DNS translation and Severity logging

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
Enamejko
Posts: 7
Joined: Wed Oct 19, 2016 1:31 pm

DNS translation and Severity logging

Post by Enamejko »

Hello,

I would like to ask you for help here. I have set up Nagios Log Server and am currently collecting logs from Cisco switches in our company.

The first thing I wanted to solve was DNS resolution for host, which is not working currently. I have created a filter and checked reverse DNS lookup; all looks fine, but no go with FQDN under host.

Code:

dns {
    reverse => [ "host" ]
    action => [ "replace" ]
    add_tag => [ "dns" ]
}
The second thing is that all the logs from Cisco are translated by Nagios incorrectly. Severity for all is Emergency and even facility is not visible... see attachment.

Thank you!
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: DNS translation and Severity logging

Post by rkennedy »

I just tested your filter, and it was applied without issue. Do you have other GROK patterns being applied before it that would affect it? The other thing it could be, is the NLS machine cannot resolve. Are you able to run nslookup ip.here of the ip that isn't resolving? It may just need your local DNS resolvers to use.
[attachment: nls-dnsfilter.PNG]
As for the Cisco logs, could you show us all of your inputs currently configured on the machine? I suspect you're using the default syslog input, which is applying the default syslog filtering. What we'll need to do is alter this, and define a custom grok filter specifically for Cisco.
Former Nagios Employee
Enamejko
Posts: 7
Joined: Wed Oct 19, 2016 1:31 pm

Re: DNS translation and Severity logging

Post by Enamejko »

I have only default GROK patterns. nslookup is working correctly with the FQDN as well as with the IP address.
I was checking the settings and found that the IP and hostname are not correct for my instance; could that be the issue? How can I change it?
[attachment: 20-10-2016 11-42-18.gif]
INPUT:
[attachment: 20-10-2016 11-48-27.gif]

Code:
syslog {
    type => 'syslog'
    port => 514
}
Filters:
[attachment: 20-10-2016 11-48-40.gif]
APACHE

Code:
if [program] == 'apache_access' {
    grok {
        match => [ 'message', '%{COMBINEDAPACHELOG}']
    }
    date {
        match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z', 'MMM dd HH:mm:ss', 'ISO8601' ]
    }
    mutate {
        replace => [ 'type', 'apache_access' ]
        convert => [ 'bytes', 'integer' ]
        convert => [ 'response', 'integer' ]
    }
}
 
if [program] == 'apache_error' {
    grok {
        match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
    }
    mutate {
        replace => [ 'type', 'apache_error' ]
    }
}
DNS_Name

Code:

dns {
    reverse => [ "host" ]
    action => [ "replace" ]
    add_tag => [ "dns" ]
}
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: DNS translation and Severity logging

Post by rkennedy »

Is nslookup working correctly from the NLS machine or from a different one? Just making sure it's using your local resolvers vs. online resolvers. This is usually the culprit, which is why I ask.

As for the Cisco logs, this is the issue. Using syslog as an input applies a filter to it by default. I would change your inputs to be the following -

Code:

tcp {
    port => 514
    type => cisco
}
udp {
    port => 514
    type => cisco
}
Then, for your Cisco logs, apply this GROK filter -

Code:

if [type] == "cisco" {
    grok {
        match => { "message" => "<%{POSINT:pri}>: %{SYSLOGTIMESTAMP:timestamp}: %{GREEDYDATA:systype}: %{GREEDYDATA:sysuer} : %{GREEDYDATA:syslog_message}" }
    }
}
You may have to modify the match pattern, so that we can get all of your variables -> fields, but I would try this to see what it succeeds in doing. Post a screenshot back after you've made these changes to show us what is being inputted to the message field now, as it should be closer to being proper.
Former Nagios Employee
Enamejko
Posts: 7
Joined: Wed Oct 19, 2016 1:31 pm

Re: DNS translation and Severity logging

Post by Enamejko »

DNS started to work. Don't know what the issue was, but now it is working fine.

Changes I have made to inputs:
[attachment: 20-10-2016 18-25-34.gif]
Changes I have made to filters:
[attachment: 20-10-2016 18-26-25.gif]
For the events, still the same:
[attachment: 20-10-2016 18-29-18.gif]
Thank you
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: DNS translation and Severity logging

Post by mcapra »

I revised the filter a bit and was able to match the sample message successfully:

Code:
if [type] == 'cisco' {
    grok {
      match => [ "message", "\<%{POSINT:pri}\>%{NUMBER:aux_id}: %{SYSLOGTIMESTAMP:timestamp}: %{GREEDYDATA:systype}: %{GREEDYDATA:syslog_message}" ]
    }
}
[attachment: 2016_10_20_12_59_54_Dashboard_Nagios_Log_Server.png]
Former Nagios employee
https://www.mcapra.com/
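The thread's real problem was that every Cisco event showed up as severity Emergency with no facility, because the `<PRI>` number was never decoded. The following is an added example (my own code, not from this thread, not from Nagios and not the grok pattern itself) that parses constructed Cisco IOS syslog lines with a Python regex equivalent to mcapra's pattern and then splits the PRI into facility and severity, so you can see what the numbers should map to. It deliberately differs from the grok pattern in one place: `systype` is matched with `[^:]+` instead of GREEDYDATA, because GREEDYDATA backtracks to the last `": "` in the line and Cisco free text frequently contains `": "` itself. All sample lines, field names and helper functions below are constructed for this example.

```python
"""Added example: parse Cisco IOS syslog lines and decode <PRI> into
facility and severity. Sample lines are constructed, not real device output."""
import re
from typing import Optional

# RFC 3164 / RFC 5424 severity and facility names (index == numeric code)
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
                  "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
                  "alert", "clock"] + [f"local{i}" for i in range(8)]

# Python equivalent of the grok pattern in the post above. `systype` uses
# [^:]+ (stop at the FIRST ': ') where the grok pattern used GREEDYDATA
# (stop at the LAST ': '); the first form is what you want for the
# %FACILITY-SEVERITY-MNEMONIC token.
CISCO_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<aux_id>\d+): "
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"(?P<systype>[^:]+): "
    r"(?P<syslog_message>.*)$"
)

# The Cisco token carries its own severity (%SYS-5-CONFIG_I -> 5), which is
# independent of the syslog PRI and worth keeping as a separate field.
MNEMONIC_RE = re.compile(
    r"^%(?P<cisco_facility>[A-Z0-9_]+)-(?P<cisco_severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+)$"
)


def decode_pri(pri: int) -> dict:
    """PRI = facility * 8 + severity; valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "facility": facility,
        "facility_label": FACILITY_NAMES[facility],
        "severity": severity,
        "severity_label": SEVERITY_NAMES[severity],
    }


def parse_cisco_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None when the pattern does not match
    (the equivalent of Logstash tagging the event _grokparsefailure)."""
    m = CISCO_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["pri"] = int(event["pri"])
    event["aux_id"] = int(event["aux_id"])
    event.update(decode_pri(event["pri"]))
    mm = MNEMONIC_RE.match(event["systype"])
    if mm:
        event.update(mm.groupdict())
        event["cisco_severity"] = int(event["cisco_severity"])
    return event


# Constructed sample lines; the third one contains ': ' inside the free text,
# which is where a GREEDYDATA systype would have gone wrong.
SAMPLE_LINES = [
    "<189>45: Oct 20 11:48:27: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.2.3)",
    "<187>46: Oct 20 11:49:02: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<188>47: Oct 20 11:50:13: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.2.9] [localport: 22] [Reason: Login Authentication Failed]",
    "this line does not look like a Cisco syslog message",
]


def parse_samples() -> list:
    """Parse every constructed sample line."""
    return [parse_cisco_line(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for ev in parse_samples():
        if ev is None:
            print("no match (_grokparsefailure)")
        else:
            print(f"{ev['severity_label']:<13} {ev['facility_label']:<7} "
                  f"{ev['systype']:<26} {ev['syslog_message']}")
```

Run it and the first line comes out as facility local7 / severity notice rather than Emergency. In Logstash the same decoding is done by the `syslog_pri` filter pointed at the `pri` field (its `syslog_pri_field_name` option), so once the grok above extracts `pri` you do not need custom code for this step; the Python version is only here to make the mapping visible and to show the `systype` boundary caveat.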
Enamejko
Posts: 7
Joined: Wed Oct 19, 2016 1:31 pm

LDAP and Alerts

Post by Enamejko »

Thank you, it looks like it is working fine now; I was even able to crack the correct grok code for my devices.

Now I am fighting with LDAP and Alerts.

For the LDAP do you have some best practice guide to get it working?
I tried a few manuals I found on the internet but with no success. Until now I had no issues with LDAP configuration for other tools...

For the Alerts, it looks like everything works fine. I am just not sure if I can use only the macros which are available under Email Templates -> View Macros.

Thank you for your answer
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: DNS translation and Severity logging

Post by rkennedy »

Could you show us the screenshots for the errors you're having? Usually it works; we do not have any further documentation on it specifically for NLS. There is a guide available for XI, which won't exactly relate, but may help you out slightly. https://assets.nagios.com/downloads/nag ... ios-XI.pdf

You can use all those macros listed under the View Macros part. There are not any additional ones at this time.
Former Nagios Employee
Enamejko
Posts: 7
Joined: Wed Oct 19, 2016 1:31 pm

Re: DNS translation and Severity logging

Post by Enamejko »

Please find the screenshot with the error and the settings of LDAP:
[attachment: 03-11-2016 18-28-14.gif]
[attachment: 03-11-2016 18-30-46.gif]
Thank you.
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: DNS translation and Severity logging

Post by rkennedy »

What sort of LDAP server are you using in the backend? Are you seeing any logs on the authenticating side that would help track down the issue?
Former Nagios Employee