Sending messages written to syslog by email with Fluentd

Send messages written to syslog by email as needed.
The syslog output format has been changed, so see the page "rsyslog の出力項目と書式を変更" (changing the rsyslog output fields and format) for details.
For installation, see the Fluentd page.

The main configuration and one include file per priority are written separately, and the include files are pulled in with @include.
The main configuration holds the base settings.
Syslog messages that are sent by email are also written to the Fluentd log.
For the fluentd tag (Fluentd's own log events), everything except info is sent by email.

Main configuration file /etc/fluentd/fluentd.conf
Configuration file for panic /etc/fluentd/include_panic.conf
Configuration file for emerg /etc/fluentd/include_emerg.conf
Configuration file for alert /etc/fluentd/include_alert.conf
Configuration file for crit /etc/fluentd/include_crit.conf
Configuration file for err /etc/fluentd/include_err.conf
Configuration file for warn /etc/fluentd/include_warn.conf
Configuration file for notice /etc/fluentd/include_notice.conf
Configuration file for info /etc/fluentd/include_info.conf
Configuration file for debug /etc/fluentd/include_debug.conf

gem install fluent-plugin-mail
gem install fluent-plugin-ignore-filter
gem install fluent-plugin-rewrite-tag-filter

root@ubuntu:~# fluent-gem list

*** LOCAL GEMS ***

bigdecimal (default: 1.3.4)
cmath (default: 1.0.0)
concurrent-ruby (1.1.5)

~~~ (omitted) ~~~

fiddle (default: 1.0.0)
fileutils (default: 1.0.2)
fluent-config-regexp-type (1.0.0)
fluent-plugin-ignore-filter (2.0.0)
fluent-plugin-mail (0.3.0)
fluent-plugin-rewrite-tag-filter (2.2.0)
fluentd (1.7.3)
gdbm (default: 2.0.0)
http_parser.rb (0.6.0)

~~~ (omitted) ~~~

xmlrpc (0.3.0)
yajl-ruby (1.4.1)
zlib (default: 1.0.0)

Adjust the values as appropriate for the environment being built. Note that fluentd.conf holds the SMTP user name and password in clear text, so keep the file readable only by the account Fluentd runs as.

vi /etc/fluentd/fluentd.conf

<source>
  @type tail
  @id _LOGGING
  #
  path /var/log/syslog
  format /^(?<timestamp>[^ ]*\s*[^,]*),(?<fromhost>[^,]*),(?<hostname>[^,]*),(?<type>[^,]*),(?<syslogtag>[^,]*),"*(?<message>.*)"$/
  #
  tag syslog
  pos_file /var/log/fluentd.pos
</source>

<match syslog>
  @type rewrite_tag_filter
  <rule>
    key     type
    pattern /^(?=.*debug).*$/
    tag     syslog.debug
  </rule>
  <rule>
    key     type
    pattern /^(?=.*info).*$/
    tag     syslog.info
  </rule>
  <rule>
    key     type
    pattern /^(?=.*notice).*$/
    tag     syslog.notice
  </rule>
  <rule>
    key     type
    pattern /^(?=.*warn).*$/
    tag     syslog.warn
  </rule>
  <rule>
    key     type
    pattern /^(?=.*err).*$/
    tag     syslog.err
  </rule>
  <rule>
    key     type
    pattern /^(?=.*crit).*$/
    tag     syslog.crit
  </rule>
  <rule>
    key     type
    pattern /^(?=.*alert).*$/
    tag     syslog.alert
  </rule>
  <rule>
    key     type
    pattern /^(?=.*emerg).*$/
    tag     syslog.emerg
  </rule>
  <rule>
    key     type
    pattern /^(?=.*panic).*$/
    tag     syslog.panic
  </rule>
  <rule>
    key     type
    pattern /.*/
    tag     syslog.notification
  </rule>
</match>

@include include_debug.conf
@include include_info.conf
@include include_notice.conf
@include include_warn.conf
@include include_err.conf
@include include_crit.conf
@include include_alert.conf
@include include_emerg.conf
@include include_panic.conf

<match syslog.discard>
  @type null
</match>

<match syslog.notification>
  @type copy
  <store>
    @type stdout
    @id _STDOUT
  </store>
  <store>
    @type mail
    @id _MAIL_REPORT
    #
    host smtp.hogehoge.jp
    port 587
    #
    user hoge@hogehoge.jp
    password ********
    #
    from hoge@hogehoge.jp
    to hoge@hogehoge.jp
    subject "[ubuntu] syslog report"
    out_keys timestamp, fromhost, hostname, type, syslogtag, message
  </store>
</match>

<filter fluent.**>
  @type record_transformer
  <record>
    tag ${tag}
  </record>
</filter>

<match fluent.**>
  @type rewrite_tag_filter
  <rule>
    key     tag
    pattern /^(?=.*info).*$/
    tag     fluentd.discard
  </rule>
  <rule>
    key     tag
    pattern /.*/
    tag     fluentd.notification
  </rule>
</match>

<match fluentd.discard>
  @type null
</match>

<match fluentd.notification>
  @type mail
  @id _MAIL_FLUENTD
  #
  host smtp.hogehoge.jp
  port 587
  #
  user hoge@hogehoge.jp
  password ********
  #
  from hoge@hogehoge.jp
  to hoge@hogehoge.jp
  subject "[ubuntu] fluentd report"
  out_keys tag, error, line, timestamp, fromhost, hostname, type, syslogtag, message
</match>

vi /etc/fluentd/include_panic.conf

<match syslog.panic>
    @type rewrite_tag_filter
    <rule>
        key     type
        pattern .*
        tag     syslog.notification
    </rule>
</match>

vi /etc/fluentd/include_emerg.conf

<match syslog.emerg>
    @type rewrite_tag_filter
    <rule>
        key     type
        pattern .*
        tag     syslog.notification
    </rule>
</match>

vi /etc/fluentd/include_alert.conf

<match syslog.alert>
    @type rewrite_tag_filter
    <rule>
        key     type
        pattern .*
        tag     syslog.notification
    </rule>
</match>

vi /etc/fluentd/include_crit.conf

<match syslog.crit>
    @type rewrite_tag_filter
    <rule>
        key     type
        pattern .*
        tag     syslog.notification
    </rule>
</match>

vi /etc/fluentd/include_err.conf

<match syslog.err>
    @type rewrite_tag_filter
    <rule>
        key     type
        pattern .*
        tag     syslog.notification
    </rule>
</match>

vi /etc/fluentd/include_warn.conf

<match syslog.warn>
    @type rewrite_tag_filter
    <rule>
        key     syslogtag
        pattern /systemd/
        tag     syslog.warn.tag.systemd
    </rule>
    <rule>
        key     type
        pattern .*
        tag     syslog.notification
    </rule>
</match>

<match syslog.warn.tag.systemd>
    @type rewrite_tag_filter
    <rule>
        key     message
        pattern /Current command vanished from the unit file,/
        tag     syslog.discard
    </rule>
    <rule>
        key     type
        pattern .*
        tag     syslog.notification
    </rule>
</match>

vi /etc/fluentd/include_notice.conf

<match syslog.notice>
    @type rewrite_tag_filter
    <rule>
        key     hostname
        pattern /ROOTER/
        tag     syslog.notice.host.rooter
    </rule>
    <rule>
        key     syslogtag
        pattern /kernel:/
        tag     syslog.notice.tag.kernel
    </rule>
    <rule>
        key     type
        pattern .*
        tag     syslog.notification
    </rule>
</match>

<match syslog.notice.host.rooter>
    @type rewrite_tag_filter
    <rule>
        key     message
        pattern /NTP:/
        tag     syslog.discard
    </rule>
    <rule>
        key     type
        pattern .*
        tag     syslog.notification
    </rule>
</match>

<match syslog.notice.tag.kernel>
    @type rewrite_tag_filter
    <rule>
        key     message
        pattern /\[ {3,}/
        tag     syslog.discard
    </rule>
    <rule>
        key     message
        pattern /apparmor=\"STATUS\"/
        tag     syslog.discard
    </rule>
    <rule>
        key     type
        pattern .*
        tag     syslog.notification
    </rule>
</match>

vi /etc/fluentd/include_info.conf

<match syslog.info>
    @type rewrite_tag_filter
    <rule>
        key     type
        pattern .*
        tag     syslog.discard
    </rule>
</match>

vi /etc/fluentd/include_debug.conf

<match syslog.debug>
    @type rewrite_tag_filter
    <rule>
        key     type
        pattern .*
        tag     syslog.discard
    </rule>
</match>
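As an added check that is not part of the original page, the following Ruby script replays the tail-source regexp and every rewrite_tag_filter chain from fluentd.conf and the include files, so the final tag of a log line (mailed via syslog.notification or dropped via syslog.discard) can be verified offline before reloading Fluentd. The sample log lines are constructed in the page's rsyslog CSV format; nothing here is fluent-plugin-rewrite-tag-filter's own code.

```ruby
# Added example, not code from the original page: replays the tail-source
# regexp and the rewrite_tag_filter chains from fluentd.conf and the include
# files in plain Ruby, so each line's final tag can be checked offline.
LINE_RE = /^(?<timestamp>[^ ]*\s*[^,]*),(?<fromhost>[^,]*),(?<hostname>[^,]*),(?<type>[^,]*),(?<syslogtag>[^,]*),"*(?<message>.*)"$/ # from fluentd.conf
# Lookahead "contains" match, so a type like {daemon.warning} still reaches syslog.warn.
PRIORITIES = %w[debug info notice warn err crit alert emerg panic].freeze
NOTIFY = [['type', /.*/, 'syslog.notification']].freeze # the catch-all <rule>

# tag => ordered rules [key, pattern, new_tag]; the first matching rule wins,
# exactly as rewrite_tag_filter evaluates its <rule> blocks.
RULES = {
  'syslog' => PRIORITIES.map { |p| ['type', /^(?=.*#{p}).*$/, "syslog.#{p}"] } + NOTIFY,
  'syslog.debug' => [['type', /.*/, 'syslog.discard']],
  'syslog.info'  => [['type', /.*/, 'syslog.discard']],
  'syslog.warn'  => [['syslogtag', /systemd/, 'syslog.warn.tag.systemd']] + NOTIFY,
  'syslog.warn.tag.systemd' => [['message', /Current command vanished from the unit file,/, 'syslog.discard']] + NOTIFY,
  'syslog.notice' => [['hostname', /ROOTER/, 'syslog.notice.host.rooter'],
                      ['syslogtag', /kernel:/, 'syslog.notice.tag.kernel']] + NOTIFY,
  'syslog.notice.host.rooter' => [['message', /NTP:/, 'syslog.discard']] + NOTIFY,
  'syslog.notice.tag.kernel'  => [['message', /\[ {3,}/, 'syslog.discard'],
                                  ['message', /apparmor="STATUS"/, 'syslog.discard']] + NOTIFY,
}.merge(%w[err crit alert emerg panic].map { |p| ["syslog.#{p}", NOTIFY] }.to_h).freeze

# Follow the chains from tag "syslog" until no chain owns the tag:
# syslog.notification is mailed, syslog.discard goes to the @type null match.
def route(record, tag = 'syslog')
  while (rules = RULES[tag])
    rule = rules.find { |key, pat, _| pat.match?(record[key].to_s) }
    break unless rule
    tag = rule[2]
  end
  tag
end

# Parse the line as in_tail would (record keys = named captures), then route it.
def final_tag(line)
  m = LINE_RE.match(line)
  m ? route(m.names.zip(m.captures).to_h) : 'unparsed'
end

SAMPLES = { # constructed lines: timestamp,fromhost,hostname,type,syslogtag,"message"
  err_test:   '2019/10/23 16:49:15,ubuntu,ubuntu,{user.err},hoge:," test"',
  cron_info:  '2019/10/23 16:49:16,ubuntu,ubuntu,{cron.info},CRON[7501]:," (root) CMD (run-parts)"',
  systemd:    '2019/10/23 16:49:17,ubuntu,ubuntu,{daemon.warning},systemd[1]:," Current command vanished from the unit file, ignoring."',
  kern_boot:  '2019/10/23 16:49:18,ubuntu,ubuntu,{kern.notice},kernel:," [    0.000000] Linux version 4.15.0"',
  rooter_ntp: '2019/10/23 16:49:20,ROOTER,ROOTER,{user.notice},ROOTER:," NTP: time synchronized"',
}.freeze

SAMPLES.each { |name, line| puts "#{name}: #{final_tag(line)}" }
```

Only err_test should print syslog.notification; the other four samples end in syslog.discard, which is what the include files are meant to achieve.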

root@ubuntu:~# fluentd --dry-run -c /etc/fluentd/fluentd.conf
2019-10-23 13:08:36 +0900 [info]: parsing config file is succeeded path="/etc/fluentd/fluentd.conf"
2019-10-23 13:08:36 +0900 [info]: starting fluentd-1.7.3 as dry run mode ruby="2.5.5"
2019-10-23 13:08:36 +0900 [info]: adding rewrite_tag_filter rule: type [#, /^(?=.*debug).*$/, "", "syslog.debug"]
2019-10-23 13:08:36 +0900 [info]: adding rewrite_tag_filter rule: type [#, /^(?=.*info).*$/, "", "syslog.info"]
2019-10-23 13:08:36 +0900 [info]: adding rewrite_tag_filter rule: type [#, /^(?=.*notice).*$/, "", "syslog.notice"]
2019-10-23 13:08:36 +0900 [info]: adding rewrite_tag_filter rule: type [#, /^(?=.*warn).*$/, "", "syslog.warn"]

~~~ (omitted) ~~~

2019-10-23 13:08:36 +0900 [info]: adding rewrite_tag_filter rule: type [#, /.*/, "", "syslog.notification"]
2019-10-23 13:08:36 +0900 [info]: adding rewrite_tag_filter rule: type [#, /.*/, "", "syslog.notification"]
2019-10-23 13:08:36 +0900 [info]: adding rewrite_tag_filter rule: type [#, /.*/, "", "syslog.notification"]
2019-10-23 13:08:36 +0900 [info]: adding rewrite_tag_filter rule: tag [#, /^(?=.*info).*$/, "", "fluentd.discard"]
2019-10-23 13:08:36 +0900 [info]: adding rewrite_tag_filter rule: tag [#, /.*/, "", "fluentd.notification"]
Confirm that no error or warning messages are displayed.

root@ubuntu:~# systemctl reload fluentd
root@ubuntu:~# systemctl status fluentd
● fluentd.service - Fluentd: Open Source Data Collector.
   Loaded: loaded (/lib/systemd/system/fluentd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-10-23 16:38:35 JST; 3s ago
     Docs: https://www.fluentd.org/
  Process: 7387 ExecStart=/usr/local/bin/fluentd $BIN_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 7408 (fluentd)
    Tasks: 8 (limit: 4535)
   Memory: 45.6M
   CGroup: /system.slice/fluentd.service
           ├─7408 /usr/bin/ruby2.5 /usr/local/bin/fluentd --log /var/log/fluentd --daemon /run/fluentd.pid
           └─7413 /usr/bin/ruby2.5 -Eascii-8bit:ascii-8bit /usr/local/bin/fluentd --log /var/log/fluentd --daemon /run/fluentd.p

Oct 23 16:38:34 ubuntu systemd[1]: Starting Fluentd: Open Source Data Collector....
Oct 23 16:38:35 ubuntu systemd[1]: Started Fluentd: Open Source Data Collector..

logger -p user.err test

From hoge@hogehoge.jp
To hoge@hogehoge.jp

timestamp: 2019/10/23 16:49:15
fromhost: ubuntu
hostname: ubuntu
type: {user.err}
syslogtag: hoge:
message:  test

Confirm that an email like this is delivered.

  • Last updated: 2019/11/04
  • by chibatono