Hello everyone, I have the following conf file and it is working except that the mailBody template is not applied to outgoing emails. I searched the documentation and searched the Internet looking for a way to apply the mailBody template to the body of the email but found nothing. You can see I tried body.template but that didn't work. Does anyone have any suggestions?
# https://www.rsyslog.com/doc/configuration/modules/ommail.html
# NOTE: the ommail module must be enabled in rsyslog.conf (MH)

template (name="mailBody" type="string" string="RSYSLOG Alert\\r\\nmsg='%msg%'")
template (name="mailSubjectAdmin" type="string" string="ALERT: We got an Admin login/logoff on %hostname%")

if $msg contains 'logdesc="Admin' then {
    action(type="ommail" server="172.16.31.15" port="25"
        mailfrom="n...@wantegrity.com"
        mailto=["mhawk...@wantegrity.com", "r...@saturn.home"]
        subject.template="mailSubjectAdmin"
#       body.template="mailBody"
        action.execonlyonceeveryinterval="2"
        action.execOnlyWhenPreviousIsSuspended="off"
    )
}

I get emails. But they don't contain the body template. Just the entire syslog message:

2025-01-08T15:44:38.820736-05:00 _gateway date=2025-01-08 time=12:50:22 devname="hub01" devid="FGVMELTM24013479" eventtime=1736369422622464713 tz="-0800" logid="0100032003" type="event" subtype="system" level="information" vd="root" logdesc="Admin logout successful" sn="1736368512" user="admin" ui="https(172.16.31.191)" method="https" srcip=172.16.31.191 dstip=172.16.31.1 action="logout" status="success" duration=910 state="Config-Changed" reason="exit" msg="Administrator admin logged out from https(172.16.31.191)"

--
Wantegrity Inc.
Michael A Hawkins, President
Stamford, CT 06902 USA
Mobile: 203-550-5502

On Wed, 2025-01-08 at 10:59 -0800, David Lang via rsyslog wrote:
> if the sender doesn't break up the logs properly with TCP, there really isn't
> anything you can do on the receiving end.
>
> If you can get UDP working, then each UDP packet is a separate message.
>
> Since you are running openwrt on the sending side, you could replace the default
> logging software with rsyslog there to fix the log format.
>
> David Lang
>
> On Wed, 8 Jan 2025, Alberto via rsyslog wrote:
>
> > Date: Wed, 8 Jan 2025 15:25:37 +0100
> > From: Alberto via rsyslog <rsyslog@lists.adiscon.com>
> > To: 'rsyslog-users' <rsyslog@lists.adiscon.com>
> > Cc: Alberto <albe...@bersol.info>
> > Subject: [rsyslog] Remote log files without Line separator
> >
> > Hi everybody:
> >
> > I have a logserver in a Docker container with the "official" image
> > (Rsyslog/syslog_appliance_alpine) running successfully, and getting logs from
> > physical hosts on my LAN and other Docker containers hosted locally.
> >
> > I am having a problem with a TP-Link router with an Openwrt system that is sending
> > logs to my logserver. This is its configuration:
> >
> > root@wrt:~# cat /etc/config/system
> > option hostname 'wrt'
> > option log_hostname 'wrt'
> > option zonename 'Europe/Madrid'
> > #option timezone 'UTC'
> > option timezone 'CET-1CEST,M3.5.0,M10.5.0/3'
> > option log_ip 'IP HOST LOGSERVER'
> > option log_port '514'
> > option log_proto 'tcp'
> > option log_remote '1'
> > option cronloglevel '0'
> > option conloglevel '8'
> > option klogconloglevel '8'
> > option log_prefix 'openwrt'
> > option log_size 64
> > #option buffersize 1024
> > option log_trailer_null \0
> > option log_file '/var/log/messages'
> >
> > I've set the TCP option because UDP isn't running (I don't know why).
> >
> > The logserver receives all its logs in one line, without any line separation,
> > in this format:
> >
> > .
> >
> > openwrt: hostapd: wlan0: STA 1e:bf:ce:0c:54:a4 WPA: group key handshake completed (RSN)openwrt: hostapd: wlan0: STA 20:57:9e:6e:24:6b WPA: group key handshake completed (RSN)openwrt: hostapd: wlan0: STA 1e:bf:ce:0c:54:a4 WPA: group key handshake completed (RSN)openwrt: hostapd: wlan0: STA 20:57:9e:6e:24:6b WPA: group key handshake completed (RSN)
> >
> > .
> >
> > With this template:
> >
> > template(name="tFileFormatwrt" type="list") {
> >     property(name="timereported" dateformat="year")
> >     property(name="timereported" dateformat="month")
> >     property(name="timereported" dateformat="day")
> >     constant(value="-")
> >     property(name="timereported" dateformat="hour")
> >     constant(value=":")
> >     property(name="timereported" dateformat="minute")
> >     constant(value=":")
> >     property(name="timereported" dateformat="second")
> >     constant(value=" ")
> >     #property(name="syslogtag")
> >     property(name="app-name")
> >     constant(value=" ")
> >     property(name="msg")
> >     constant(value="\n")
> > }
> >
> > And if I set Debug with this template:
> >
> > template(name="tLogDEBUG" type="list") {
> >     constant(value="Debug line with all properties:\nFROMHOST: '")
> >     property(name="fromhost")
> >     constant(value="'\nHOSTNAME: '")
> >     property(name="hostname" caseConversion="lower")
> >     constant(value="'\nPROGRAMNAME: '")
> >     property(name="programname" caseConversion="lower")
> >     constant(value="'\nFROMHOST-IP: '")
> >     property(name="fromhost-ip" caseConversion="lower")
> >     constant(value="'\nSYSLOGTAG: '")
> >     property(name="syslogtag" caseConversion="lower")
> >     constant(value="-")
> >     constant(value="'\nAPP-NAME: '")
> >     property(name="app-name" caseConversion="lower")
> >     constant(value="'\nPROCID: '")
> >     property(name="procid" caseConversion="lower")
> >     constant(value="'\nMSGID: '")
> >     property(name="msgid" caseConversion="lower")
> >     constant(value="'\nINPUTNAME: '")
> >     property(name="inputname" caseConversion="lower")
> >     constant(value="'\nPRI: '")
> >     property(name="pri")
> >     constant(value="'\nSTRUCTURED-DATA: ")
> >     property(name="structured-data")
> >     constant(value="',\nMSG: '")
> >     property(name="msg" controlcharacters="drop")
> >     constant(value="',\nRAWMSG: '")
> >     property(name="rawmsg")
> >     constant(value="\n\n")
> > }
> >
> > I receive in this format:
> >
> > Debug line with all properties:
> > FROMHOST: '172.20.0.1'
> > HOSTNAME: '172.20.0.1'
> > PROGRAMNAME: 'openwrt'
> > FROMHOST-IP: '172.20.0.1'
> > SYSLOGTAG: 'openwrt:-'
> > APP-NAME: 'openwrt'
> > PROCID: '-'
> > MSGID: '-'
> > INPUTNAME: 'imtcp'
> > PRI: '13'
> > STRUCTURED-DATA: -',
> > MSG: ' logread[749]: Logread connected to 192.168.5.10:514openwrt: hostapd: wlan0: STA 1e:bf:ce:0c:54:a4 WPA: group key handshake completed (RSN)openwrt: hostapd: wlan1: STA 20:57:9e:6e:24:6b WPA: group key handshake completed (RSN)openwrt: netifd: lan (885): Sending renew...openwrt: netifd: lan (885): Lease of 192.168.5.11 obtained, lease time 3600openwrt: syslog: - shutdown -',
> > RAWMSG: 'openwrt: logread[749]: Logread connected to 192.168.5.10:514openwrt: hostapd: wlan0: STA 1e:bf:ce:0c:54:a4 WPA: group key handshake completed (RSN)openwrt: hostapd: wlan1: STA 20:57:9e:6e:24:6b WPA: group key handshake completed (RSN)openwrt: netifd: lan (885): Sending renew...openwrt: netifd: lan (885): Lease of 192.168.5.11 obtained, lease time 3600openwrt: syslog: - shutdown -
> >
> > I don't know how to save logs from this host with the line separator in
> > each real line, because the source host doesn't seem to send it.
> >
> > Any idea?
> >
> > Thank you
> >
> > Best Regards,
> >
> > Alberto
> >
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
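An added example (not part of the original thread, and not rsyslog's code) of the receiver-side framing problem David Lang's quoted reply describes: a TCP byte stream only splits into records where the sender supplies an octet count or a trailer byte. The helper names, the sample lines and the choice to flush an unterminated tail as one record at connection close are assumptions of this example.

```python
# Added example: receiver-side framing of a plain-TCP syslog stream.
# split_frames() and receive() are hypothetical helpers, not rsyslog code.

def split_frames(buf: bytes, trailer: bytes = b"\n"):
    """Return (messages, leftover) for bytes read from one TCP connection.

    "<len> <msg>" is taken as an octet-counted frame; anything else runs
    up to the next trailer byte. Leftover is data with no complete frame.
    """
    msgs, pos = [], 0
    while pos < len(buf):
        i = pos
        while buf[i:i + 1].isdigit():
            i += 1
        if i > pos and buf[i:i + 1] == b" ":      # octet-counted frame
            end = i + 1 + int(buf[pos:i])
            if end > len(buf):
                break                             # body not fully received
            msgs.append(buf[i + 1:end])
            pos = end
            continue
        cut = buf.find(trailer, pos)              # trailer-delimited frame
        if cut == -1:
            break                                 # no boundary in the data
        msgs.append(buf[pos:cut])
        pos = cut + len(trailer)
    return msgs, buf[pos:]


def receive(stream: bytes, trailer: bytes = b"\n"):
    """Frame a whole connection; flush any unterminated tail on close."""
    msgs, tail = split_frames(stream, trailer)
    return msgs + ([tail] if tail else [])


# Constructed sample lines, modelled on the RAWMSG quoted in the thread.
LINES = [
    b"openwrt: hostapd: wlan0: STA 1e:bf:ce:0c:54:a4 WPA: group key handshake completed (RSN)",
    b"openwrt: netifd: lan (885): Sending renew...",
    b"openwrt: netifd: lan (885): Lease of 192.168.5.11 obtained, lease time 3600",
]

if __name__ == "__main__":
    glued = b"".join(LINES)                                    # no trailer sent
    counted = b"".join(b"%d %s" % (len(m), m) for m in LINES)  # octet counting
    print(len(receive(glued)), "record(s) from the undelimited stream")
    print(len(receive(counted)), "record(s) with octet counting")
    print(len(receive(b"\n".join(LINES) + b"\n")), "record(s) with LF trailer")
```

The `trailer` argument matters for log integrity: a receiver that expects LF while the sender terminates records with a different byte merges every event on the connection into one record.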