Let’s configure postfix first. In my environment, this was pretty simple. We are using Cisco IronPort appliances as mail gateways. I configured my Rancid box as a host allowed to send through the IronPort. Once that was done, I just needed to configure postfix to use the IronPort as a relay. You should be able to use other mail systems (e.g. Exchange) in the same way.
To do that, edit the file /etc/postfix/main.cf.
- nano /etc/postfix/main.cf
- relayhost = mydomain.com
- relayhost = FQDN or ip address of your gateway
- service postfix start
- telnet localhost 25
- ehlo mail
- mail from: firstname.lastname@example.org
- rcpt to: email@example.com
- Subject: Testing postfix
- Just testing postfix.
[root@rancid]# telnet localhost 25
Connected to localhost.
Escape character is '^]'.
220 rancid.mydomain.com ESMTP Postfix
mail from: firstname.lastname@example.org
250 2.1.0 Ok
rcpt to: email@example.com
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
subject: Testing postfix
Just testing postfix.
.
250 2.0.0 Ok: queued as 8EF87C0F28
quit
221 2.0.0 Bye
Connection closed by foreign host.
If your gateway is configured correctly, you should get a message in your inbox. If not, the postfix logs at /var/log/ may provide clues to the problem, as well as the logs on your mail system.
Now we can configure triggers based on configuration changes on your devices. I am monitoring our Cisco routers, so I’ll walk through configuring the routers and SEC for Cisco.
We need to install Simple Event Correlator.
- yum install sec
- nano /etc/sec/cisco_config_change.sec
action=shellcmd /bin/su - rancid -c /usr/local/rancid/bin/rancid-run
With the action above, Rancid will run every time a config change is made. Alternatively, SEC can be configured to trigger the event at most once every x seconds. Set type=SingleWithSuppress in the rule and add the line window=x, where x is the number of seconds between triggers. For example, if you used 360, the action would only be fired if 360 seconds (5 minutes) had passed since the last trigger.
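The suppression window described above, modelled over constructed syslog lines; this is an added example, not code from the original post or from SEC itself. It assumes the rule matches the Cisco IOS `%SYS-5-CONFIG_I` message and that all routers share one window; `rancid_triggers` and the sample log are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog lines (not from the original post), in the form a router
# sends once "logging <ip>" points at the Rancid host.
SAMPLE_LOG = """\
Mar 13 10:00:00 rtr1 45: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Mar 13 10:00:40 rtr1 46: %LINK-3-UPDOWN: Interface Gi0/1, changed state to down
Mar 13 10:02:10 rtr1 47: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Mar 13 10:05:59 rtr2 12: %SYS-5-CONFIG_I: Configured from console by ops on vty1 (10.0.0.9)
Mar 13 10:06:30 rtr2 13: %SYS-5-CONFIG_I: Configured from console by ops on vty1 (10.0.0.9)
Mar 13 10:30:00 rtr1 48: %SYS-5-CONFIG_I: Configured from console by admin on console
garbled line without a timestamp %SYS-5-CONFIG_I
"""

# Assumed match pattern: the IOS mnemonic logged when a configuration session ends.
CONFIG_CHANGE = re.compile(r"%SYS-5-CONFIG_I")
STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")


def parse_time(line, year=2024):
    """Parse the leading syslog timestamp; syslog omits the year, so one is assumed."""
    m = STAMP.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def rancid_triggers(log_text, window=0):
    """Return the times at which the rancid-run action would fire.

    window=0 models firing on every match (the rule as first shown).
    window>0 models type=SingleWithSuppress: fire once, then ignore
    further matches until `window` seconds after that firing.
    """
    fired, suppress_until = [], None
    for line in log_text.splitlines():
        ts = parse_time(line)
        if ts is None or not CONFIG_CHANGE.search(line):
            continue  # unparseable line or not a config-change event
        if window and suppress_until and ts < suppress_until:
            continue  # still inside the suppression window
        fired.append(ts)
        if window:
            suppress_until = ts + timedelta(seconds=window)
    return fired
```

With `window=360` the five config-change events collapse to three Rancid runs, so a burst of edits from one maintenance session produces a single diff e-mail.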
The firewall has to be modified to allow the syslog daemon to listen for the messages.
- nano /etc/sysconfig/iptables
- -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
- service iptables restart
- Router(config)# logging on
- Router(config)# logging ip-address-of-rancid