Source for Unique Hosts Report

[jaimie.livingston]

Hello...

What bit of code generates the unique hosts report? Is it a PHP or other modifiable script?

I have found that the report does not accurately identify the source of logs received through a relay server. The report shows a relay server as a single unique host, when it really should be reporting on the originating log sources being relayed through the relay host.

I'd also like to be able to modify how often the report runs and how the data is displayed.

Thanks,

Jaimie Livingston

[benjaminsmith]

Hi Jaimie,

I have found that the report does not accurately identify the source of logs received through a relay server. The report shows a relay server as a single unique host, when it really should be reporting on the originating log sources being relayed through the relay host.

I would have to submit a feature request on this functionality. However, if you want to take a look a the script, take a look at the following page in the shell on your server.

Code: Select all

 view /var/www/html/nagioslogserver/application/views/reports/hosts.ph

Keep in mind if you were to make any changes to this file, they would be overwritten on upgrades.

Also, you have the ability to schedule this report as needed if you want it to run more often than every 24 hours.

Let us know if you have more questions.

Benjamin

[jaimie.livingston]

Please do submit the feature request.

It would be very useful for administrators to select how "unique" hosts are identified.
For example, having the following options would cover most conditions.
* via the ip header (the current method)
* via the logsource/hostname field in the syslog message (probably the most useful)
* via the fromhost_ip field that can be injected into syslog messages coming from relay servers

Being able combine or expand on the idea using some logical construct along the lines of an input filter would be ideal.

Thanks,

Jaimie Livingston

[benjaminsmith]

Hi Jaimie,

For example, having the following options would cover most conditions.
* via the ip header (the current method)
* via the logsource/hostname field in the syslog message (probably the most useful)
* via the fromhost_ip field that can be injected into syslog messages coming from relay servers

Thank you for the detailed feedback here! I will get this submitted for you.

[jaimie.livingston]

For those who find this and need information on how to modify the Unique Hosts Report, I found this other SF thread:

https://support.nagios.com/forum/viewto ... 37&t=52166

I found it useful. YMMV.

[benjaminsmith]

HI Jaimie,

Thanks for the update.

Glad to hear that solution is working for you.

[jaimie.livingston]

This is not a solution, in any respect. It is a hack, and a poor one.

The hack to use the logsource.raw values from the syslog stream fixes the "unique" host report issue with relay servers, but breaks host assignment for multi-tenancy (which appears to use the unique host report as a source). Additionally, if a user does the obvious and clicks on a host in the "unique" list, the action tries to use the logsource as a the value for the host field in the query (host:...), rather than the IP address.

This has become an embarrassment for me (who recommended and got funding for NLS), has thrown a monkey wrench into my deployment plan, and may become a blocker for an upcoming NLS license renewal.

Jaimie Livingston

[benjaminsmith]

Hi Jamie,

We do appreciate your feedback and I can certainly understand your need for this feature in Nagiso Log Server. While I cannot provide any specifics on when or if the feature will be implemented, the request has been submitted.

Best Regards,
Benjamin