13.4.2. External actions

To perform an external action when a message is triggered, for example, to send the message in an e-mail, you have to route the generated messages to an external application using the program() destination.

Example 13.14. Sending triggered messages to external applications

The following sample configuration selects the triggered messages and sends them to an external script.

  1. Set a field in the triggered message that is easy to identify and filter. For example:

        <value name="MESSAGE">A log message from ${HOST} matched rule number $.classifier.rule_id</value>
        <value name="TRIGGER">yes</value>
  2. Create a destination that will process the triggered messages.

    destination d_triggers { program("/bin/myscript"; ); };
  3. Create a filter that selects the triggered messages from the internal source.

    filter f_triggers {match("yes" value ("TRIGGER") type(string));};
  4. Create a logpath that selects the triggered messages from the internal source and sends them to the script:

    log { source(s_local); filter(f_triggers); destination(d_triggers); };
  5. Create a script that will actually process the generated messages, for example:

    while (<>) {
            # body of the script to send emails, snmp traps, and so on