After demonstrating in part 2 the generation of alarm messages for certain events in the system log, we proceed in this blog post to the definition of emails and their configuration on the website.
As stated before in part 2, notifications per email need to be activated first in the server configuration.
How to achieve that, how this works and which parameters are required is described by Graylog:
These are the default settings in the example on the website:
- transport_email_enabled = false
- transport_email_hostname = mail.example.com
- transport_email_port = 587
- transport_email_use_auth = true
- transport_email_use_tls = true
• Enable SMTP with STARTTLS for encrypted connections.
- transport_email_use_ssl = false
• Enable SMTP over SSL (SMTPS) for encrypted connections.
- transport_email_auth_username = firstname.lastname@example.org
- transport_email_auth_password = secret
- transport_email_subject_prefix = [graylog]
- transport_email_from_email = email@example.com
It is recommended to keep the website open and to start the configuration of the Graylog server on the command line with the following command:
sudo nano /etc/graylog/server/server.conf
Using „CTRL+W“, one can search for transport_email.
These are the parameters for the email notification. However, these are still commented out. The number sign, also known as hashtag, serves to identify comments in configuration files. The following characters are therefore not used by the server. Nevertheless, a user can read these when editing.
Thus, a user can structure the file, give hints or activate respectively deactivate functions with this comment function.
In the command line window, this may look as shown here.
The password is blackened out here.
Save your modifications with „CTRL+O“ and close the editor with „CTRL+X“.
The service needs to be restarted for the modifications to take effect. Use this command in the command line:
sudo systemctl restart graylog-server.service
With the following command one can check if the service is running again:
sudo systemctl status graylog-server.service
Back on the website the configuration of the email notification can be completed. Create a new notification and pick email as notification type. As sender insert the email address given in server.conf (transport_email_from_email). In my case firstname.lastname@example.org. The subject and the content of the email remain unchanged. An arbitrary recipient can be defined for the notification. In my case it is my email address email@example.com.
When done, test the configuration with a test email.
Now the configuration is accomplished and the notification can be tested.
Now return to your SSH session and generate again 5 unauthorized attempts to access the device as Root. The data need to be transmitted first which requires some time.
You will receive the email after about half a minute!
This example shows very well what is possible with Graylog even without an enterprise licence.
Likewise, one can generate alarms in case of M-Bus meters defying readout, unsuccessful reports or dial-in in the mobile network.