How can I make syslogd email certain log messages to me?

Here's a solution that uses named pipes. It is set up for Debian, but you should be able to modify it for BSD.


Notifications via syslogd(8)

On my OpenBSD server, I log and email important messages from my web applications, which use facility local1. Here is my /etc/syslog.conf to make it happen:

local1.err    /var/log/example.com
local1.err    |while read log; do echo "$log" | /usr/bin/mail -s SYSLOG [email protected]; done

Notice that the while loop infinitely reads each line from syslogd and then pipes it to mail via echo. This is important. Once echo outputs its line it terminates the pipe, sending mail an EOF so it can email the log message.

In other words, you can't pipe directly to mail via syslogd like so:

local1.err    |/usr/bin/mail -s SYSLOG [email protected]

because syslogd will continue writing to the pipe until it is itself terminated or sent a HUP signal, at which time mail would send the entire set of log messages in one big email.

Notifications via newsyslog(8)

Scheduling newsyslog in cron is another way to get messages at a slower rate or in bulk.

For example, if you wanted a daily email digest of the log messages, set the M flag and specify a monitor email address in /etc/newsyslog.conf:

# logfile_name        owner:group  mode  count  size  when  flags  monitor
/var/log/example.com  root:wheel   640   7      *     24    M      [email protected]

Then schedule newsyslog in crontab:

# minute hour  mday  month  wday  command
0        *     *     *      *     /usr/bin/newsyslog
1-59     *     *     *      *     /usr/bin/newsyslog -m

The -m option for newsyslog(8) states:

Monitoring mode; only entries marked with an `M' in flags are processed. For each log file being monitored, any log output since the last time newsyslog was run with the -m flag is mailed to the user listed in the monitor notification section.
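
A variant of the syslogd pipe loop described above, as an added example that is not part of the original answer: it reads each line verbatim (`IFS= read -r`, `printf`) and caps mail volume so that a burst of local1.err messages cannot flood the mailbox. The names `syslog_mail_loop`, `send_mail`, `report_dropped`, `SEND`, `RCPT` and `MAX_PER_MIN`, and the `--run` argument, are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original answer. Hypothetical names:
# syslog_mail_loop, send_mail, report_dropped, SEND, RCPT, MAX_PER_MIN, --run.

RCPT="${RCPT:-root}"              # assumption: mail goes to a local account
MAX_PER_MIN="${MAX_PER_MIN:-10}"  # assumption: at most 10 mails per 60 s window
SEND="${SEND:-send_mail}"         # command that gets one message body on stdin

# Fixed subject: log text is attacker-influenced, so it only goes in the body.
send_mail() {
    /usr/bin/mail -s SYSLOG "$RCPT"
}

# Mail a one-line summary if any messages were held back in the last window.
report_dropped() {
    if [ "$1" -gt 0 ]; then
        printf 'suppressed %s messages (rate limit %s/min)\n' "$1" "$MAX_PER_MIN" | "$SEND"
    fi
}

syslog_mail_loop() {
    window=0; sent=0; dropped=0
    # IFS= and -r keep leading whitespace and backslashes exactly as logged.
    while IFS= read -r log; do
        now=$(date +%s)
        if [ $((now - window)) -ge 60 ]; then
            report_dropped "$dropped"
            window=$now; sent=0; dropped=0
        fi
        if [ "$sent" -lt "$MAX_PER_MIN" ]; then
            # printf exits after one line, so the mailer sees EOF and sends.
            printf '%s\n' "$log" | "$SEND"
            sent=$((sent + 1))
        else
            dropped=$((dropped + 1))
        fi
    done
    report_dropped "$dropped"   # syslogd closed the pipe: flush the count
}

# Only consume stdin when asked to, e.g. from a syslog.conf pipe action.
if [ "${1:-}" = "--run" ]; then
    syslog_mail_loop
fi
```

Saved as an executable script (the path here is hypothetical), the syslog.conf action becomes `local1.err |/usr/local/sbin/syslog-mail --run`.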