Trigger alert when keyword found in remote server logs

I’m trying to configure HA to fire a Pushover alert when a specific keyword is found in the DNS logs of my AdGuard Home server. I’ve set up passwordless ssh access to it and have created the following sensor:

command_line:
  - sensor:
      name: adguard_logs
      command: "ssh -i /config/.ssh/id_rsa -o StrictHostKeyChecking=no [email protected] 'cat /opt/AdGuardHome/data/querylog.json'"
      scan_interval: 60

I’ve created an automation that looks for the keyword and fires an alert if found, but it doesn’t fire when I test it.

alias: Flag Blacklist
description: ""
trigger:
  - platform: state
    entity_id: sensor.adguard_logs
condition:
  - condition: template
    value_template: "{{ 'BLACKLIST' in trigger.to_state.state }}"
action:
  - service: notify.pushover
    data:
      message: Found the BLACKLIST string in the log file!

Any suggestions where I’m going wrong please?

What do you have in your traces? Is the automation running at all? Or is it failing the condition?

You might also check the command line sensor entity to make sure it actually has the content you expect it to.

Thanks for getting back to me. Trace stopped because a condition failed.
How do I check the command line sensor?

{
  "trace": {
    "last_step": "condition/0",
    "run_id": "b4de2fd5673928706684fd7159010c9b",
    "state": "stopped",
    "script_execution": "failed_conditions",
    "timestamp": {
      "start": "2023-12-05T13:26:10.647158+00:00",
      "finish": "2023-12-05T13:26:10.647282+00:00"
    },
    "domain": "automation",
    "item_id": "1701778200024",
    "trigger": "state of sensor.adguard_logs",
    "trace": {
      "trigger/0": [
        {
          "path": "trigger/0",
          "timestamp": "2023-12-05T13:26:10.647191+00:00",
          "changed_variables": {
            "this": {
              "entity_id": "automation.new_automation_2",
              "state": "on",
              "attributes": {
                "id": "1701778200024",
                "last_triggered": "2023-12-05T13:04:17.675839+00:00",
                "mode": "single",
                "current": 0,
                "friendly_name": "WIP Flag Blacklist"
              },
              "last_changed": "2023-12-05T13:04:36.430105+00:00",
              "last_updated": "2023-12-05T13:04:36.430105+00:00",
              "context": {
                "id": "01HGX1952E75TZX6YBGYYP36VB",
                "parent_id": null,
                "user_id": null
              }
            },
            "trigger": {
              "id": "0",
              "idx": "0",
              "alias": null,
              "platform": "state",
              "entity_id": "sensor.adguard_logs",
              "from_state": null,
              "to_state": {
                "entity_id": "sensor.adguard_logs",
                "state": "unknown",
                "attributes": {},
                "last_changed": "2023-12-05T13:26:10.516276+00:00",
                "last_updated": "2023-12-05T13:26:10.516276+00:00",
                "context": {
                  "id": "01HGX2GMTM5S5MWNVGAQT1DGG1",
                  "parent_id": null,
                  "user_id": null
                }
              },
              "for": null,
              "attribute": null,
              "description": "state of sensor.adguard_logs"
            }
          }
        }
      ],
      "condition/0": [
        {
          "path": "condition/0",
          "timestamp": "2023-12-05T13:26:10.647208+00:00",
          "result": {
            "result": false,
            "entities": []
          }
        }
      ]
    },
    "config": {
      "id": "1701778200024",
      "alias": "WIP Flag Blacklist",
      "description": "",
      "trigger": [
        {
          "platform": "state",
          "entity_id": "sensor.adguard_logs"
        }
      ],
      "condition": [
        {
          "condition": "template",
          "value_template": "{{ 'blahblahblah' in trigger.to_state.state }}"
        }
      ],
      "action": [
        {
          "service": "notify.pushover",
          "data": {
            "message": "Found the specific string in the log file!"
          }
        }
      ]
    },
    "blueprint_inputs": null,
    "context": {
      "id": "01HGX2GMYQNQFV6K1J62YG6903",
      "parent_id": "01HGX2GMTM5S5MWNVGAQT1DGG1",
      "user_id": null
    }
  },
  "logbookEntries": []
}

In the sidebar, go to Developer Tools, then States, then search for your entity. You should be able to see the entire contents of the entity there. It will look something like this where the State of the sensor is the middle column and additional attributes are in the last column:

You are likely going to be looking in the State column. If it doesn’t look how you are expecting or you can’t find the string you are searching for then you may need to diagnose your command line sensor.

Unfortunately I haven’t used the command line integration so I can’t help too much there! Hopefully this helps.

That’s the issue then - I’m getting ‘unknown’ as the filter state. I guess there’s some issue with the ssh remote access from within the docker container or something. It’s annoying, though, as the command I’m using works from the CLI itself.

Nothing in your HA logs about errors setting the sensor?

Sorry that I can’t help with the syntax of the command line integration. Could always try the GitHub?

Looking at your command, it looks like you are trying to store the entire output of the log in the state of the sensor. You can’t do that. States have a very small size limit. I wouldn’t recommend storing the log in the attributes either, that will be huge.
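
The approach the last reply points toward, as an added example that is not part of the thread: run the keyword search on the AdGuard host and return only a short count, so the sensor state never holds the log itself. The function name `count_new_hits`, the offset file and the script name are assumptions; the sketch goes a step beyond the thread by counting only lines appended since the previous poll and by handling log rotation.

```shell
#!/bin/sh
# Added example (not from the thread): count keyword hits in the part of a log
# appended since the previous poll, so the caller gets a short number.
# count_new_hits and the offset file are assumptions made for this sketch.

count_new_hits() {
    log=$1
    keyword=$2
    offset_file=$3

    # Unreadable log: return a short, distinct state rather than empty output.
    [ -r "$log" ] || { echo "unavailable"; return 0; }

    size=$(wc -c < "$log" | tr -d ' ')

    # Byte offset reached on the previous run; anything non-numeric means 0.
    last=$(cat "$offset_file" 2>/dev/null || true)
    case $last in
        ''|*[!0-9]*) last=0 ;;
    esac

    # The log shrank, so it was rotated or truncated: rescan from the start.
    if [ "$last" -gt "$size" ]; then
        last=0
    fi

    # Scan only bytes last+1..size so lines written mid-run are counted next time.
    # -F matches the keyword literally and -- stops it being read as an option.
    # grep -c exits 1 on zero matches, so keep that from aborting under set -e.
    hits=$(tail -c +"$((last + 1))" "$log" | head -c "$((size - last))" \
        | grep -c -F -- "$keyword" || true)

    echo "$size" > "$offset_file"
    echo "$hits"
}

# Run as: count_new_hits.sh LOGFILE KEYWORD OFFSET_FILE
if [ "$#" -eq 3 ]; then
    count_new_hits "$@"
fi
```

With this on the AdGuard host, the sensor's ssh command can run the script instead of `cat`, and the automation can test for a state above 0. A state trigger fires only when the value changes, so two consecutive polls that return the same non-zero count produce a single alert.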