Looper - Alert Routing System.
Mohit Muthanna [mohit AT muthanna DOT com]

Adding Rules Files

This configuration sends e-mail based on messages received by syslogd. A rules file decides who gets the e-mail for which alert, depending on the host the alert came from. The rules file also does some filtering so that only kernel errors are passed on.

Here's the conf file:

inputmodulepath = 'modules/input'
outputmodulepath = 'modules/output'
rulesfile = 'conf/rules/email.rules'
logfile = '/tmp/looper.log'

input in {
    module = 'syslog_in'
    debugmessages = '/tmp/syslog.looper.log'
    logfile = '/var/log/messages.1.bak'
    debugmode = '3'
    sleeptime = '2'
}
output out {
    module = 'email_out'
    mailpath = '/bin/mail'
    debugmode = '3'
}

And here's the relevant rules file:

%outputTokens = ();

%admins = (
prometheus => 'mohit@edgesolutions.ca',
melantho => 'mohit@edgesolutions.ca',
dope => 'weed@edgesolutions.ca'
);

# Ignore all weed logs
exit(0) if ( $inputTokens{node} eq "weed" );

# We only want kernel errors
exit(0) if ( $inputTokens{desc} !~ m/^kernel/);

# Send the logs
$outputTokens{mailto} = $admins{$inputTokens{node}};
$outputTokens{mailsubject} = "Alert at $inputTokens{date} ";
$outputTokens{mailbody} = "$inputTokens{desc}";

writeTo ("out");

First let's look at the configuration file. Everything looks familiar, except that the module named out uses the email_out plugin. This plugin sends mail through the mail program given by the mailpath parameter. The path to the rules file is specified at the beginning of the file.

How rules files work

The rules file is basically Perl code, with utility functions that simplify things greatly. When the rules file is evaluated, it is fed Input Tokens that come from the input module (here syslog_in). These tokens are stored in the hash %inputTokens. The syslog_in module, for example, populates %inputTokens with the keys date, node and desc, which hold the log date, the originating node and the log description respectively.

Output Tokens are used to send data to the output module. These tokens are stored in the hash %outputTokens. On startup, the contents of %inputTokens are copied into %outputTokens, so a rules file that does not want every input token forwarded to the output module has to clear %outputTokens first. Different output modules require different output tokens. In the example above, the email_out module uses the tokens mailto, mailsubject and mailbody, which hold the recipient address, the subject text and the body respectively (the body may contain newlines).

A standard rules file first filters on the input tokens, then sets up the appropriate output tokens, then calls the writeTo subroutine. This subroutine invokes the named output module and hands it the output tokens.

The Example

In the above code, the output tokens are cleared first. Then a hash called %admins is created to map node names to e-mail addresses. The next two lines filter the events on node name and description; the exit command stops processing immediately. After that the output tokens are set up and writeTo() is called for the out module.
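To see the whole cycle end to end, here is a stand-alone Perl script added for this article. It is not part of Looper and does not use the project's modules; it replays a few constructed syslog lines through rules logic modelled on the email.rules above. It assumes syslog lines of the form "<date> <host> <desc>", stands in for syslog_in with a small parser and for writeTo with a recorder instead of calling /bin/mail, uses return in place of exit(0) because it evaluates several messages in one process, and adds one check the page's rules lack: a node with no entry in %admins would leave mailto undefined, so such messages are dropped with a warning instead of being handed to the output module.

```perl
#!/usr/bin/perl
# Constructed harness: replays syslog lines through rules modelled on
# the page's email.rules. Not Looper code; see lead-in for assumptions.
use strict;
use warnings;

# Constructed sample log lines (classic "<date> <host> <desc>" layout).
my @lines = (
    "Mar  3 10:15:01 prometheus kernel: Out of Memory: Killed process 1234 (httpd).",
    "Mar  3 10:15:07 prometheus sshd[812]: Accepted publickey for mohit from 10.0.0.5",
    "Mar  3 10:16:22 weed kernel: eth0: link down",
    "Mar  3 10:17:45 melantho kernel: EXT3-fs error (device hda1): ext3_find_entry",
    "Mar  3 10:18:03 unknownhost kernel: panic: hypothetical unmapped node",
    "garbage line that does not parse",
);

# Stand-in for the syslog_in module: fills date, node and desc.
# Assumption: the line starts with a 'Mon dd hh:mm:ss' timestamp.
sub parse_syslog_line {
    my ($line) = @_;
    my ($date, $node, $desc) =
        $line =~ /^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$/
        or return;
    return { date => $date, node => $node, desc => $desc };
}

# The same two global hashes a real rules file sees.
our (%inputTokens, %outputTokens);

# Stand-in for Looper's writeTo(): records the output tokens instead of
# running /bin/mail, so the result can be inspected offline.
my @sent;
sub writeTo {
    my ($module) = @_;
    push @sent, { module => $module, %outputTokens };
}

my %admins = (
    prometheus => 'mohit@edgesolutions.ca',
    melantho   => 'mohit@edgesolutions.ca',
    dope       => 'weed@edgesolutions.ca',
);

# The rules, wrapped in a sub so one process can evaluate many messages.
# 'return' plays the role of the page's exit(0).
sub rules {
    %outputTokens = ();                          # drop the copied input tokens

    return if $inputTokens{node} eq 'weed';      # ignore all weed logs
    return if $inputTokens{desc} !~ m/^kernel/;  # we only want kernel errors

    # Added check: an unmapped node would otherwise leave mailto undefined.
    my $to = $admins{ $inputTokens{node} };
    unless (defined $to) {
        warn "no admin mapping for node '$inputTokens{node}', dropping\n";
        return;
    }

    $outputTokens{mailto}      = $to;
    $outputTokens{mailsubject} = "Alert at $inputTokens{date}";
    $outputTokens{mailbody}    = $inputTokens{desc};
    writeTo('out');
}

for my $line (@lines) {
    my $tokens = parse_syslog_line($line);
    unless ($tokens) {
        warn "unparsable line skipped: $line\n";
        next;
    }
    %inputTokens  = %$tokens;
    %outputTokens = %inputTokens;   # Looper copies input tokens on startup
    rules();
}

# Show what would have been mailed (two messages for the sample above:
# the prometheus OOM and the melantho EXT3 error).
for my $m (@sent) {
    print "[$m->{module}] to=$m->{mailto} subject=\"$m->{mailsubject}\"\n";
    print "    body: $m->{mailbody}\n";
}
```

Run it with perl and the two kernel lines from mapped hosts are reported as sent, the sshd line fails the kernel filter, the weed line is ignored, and the unmapped host and the unparsable line each produce a warning on stderr. In a real deployment the rules file is evaluated as Perl with the real writeTo, so only administrators should be able to write to conf/rules/email.rules.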

As you can see, building the rules file is really a piece of cake. You can really tune things here and set up all sorts of mappings. From here you can go ahead with the next article: More Rules Files.

Go to the Looper Event / Alert System home page: http://looper.sf.net.