Custom pattern

[atje]

Hi,

I am confused about how to use a custom pattern in Nagios Log Server.

Do I put a custom pattern in the /usr/local/nagioslogserver/etc/patterns on each server in the cluster and include this dir in my filter.
Or can I do this in the web interface in the filter section?

And will the my custom pattern survive a upgrade if I put it in /usr/local/nagioslogserver/etc/patterns

I want to use this grok pattern for postfix https://raw.githubusercontent.com/whysc ... stfix.grok
And this postfix filter https://raw.githubusercontent.com/whysc ... stfix.conf

So where I can put the grok pattern?

[jbrunkow]

Navigate to Configure using the top bar in LS > click Global Config on the left pane > then click on the plus sign next to a filter to expand the text field for editing.

Please refer to the following document for more detailed information on how to configure grok filters in Nagios Log Server.
NAGIOS LOG SERVER FILTERS

[atje]

But that is for a filter, and how about a pattern?

[atje]

So, how can I use patterns then?

like this?

# common postfix patterns
POSTFIX_QUEUEID ([0-9A-F]{6,}|[0-9a-zA-Z]{12,})
POSTFIX_CLIENT_INFO %{HOSTNAME:postfix_client_hostname}?\[%{IP:postfix_client_ip}\](:%{INT:postfix_client_port})?
POSTFIX_RELAY_INFO %{HOSTNAME:postfix_relay_hostname}?\[(%{IP:postfix_relay_ip}|%{DATA:postfix_relay_service})\](:%{INT:postfix_relay_port})?|%{WORD:postfix_relay_service}
POSTFIX_SMTP_STAGE (CONNECT|HELO|EHLO|STARTTLS|AUTH|MAIL( FROM)?|RCPT( TO)?|(end of )?DATA|RSET|UNKNOWN|END-OF-MESSAGE|VRFY|\.)
POSTFIX_ACTION (accept|defer|discard|filter|header-redirect|reject)
POSTFIX_STATUS_CODE \d{3}
POSTFIX_STATUS_CODE_ENHANCED \d\.\d\.\d
POSTFIX_DNSBL_MESSAGE Service unavailable; .* \[%{GREEDYDATA:postfix_status_data}\] %{GREEDYDATA:postfix_status_message};
POSTFIX_PS_ACCESS_ACTION (DISCONNECT|BLACKLISTED|WHITELISTED|WHITELIST VETO|PASS NEW|PASS OLD)
POSTFIX_PS_VIOLATION (BARE NEWLINE|COMMAND (TIME|COUNT|LENGTH) LIMIT|COMMAND PIPELINING|DNSBL|HANGUP|NON-SMTP COMMAND|PREGREET)
POSTFIX_TIME_UNIT %{NUMBER}[smhd]
POSTFIX_KEYVALUE_DATA [\w-]+=[^;]*
<snip>

[jbrunkow]

Those terms are actually pretty closely related. My understanding is that the term grok pattern refers to the syntax that is used to parse the data, while a filter is the part that parses the pattern and writes it to Logstash.

If you have already added the input source, and just need to add a new filter, you can click Add Filter and select Custom. Give the filter a name, and then paste the pattern in the text box that appears when you hit the + icon. Please see the adding a filter section in the following document for more specific instructions.
CONFIGURING LOG SERVER

You may also want to take a look at the grok reference linked below. This will tell you the exact syntax for how to write patterns.
LOGSTASH GROK REFERENCE

[atje]

This documentation states you can use a patters_dir setting, that is exactly what I want to use, but I like to know what is the supported way, and preserved in a upgrade.

You can add your own trivially. (See the patterns_dir setting)

[jbrunkow]

I believe that the patterns_dir setting just specifies what directory contains the grok patterns on your server.

To add another filter from the Log Server graphic interface, navigate to Configure using the bar on top > click Global Config under Global (All Instances) on the left pane > then click + Add Filter near the top right > select Custom from the dropdown > and enter your custom pattern inside the field provided. You may click the + (plus) and - (minus) on the top right of the filter to open and close the editor.