Hi,
I am confused about how to use a custom pattern in Nagios Log Server.
Do I put a custom pattern in /usr/local/nagioslogserver/etc/patterns on each server in the cluster and include this dir in my filter?
Or can I do this in the web interface in the filter section?
And will my custom pattern survive an upgrade if I put it in /usr/local/nagioslogserver/etc/patterns?
I want to use this grok pattern for postfix https://raw.githubusercontent.com/whysc ... stfix.grok
And this postfix filter https://raw.githubusercontent.com/whysc ... stfix.conf
So where can I put the grok pattern?
Custom pattern
Last edited by atje on Tue Jun 30, 2020 2:07 am, edited 1 time in total.
Re: Custom pattern
Navigate to Configure using the top bar in LS > click Global Config on the left pane > then click on the plus sign next to a filter to expand the text field for editing.
Please refer to the following document for more detailed information on how to configure grok filters in Nagios Log Server.
NAGIOS LOG SERVER FILTERS
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: Custom pattern
But that is for a filter, and how about a pattern?
Re: Custom pattern
So, how can I use patterns then?
Like this?
# common postfix patterns
POSTFIX_QUEUEID ([0-9A-F]{6,}|[0-9a-zA-Z]{12,})
POSTFIX_CLIENT_INFO %{HOSTNAME:postfix_client_hostname}?\[%{IP:postfix_client_ip}\](:%{INT:postfix_client_port})?
POSTFIX_RELAY_INFO %{HOSTNAME:postfix_relay_hostname}?\[(%{IP:postfix_relay_ip}|%{DATA:postfix_relay_service})\](:%{INT:postfix_relay_port})?|%{WORD:postfix_relay_service}
POSTFIX_SMTP_STAGE (CONNECT|HELO|EHLO|STARTTLS|AUTH|MAIL( FROM)?|RCPT( TO)?|(end of )?DATA|RSET|UNKNOWN|END-OF-MESSAGE|VRFY|\.)
POSTFIX_ACTION (accept|defer|discard|filter|header-redirect|reject)
POSTFIX_STATUS_CODE \d{3}
POSTFIX_STATUS_CODE_ENHANCED \d\.\d\.\d
POSTFIX_DNSBL_MESSAGE Service unavailable; .* \[%{GREEDYDATA:postfix_status_data}\] %{GREEDYDATA:postfix_status_message};
POSTFIX_PS_ACCESS_ACTION (DISCONNECT|BLACKLISTED|WHITELISTED|WHITELIST VETO|PASS NEW|PASS OLD)
POSTFIX_PS_VIOLATION (BARE NEWLINE|COMMAND (TIME|COUNT|LENGTH) LIMIT|COMMAND PIPELINING|DNSBL|HANGUP|NON-SMTP COMMAND|PREGREET)
POSTFIX_TIME_UNIT %{NUMBER}[smhd]
POSTFIX_KEYVALUE_DATA [\w-]+=[^;]*
<snip>
Re: Custom pattern
Those terms are actually pretty closely related. My understanding is that the term grok pattern refers to the syntax that is used to parse the data, while a filter is the part that parses the pattern and writes it to Logstash.
If you have already added the input source, and just need to add a new filter, you can click Add Filter and select Custom. Give the filter a name, and then paste the pattern in the text box that appears when you hit the + icon. Please see the adding a filter section in the following document for more specific instructions.
CONFIGURING LOG SERVER
You may also want to take a look at the grok reference linked below. This will tell you the exact syntax for how to write patterns.
LOGSTASH GROK REFERENCE
Re: Custom pattern
This documentation states you can use a patterns_dir setting, and that is exactly what I want to use, but I would like to know what the supported way is, and whether it is preserved in an upgrade.
You can add your own trivially. (See the patterns_dir setting)
Re: Custom pattern
I believe that the patterns_dir setting just specifies what directory contains the grok patterns on your server.
To add another filter from the Log Server graphic interface, navigate to Configure using the bar on top > click Global Config under Global (All Instances) on the left pane > then click + Add Filter near the top right > select Custom from the dropdown > and enter your custom pattern inside the field provided. You may click the + (plus) and - (minus) on the top right of the filter to open and close the editor.
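The pattern-versus-filter distinction and the patterns_dir setting discussed in this thread, as an added Python sketch (not code from the thread, Nagios, or Logstash): a pattern file only defines names, and the filter's match expression is resolved by expanding those names recursively, so a filter that references POSTFIX_* names fails when the file defining them is not loaded. The BASE definitions are simplified stand-ins for Logstash's built-in patterns, the function names are hypothetical, and the sample log line is constructed.

```python
import re

# Simplified stand-ins for Logstash's built-in patterns (assumption, looser than the real ones).
BASE = r"""
INT [+-]?[0-9]+
IP (?:[0-9]{1,3}\.){3}[0-9]{1,3}
HOSTNAME \b[0-9A-Za-z][0-9A-Za-z-]*(?:\.[0-9A-Za-z][0-9A-Za-z-]*)*\.?\b
"""
# Two definitions copied from the pattern file quoted in the thread.
POSTFIX = r"""
# common postfix patterns
POSTFIX_QUEUEID ([0-9A-F]{6,}|[0-9a-zA-Z]{12,})
POSTFIX_CLIENT_INFO %{HOSTNAME:postfix_client_hostname}?\[%{IP:postfix_client_ip}\](:%{INT:postfix_client_port})?
"""
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def load_patterns(text):
    """Parse pattern-file text: one 'NAME regex' per line, '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, regex = line.split(None, 1)
            table[name] = regex
    return table

def expand(expr, table, depth=0):
    """Replace each %{NAME} or %{NAME:field} with its definition, recursively."""
    if depth > 20:
        raise ValueError("pattern references nest too deeply (cycle?)")
    def sub(m):
        name, field = m.group(1), m.group(2)
        if name not in table:
            raise KeyError("undefined pattern: " + name)
        body = expand(table[name], table, depth + 1)
        return "(?P<%s>%s)" % (field, body) if field else "(?:%s)" % body
    return REF.sub(sub, expr)

def grok(expr, table, line):
    """Return the named fields captured from line, or None when nothing matches."""
    m = re.search(expand(expr, table), line)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else None

TABLE = load_patterns(BASE + POSTFIX)
# Constructed sample log line (not from the thread).
SAMPLE = "postfix/smtpd[1234]: 3F2A1B7C9D: client=mail.example.com[192.0.2.10]:52344"
MATCH = "%{POSTFIX_QUEUEID:postfix_queueid}: client=%{POSTFIX_CLIENT_INFO}"
FIELDS = grok(MATCH, TABLE, SAMPLE)
```

Running the same MATCH expression against a table built from BASE alone raises KeyError for POSTFIX_QUEUEID, which is the failure to expect when a filter references custom names whose pattern file was not loaded.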