# syslog.conf syntax to send email of logs



## a59303 (May 22, 2015)

Hello,

I have been trying to understand how to configure `syslogd`, or `syslog` to mail me log digests periodically.  I have discovered that the configuration file, syslog.conf(5), allows for piping to a command; i.e.

`mail address@server.com`

I wonder if this is the conventional way to do it.  I appreciate also that one can mail to a local user and log to a remote system but I am hoping to set this up to email me.  I am not too up on the regular use of mail either so I would be interested in the syntax of that although I think my working syslog.conf line would look something like this line from the man page.

```
# Pipe all authentication messages to a filter.
auth.* |exec /usr/local/sbin/authfilter
```
In my specific case I would want to do something like this.

```
# Pipe all warning messages to mail.
auth.*  |exec /bin/mail ***at***.com
```

Thanks for any advice,

a5'


----------



## junovitch@ (May 22, 2015)

I would think that would result in too much email noise.  Personally, I use security/logcheck and I would think that getting changes batched up in periodic intervals would be more usable.

If it helps, here are my notes on setting up security/logcheck and ensuring it can access /var/log/auth.log.

```
pkg install security/logcheck
perl -pwi -e 'if (/auth\.log/) {s/auth\.log\t\t/auth.log\troot:logcheck/; s/600/640/; }' /etc/newsyslog.conf
chown root:logcheck /var/log/auth.log
chmod 640 /var/log/auth.log
cp /usr/local/share/examples/logcheck/crontab.in /var/cron/tabs/logcheck
chmod 600 /var/cron/tabs/logcheck
```


----------



## a59303 (May 22, 2015)

junovitch said:


> I would think that would result in too much email noise.



Thanks for the reply,

That is more or less what I expected.  Although I was hoping to use the syntax of syslog.conf to make digests or something similar.

Additionally I should mention that above I had mistyped, below should be changed to

```
warn.* | exec /bin/mail ***at***.com
```
.


a59303 said:


> In my specific case I would want to do something like this.
> 
> ```
> # Pipe all warning messages to mail.
> ...
> ```



More than that, this is a very simple server, and one that will likely not send much mail.  Sounds to me like this is not recommended though, and another piece of software may be needed.


----------



## Oko (May 22, 2015)

junovitch said:


> I would think that would result in too much email noise.  Personally, I use security/logcheck and I would think that getting changes batched up in periodic intervals would be more usable.


Any chance that you could share your configuration settings? Two years ago, when I moved to my current lab, I inherited logwatch and it was just spamming me the whole day with useless e-mails. It was very difficult to see anything in them.
I am eager to have some intelligent parser on my centralized login server.


----------



## junovitch@ (May 23, 2015)

a59303, it's certainly doable if you don't think the volume would be that high and it wouldn't bother you.

Oko, I made a how-to for everybody in Thread 51736. Unfortunately I lost a bunch of regexes for various services when my SSD died on my NAS that had the OS on an SSD and data on a RAIDZ pool.  At work it's just disparate things so this is just the configuration I use for all my stuff on my LAN.  I hope that helps.  If you come up with any useful examples for ignoring services please feel free to add a post to that how-to.


----------



## a59303 (May 23, 2015)

junovitch,

In that case, do you know of any other good sources for examples of syslog.conf(5) other than the handbook entry (https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-syslog.html)... and of course the how to you created, which I will be looking at now.

Thank You,

a5'


----------



## junovitch@ (May 28, 2015)

I can't think of any specific examples outside of that documentation.


----------



## a59303 (May 28, 2015)

OK,

Well, thanks for the reply. I have to kind of put something together for it.  Probably will post it here... possibly for suggestions.

Have a good night,

a5'


----------
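One way to get the digests discussed in this thread from a syslog.conf(5) pipe, as an added example that is not from any of the posters: the piped command only spools messages, and a cron job mails the spool as a single message. The script path, spool path and recipient are assumptions.

```shell
#!/bin/sh
# Added example. Hypothetical install path: /usr/local/sbin/logdigest
# syslog.conf (selector is facility.level):
#   *.warning    |exec /usr/local/sbin/logdigest filter
# crontab (hourly digest):
#   0 * * * * /usr/local/sbin/logdigest digest
SPOOL="${SPOOL:-/var/spool/logdigest/pending}"  # assumed spool file
RCPT="${RCPT:-admin@example.com}"               # constructed placeholder address
MAILER="${MAILER:-mail}"                        # mail(1) found via PATH

# Filter mode: syslogd writes matching messages to stdin; append each one.
spool_lines() {
    umask 077                                   # spool is readable by owner only
    while IFS= read -r line; do
        printf '%s\n' "$line" >> "$SPOOL"       # line is data, never evaluated
    done
}

# Digest mode: mail everything spooled so far as one message.
# Returns 0 if a digest was sent, 1 if nothing was pending.
send_digest() {
    [ -s "$SPOOL" ] || return 1
    batch="$SPOOL.$$"
    # Rename first, so lines arriving later go to a fresh spool file.
    mv "$SPOOL" "$batch" || return 2
    count=$(wc -l < "$batch" | tr -d ' ')
    # Recipient and subject are fixed; nothing from the log text reaches
    # the command line, only the message body.
    "$MAILER" -s "syslog digest: $count line(s) from $(uname -n)" "$RCPT" \
        < "$batch" && rm -f "$batch"
}

case "${1:-}" in
    filter) spool_lines ;;
    digest) send_digest ;;
esac
```

If the mailer fails, the renamed batch file is left in place next to the spool so the lines are not lost.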

