Tips for setting up email alerting

In a number of installations, Trisul runs on a system where syslog is automatically forwarded to a logging system such as an ELK stack, ELSA, or Splunk. This conflicts with Trisul’s built-in email notification service. This quick blog post explains how you can solve this issue.

This post assumes you have configured email server information and have successfully sent a test email.

Flow

Alerts generated by the trisul daemon process flow as shown below on their way to being emailed out.


+--------+        +------------+    +-----------------+   +--------+
| trisul +------->| /var/log/  +--->| email_alerts.rb +-->|inbox   |
| daemon | syslog | /messages  |    | notif  service  |   |        |
+--------+        +------------+    +-----------------+   +--------+

Redirect rsyslogd and configure notification service

The simplest way to solve this is to create a basic rsyslogd configuration where all messages from $programname==trisul are sent to a different file without disturbing your other configuration.

Create a rsyslogd config file

  1. Create a config file in the rsyslog.d directory. If you already have files there, remember that the files are processed in order, so name your file 01-default.conf to get ahead of the other files.

cd /etc/rsyslog.d

vim 01-default.conf

Put this line in 01-default.conf to tee (send) trisul logs to a new file in /tmp

if $programname == 'trisul' then /tmp/trisul-syslog.log

If you do not want to send trisul messages to your logging system, add a stop marker &~ on the line directly after the rule.

if $programname == 'trisul' then /tmp/trisul-syslog.log
&~

Restart rsyslogd via service rsyslog restart

Point the email notification service to new file

  1. Open up /usr/local/share/webtrisul/config/initializers/emailalert_settings.rb
  2. Add the following lines if they don't exist

# The first entry must be the same file named in 01-default.conf
SYSLOG_DIRS= %w(/tmp/trisul-syslog.log /var/log/syslog /var/log/messages )

Restart the email notification service from Admin > Start/Stop/Tasks
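
The two files edited above have to name the same log file, and a single hyphen/underscore difference silently stops alerts from being emailed. The script below is an added example, not part of the original post or of Trisul: it checks that the rsyslog rule's target appears in SYSLOG_DIRS. The function names are hypothetical and the demo runs on constructed copies of the two files.

```shell
#!/bin/sh
# Added example: verify that the file rsyslog writes trisul messages to is
# one of the files listed in SYSLOG_DIRS. File contents below are constructed.

# Print the target file of the first "if $programname == 'trisul' then" rule.
# Only straight quotes match; a rule pasted with curly quotes yields nothing.
rsyslog_trisul_target() {
    sed -n "s/^[[:space:]]*if[[:space:]]*[\$]programname[[:space:]]*==[[:space:]]*'trisul'[[:space:]]*then[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Print each path in the SYSLOG_DIRS %w(...) list, one per line.
syslog_dirs() {
    sed -n 's/^[[:space:]]*SYSLOG_DIRS[[:space:]]*=[[:space:]]*%w(\(.*\)).*/\1/p' "$1" |
        tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Return 0 if wired correctly, 1 on path mismatch, 2 if no usable rule exists.
alert_path_wired() {
    target=$(rsyslog_trisul_target "$1")
    if [ -z "$target" ]; then
        echo "no trisul rule found in $1"; return 2
    fi
    if syslog_dirs "$2" | grep -Fxq -- "$target"; then
        echo "ok: $target is read by the notification service"
    else
        echo "mismatch: rsyslog writes $target, not listed in SYSLOG_DIRS"; return 1
    fi
}

# Demo on constructed copies of the two files (nothing under /etc is touched).
demo_dir=$(mktemp -d)
printf '%s\n' "if \$programname == 'trisul' then /tmp/trisul-syslog.log" '&~' > "$demo_dir/01-default.conf"
printf '%s\n' 'SYSLOG_DIRS= %w(/tmp/trisul_syslog.log /var/log/syslog /var/log/messages )' > "$demo_dir/bad.rb"
printf '%s\n' 'SYSLOG_DIRS= %w(/tmp/trisul-syslog.log /var/log/syslog /var/log/messages )' > "$demo_dir/good.rb"
alert_path_wired "$demo_dir/01-default.conf" "$demo_dir/bad.rb" || true
alert_path_wired "$demo_dir/01-default.conf" "$demo_dir/good.rb" || true
```

To check a real installation, pass /etc/rsyslog.d/01-default.conf and the emailalert_settings.rb path to alert_path_wired instead of the demo files.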
