External actions

To perform an external action when a message is triggered, for example, to send the message in an email, you have to route the generated messages to an external application using the program() destination.

Example: Sending triggered messages to external applications

The following sample configuration selects the triggered messages and sends them to an external script.

Set a field in the triggered message that is easy to identify and filter. For example:

    <values>
        <value name="MESSAGE">A log message from ${HOST} matched rule number $.classifier.rule_id</value>
        <value name="TRIGGER">yes</value>
    </values>

Create a destination that will process the triggered messages.

    destination d_triggers {
        program("/bin/myscript"; );
    };

Create a filter that selects the triggered messages from the internal source.

    filter f_triggers {
        match("yes" value ("TRIGGER") type(string));
    };

Create a logpath that selects the triggered messages from the internal source and sends them to the script:
```
    log { source(s_local); filter(f_triggers); destination(d_triggers); };
```

Create a script that will actually process the generated messages, for example:

    #!/usr/bin/perl
    while (<>) {
        # body of the script to send emails, snmp traps, and so on
    }

Last modified July 15, 2023: Patterndb chapter formatting fixes (f7dfdaa)