally, I would also like to invite you to post further questions about SEC to its mailing list (https://sourceforge.net/p/simple-evcorr/mailman/simple-evcorr-users/), since a number of experienced users are following it who can promptly answer similar questions.

kind regards, risto
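Both answers rely on the bounce line and the delivery line sitting next to each other in the log. On a busy Exim server that is not guaranteed: deliveries run concurrently and lines from other messages are interleaved between the "<=" and "=>" lines of the same message. The script below is an added example (not from either answer, and not part of SEC) that runs the two-line, RegExp2-style match and a message-id keyed correlation over constructed Exim log samples, and shows where they differ. The sample logs, the second message id 1eFLV7-0003sq-Ab, the hosts and addresses in it, and the function names are all my own; the obfuscated recipient is written as admins@xxx.com, as in the second answer's regex.

```python
import re

# Constructed sample logs (not from the original page). ORIGINAL_LOG mirrors
# the three consecutive lines in the question.
ORIGINAL_LOG = """\
2017-11-16 15:50:45 1eFLV7-0003so-Cd <= <> R=1eFLV7-0003sZ-4v U=Debian-exim P=local S=1853 T="Mail delivery failed: returning message to sender" from <>
2017-11-16 15:50:45 1eFLV7-0003so-Cd => admins@xxx.com R=dnslookup T=remote_smtp H=smtp-51.xxx.com [xxx.xx.xx.xx] X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
2017-11-16 15:50:45 1eFLV7-0003so-Cd Completed
"""

# INTERLEAVED_LOG is the same bounce on a busier server: an unrelated message
# (id 1eFLV7-0003sq-Ab, also constructed) is logged between the "<=" and "=>"
# lines, so the two lines of interest are no longer adjacent.
INTERLEAVED_LOG = """\
2017-11-16 15:50:45 1eFLV7-0003so-Cd <= <> R=1eFLV7-0003sZ-4v U=Debian-exim P=local S=1853 T="Mail delivery failed: returning message to sender" from <>
2017-11-16 15:50:45 1eFLV7-0003sq-Ab <= user@example.org H=mail.example.org [192.0.2.10] P=esmtps S=2048
2017-11-16 15:50:45 1eFLV7-0003so-Cd => admins@xxx.com R=dnslookup T=remote_smtp H=smtp-51.xxx.com [xxx.xx.xx.xx] X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
2017-11-16 15:50:45 1eFLV7-0003so-Cd Completed
2017-11-16 15:50:46 1eFLV7-0003sq-Ab => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.20]
2017-11-16 15:50:46 1eFLV7-0003sq-Ab Completed
"""

# One Exim main-log line: timestamp, message id (three base-62 fields, 6-6-2
# characters), then the rest of the line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) "
    r"(?P<rest>.*)$"
)
BOUNCE_MARKER = 'T="Mail delivery failed: returning message to sender"'


def adjacent_match(log: str, recipient: str):
    """Emulate the two-line RegExp2 rule: the bounce line must be immediately
    followed by the line delivering to `recipient`. Returns matched ids."""
    two_line_re = re.compile(
        r"Mail delivery failed: returning message to sender.*\n.*=> "
        + re.escape(recipient) + r"(?=\s|$)"
    )
    lines = log.splitlines()
    hits = []
    for i in range(len(lines) - 1):
        # ".*" does not cross the "\n", just like Perl's default in SEC
        if two_line_re.search(lines[i] + "\n" + lines[i + 1]):
            m = LINE_RE.match(lines[i])
            hits.append(m.group("msgid") if m else None)
    return hits


def correlate_by_msgid(log: str, recipient: str):
    """Key on the Exim message id instead of line adjacency: remember each
    bounce's id from its '<= <>' line, alert when a later '=>' line with the
    same id delivers to `recipient`, and forget the id once the message is
    'Completed'. Returns matched ids."""
    delivery_re = re.compile(r"=> " + re.escape(recipient) + r"(?=\s|$)")
    bounces = set()
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a message id, e.g. queue-runner notices
        msgid, rest = m.group("msgid"), m.group("rest")
        if rest.startswith("<= <>") and BOUNCE_MARKER in rest:
            bounces.add(msgid)          # empty envelope sender: a bounce
        elif delivery_re.match(rest) and msgid in bounces:
            hits.append(msgid)
        elif rest == "Completed":
            bounces.discard(msgid)      # message left the queue
    return hits


if __name__ == "__main__":
    for name, log in (("original", ORIGINAL_LOG), ("interleaved", INTERLEAVED_LOG)):
        print(name, "adjacent:", adjacent_match(log, "admins@xxx.com"),
              "by msgid:", correlate_by_msgid(log, "admins@xxx.com"))
```

On the three-line log from the question both approaches report 1eFLV7-0003so-Cd; on the interleaved log only the message-id correlation does. The same idea can be expressed in a SEC Pair rule: capture the id in the first pattern, e.g. pattern=(\S+) <= <> .*Mail delivery failed: returning message to sender, and refer to it as $1 in the second one, pattern2=$1 => admins@xxx\.com, so the rule waits for the delivery line of that specific message rather than for whatever line happens to come next.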