Hello, I am running the latest NLS, on a 64-bit VM, CentOS
Under Global Config, I see Inputs and Filters.
I would like to load old logs from Linux and Windows servers.
It looks like I need filters that correspond to some of the inputs.
Where can I get a standard filter for Windows event logs and Linux syslogs?
Earl
Filters question
Re: Filters question
What exactly are you trying to do with filters? Filters are not necessary to import data and the default syslog input can parse syslog data while the Windows Event Log input accepts data in the json format.
Here are the inputs in case you need them:

    syslog {
        type => 'syslog'
        port => 5544
    }

    tcp {
        type => 'eventlog'
        port => 3515
        codec => json
    }
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
- Posts: 226
- Joined: Mon Oct 16, 2017 9:24 am
Re: Filters question
Hello,
I'm trying to do something like this: cat ./old-windows-logs.txt | nc 127.0.0.1 3515
It does not seem to take it in.
Earl
- Posts: 226
- Joined: Mon Oct 16, 2017 9:24 am
Re: Filters question
Hello,
I found the log entries from using nc on the local host to send a file of logs entries from a different host. But they ended up in NLS identified with the localhost. And I had to open an older shard to see them in a query.
So if I have an old log server with 900 servers, and 1825 days of logs (files are per day), I have to move the files to the source server (which may not exist) and then send the logs to the correct port on NLS?
Earl
Re: Filters question
That would be one option. Another would be to make sure the log entries have an entry for the host field that points to the original client's IP or hostname.
- Posts: 226
- Joined: Mon Oct 16, 2017 9:24 am
Re: Filters question
Hello,
I'm still having difficulty.
If I load logs from 2019-05-13, but my oldest registered shard is 2019-05-16, where does the information go?
I do not see a 2019-05-13 shard created.
Earl
Re: Filters question
If the date is parsed out properly, then it should be inserted into the corresponding index. Can you share a sample of the 2019-05-13 logs and the logstash configuration so I can take a closer look?
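The two points made above (give each replayed entry a host field naming the original server, and a parseable date so it lands in the matching index rather than today's) can be combined into a small replay script for the json tcp input on port 3515. This is an added example, not code from the thread or from Nagios Log Server; the archived line format, the field names EventID/SourceName/Message, the hostname winsrv01.example.internal and the assumption that Logstash honours an ISO8601 @timestamp in the incoming JSON are all my own assumptions for the illustration.

```python
import json
import socket
from datetime import datetime, timezone

# Constructed sample of an archived export (not a real NLS file). Assumed format:
# "<YYYY-MM-DD HH:MM:SS>\t<EventID>\t<Source>\t<Message>"
ARCHIVED_LINES = [
    "2019-05-13 08:15:02\t4624\tMicrosoft-Windows-Security-Auditing\tAn account was successfully logged on.",
    "2019-05-13 08:15:40\t4625\tMicrosoft-Windows-Security-Auditing\tAn account failed to log on.",
    "not a log line",
]


def to_event(line, source_host, tz=timezone.utc):
    """Turn one archived line into the JSON document for the 'eventlog' tcp input.

    Returns None for lines that do not parse, so a bad line is skipped instead of
    being indexed under today's date with host set to the replaying machine.
    """
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        return None
    stamp, event_id, source, message = parts
    try:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        event_id = int(event_id)
    except ValueError:
        return None
    return {
        # ISO8601 @timestamp (assumed to be picked up by Logstash) so the event goes
        # into the 2019-05-13 index, not the index for the day of the replay.
        "@timestamp": when.isoformat().replace("+00:00", "Z"),
        # Name the original server here; otherwise NLS records the replay host (localhost).
        "host": source_host,
        "EventID": event_id,        # assumed field names, not fixed by NLS
        "SourceName": source,
        "Message": message,
    }


def replay(lines, source_host, nls_host="127.0.0.1", port=3515):
    """Send one JSON object per line (newline-delimited) to the json tcp input."""
    events = [e for e in (to_event(l, source_host) for l in lines) if e]
    payload = "".join(json.dumps(e) + "\n" for e in events).encode()
    with socket.create_connection((nls_host, port), timeout=10) as sock:
        sock.sendall(payload)
    return len(events)


if __name__ == "__main__":
    print(replay(ARCHIVED_LINES, source_host="winsrv01.example.internal"))
```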
- Posts: 226
- Joined: Mon Oct 16, 2017 9:24 am
Re: Filters question
Hello,
I think I understand this now.
Please lock it.
Earl
- Posts: 5324
- Joined: Wed Aug 22, 2018 4:39 pm
- Location: saint paul
Re: Filters question
> Please lock it.
> Earl

We'll close this out. If you have any questions in the future, please feel free to open a new one.
Be sure to check out our Knowledgebase for helpful articles and solutions!