Logging, Syslog and Log Analysis Forums
July 30, 2010, 09:46:14 pm *
Author Topic: send specific log using syslog-ng  (Read 1331 times)
reaky
« on: July 05, 2009, 07:00:39 am »

Hi friends,
I have a syslog-ng v3.0 server running on a RHEL server, gathering all logs from all servers and network devices on my network.
Now, as a first step, I want to send the logs of a specific IP that have severity from 4 --> 0 to alert me by email.
Could you please help me with how to do that?
The following is my conf file:
=======================================
# configuration file for syslog-ng, customized for remote logging

# syslog-ng's own messages go to a dedicated file
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };

# Remote logging: listen on TCP and UDP 514 on all interfaces
source s_remote {
    tcp(ip(0.0.0.0) port(514));
    udp(ip(0.0.0.0) port(514));
};

# One directory per sending host, one file per facility.
# $HOST ends up in a path, so check_hostname(yes) in options matters:
# it limits the client-supplied hostname to valid DNS characters.
destination d_separatedbyhosts {
    file("/var/log/syslog-ng/servers/$HOST/$FACILITY.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};

log { source(s_remote); destination(d_separatedbyhosts); };

options {

    # Number of syslog lines stored in memory before being written to files
    flush_lines (0);

    # Syslog-ng uses queues
    log_fifo_size (1000);

    # Create log directories as needed
    create_dirs (yes);

    # Make the group "logs" own the log files and directories
    # (the group must exist on the server)
    group (logs);
    dir_group (logs);

    # Set the file and directory permissions
    perm (0640);
    dir_perm (0750);

    # Check client hostnames for valid DNS characters
    check_hostname (yes);

    # Specify whether to trust the hostname in the log message.
    # If "yes", then it is left unchanged; if "no" the server replaces
    # it with the client's DNS lookup value.
    keep_hostname (yes);

    # Use DNS fully qualified domain names (FQDN)
    # for the names of log file folders
    use_fqdn (yes);
    use_dns (yes);

    # Cache DNS entries for up to 1000 hosts (expiry left at the default)
    dns_cache (yes);
    dns_cache_size (1000);
};

# Define all the sources of locally generated syslog
# messages and label it "s_localhost"
source s_localhost {
    pipe ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    internal();
};

# Define the destination "d_localhost" log directory
destination d_localhost {
    file ("/var/log/syslog-ng/localhost/$FACILITY.log");
};

# Define all the sources of network generated syslog
# messages and label it "s_network".
# NOTE: tcp() and udp() default to port 514, which s_remote above already
# binds, so this second listener cannot start; no log statement uses it
# either, so it is left commented out.
# source s_network {
#     tcp(max-connections(5000));
#     udp();
# };

# Define the destination "d_network" log directory
destination d_network {
    file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log");
};

# Any logs that match the "s_localhost" source should be logged
# in the "d_localhost" directory
log { source(s_localhost);
      destination(d_localhost);
};
=============================================================
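The question in the post above asks for two conditions at once: messages from one sending IP, and severity 0 through 4. syslog-ng 3.0 expresses that with filters on the log path rather than with a second file source. The configuration below is an added example, not from the thread or from syslog-ng's own documentation; it reuses the poster's source `s_remote` and the script path `/usr/local/bin/syslog-mail-perl` from the reply further down, and the address 192.0.2.10 is a placeholder to replace.

```syslog-ng
# Added example (not the poster's config): mail severity 0-4 from one host.
# Assumes source s_remote from the poster's config and the mail script
# /usr/local/bin/syslog-mail-perl; 192.0.2.10 is a placeholder address.

# Match on the packet's source address, not on the HOST field. With
# keep_hostname(yes) the HOST field is whatever the client wrote into the
# message, so a host("...") filter would trust the sender's claim.
filter f_alert_host { netmask("192.0.2.10/32"); };

# syslog severities 0 (emerg) through 4 (warning), inclusive
filter f_alert_level { level(emerg..warning); };

# The script is started once and fed one line per message on its stdin.
destination d_alert_mail { program("/usr/local/bin/syslog-mail-perl"); };

log {
    source(s_remote);
    filter(f_alert_host);
    filter(f_alert_level);
    destination(d_alert_mail);
};
```

`netmask()` compares the address the datagram or connection came from, so it holds even if a device sends a misleading hostname; `level(emerg..warning)` is the range form, which avoids listing five levels by hand. Both filters must match for the message to reach `d_alert_mail`; the existing `d_separatedbyhosts` path keeps receiving every message as before.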
reaky
« Reply #1 on: July 06, 2009, 02:46:08 am »

It worked successfully now, with the following:

=============
# file source: follow the authpriv log that d_separatedbyhosts writes for this host
source sme { file("/var/log/syslog-ng/servers/Central.mc.tedata.net/authpriv.log"); };

# each message is written to the mail script's stdin
destination maillog { program("/usr/local/bin/syslog-mail-perl"); };

log { source(sme); destination(maillog); };
===============
Thanks for the help
reaky
« Reply #2 on: July 06, 2009, 08:06:33 am »

Dears, I still have a small problem:
When it tried to send emails, I found that I must restart syslog every time to send the mails to sendmail. In other words, it buffers the emails until I restart syslog-ng; then it forwards them to sendmail and I can see them in the mail log.
Do you have any idea about that?
Thanks



The perl script is like the following:
++++++++++++++++++++++++++++++++++++
#!/usr/bin/perl -n
# thanks to Brian Dowling for an example with security in mind.
# Run from syslog-ng's program() destination: -n loops over every line
# syslog-ng writes to stdin, and each line becomes one e-mail.

$TO = 'reaky@domain.com';
$FROM = $TO;

chomp;   # drop the trailing newline so the Subject header stays on one line

# substitution on the start of the line (empty pattern as posted: a no-op)
s/^//;

# sendmail -t takes the recipients from the headers printed below
open(MAIL, "|/usr/sbin/sendmail -t") or die "cannot run sendmail: $!";

print MAIL <<"EOT";
To: $TO
From: $FROM
Subject: SME Log Alert: $_

$_

EOT

close(MAIL);
+++++++++++++++++++++++++++++++++++++++
« Last Edit: July 06, 2009, 08:09:04 am by reaky »