Filters question

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
Locked
Bitflogger
Posts: 226
Joined: Mon Oct 16, 2017 9:24 am

Filters question

Post by Bitflogger »

Hello, I am running the latest NLS, on a 64-bit VM, CentOS

Under Global Config, I see Inputs and Filters.

I would like to load old logs from Linux and Windows servers.

It looks like I need filters that correspond to some of the inputs.

Where can I get a standard filter for Windows event logs and Linux syslogs?

Earl
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Filters question

Post by cdienger »

What exactly are you trying to do with filters? Filters are not necessary to import data and the default syslog input can parse syslog data while the Windows Event Log input accepts data in the json format.

Here are the inputs in case you need them:


syslog {
    type => 'syslog'
    port => 5544
}


tcp {
    type => 'eventlog'
    port => 3515
    codec => json
}
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Bitflogger
Posts: 226
Joined: Mon Oct 16, 2017 9:24 am

Re: Filters question

Post by Bitflogger »

Hello,

I'm trying to do something like this: cat ./old-windows-logs.txt | nc 127.0.0.1 3515

It does not seem to take it in.

Earl
Bitflogger
Posts: 226
Joined: Mon Oct 16, 2017 9:24 am

Re: Filters question

Post by Bitflogger »

Hello,

I found the log entries from using nc on the local host to send a file of log entries from a different host. But they ended up in NLS identified with the localhost. And I had to open an older shard to see them in a query.

So if I have an old log server with 900 servers, and 1825 days of logs (files are per day), I have to move the files to the source server (which may not exist) and then send the logs to the correct port on NLS?

Earl
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Filters question

Post by cdienger »

That would be one option. Another would be to make sure the log entries have an entry for the host field that points to the original client's IP or hostname.
Bitflogger
Posts: 226
Joined: Mon Oct 16, 2017 9:24 am

Re: Filters question

Post by Bitflogger »

Hello,

I'm still having difficulty.

If I load logs from 2019-05-13, but my oldest registered shard is 2019-05-16, where does the information go?

I do not see a 2019-05-13 shard created.

Earl
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Filters question

Post by cdienger »

If the date is parsed out properly, then it should be inserted into the corresponding index. Can you share a sample of the 2019-05-13 logs and the logstash configuration so I can take a closer look?
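The two support replies above make the same practical point twice: a replayed log line is only useful if it carries the original client's host (otherwise NLS tags it with the machine that ran nc) and a timestamp that Logstash can parse (otherwise it cannot land in the index for the day it was written). The script below is an added example, not code from the thread or from Nagios; it turns a constructed export of old Windows events into newline-delimited JSON with an explicit host and @timestamp, and sends it to the eventlog input on port 3515 the way the cat | nc command did. The export line format, the field names other than host, and the assumption that the NLS eventlog input honours @timestamp on a JSON document are all assumptions; lines that do not carry a parsable date are reported rather than sent, since those are exactly the ones that end up in the wrong index.

```python
import json
import re
import socket
from datetime import datetime, timezone

# Constructed sample of an exported Windows event log from host SRV01 (not real data).
# Format assumed here: "<date> <time> <host> <channel> <event_id> <message>".
SAMPLE_LINES = [
    "2019-05-13 08:15:02 SRV01 Security 4624 An account was successfully logged on.",
    "2019-05-13 08:16:40 SRV01 Security 4625 An account failed to log on.",
    "garbage line with no date",
    "2019-05-13 09:01:11 SRV01 System 6005 The Event log service was started.",
]

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<channel>\S+) (?P<event_id>\d+) (?P<message>.*)$"
)


def build_events(lines):
    """Turn raw export lines into JSON-ready dicts.

    Returns (events, rejected): events carry the original host and an
    ISO-8601 @timestamp; rejected holds lines with no parsable date.
    """
    events, rejected = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        # Exported times are assumed to be UTC; adjust if the source box was not.
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        events.append({
            "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
            "host": m["host"],          # original client, so NLS does not tag localhost
            "type": "eventlog",         # matches the type on the tcp input in the thread
            "channel": m["channel"],    # assumed field name
            "event_id": int(m["event_id"]),  # assumed field name
            "message": m["message"],
        })
    return events, rejected


def to_ndjson(events):
    """One JSON document per line; the tcp input splits on newlines."""
    return "".join(json.dumps(e) + "\n" for e in events).encode()


def send_events(events, host="127.0.0.1", port=3515):
    """Ship the documents to the NLS eventlog input (port from the thread)."""
    payload = to_ndjson(events)
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(payload)
    return len(events)


if __name__ == "__main__":
    events, rejected = build_events(SAMPLE_LINES)
    for r in rejected:
        print("skipped (no parsable date, would land in the wrong index):", r)
    print(f"sending {len(events)} events to 127.0.0.1:3515")
    send_events(events)
```

Run it on the NLS host (or point send_events at it) and query for host:SRV01 in the 2019-05-13 index; if the documents still show up under the sender's hostname or in the current day's index, the input is overriding host or not parsing @timestamp, which is the configuration cdienger asked to see.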
Bitflogger
Posts: 226
Joined: Mon Oct 16, 2017 9:24 am

Re: Filters question

Post by Bitflogger »

Hello,

I think I understand this now.

Please lock it.

Earl
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Filters question

Post by benjaminsmith »

Please lock it.
Earl
We'll close this out. If you have any questions in the future, please feel free to open a new one.