sendin nagios core logs to the logserver

[benhank]

ok original file was 90 mb so I cut out sections

[cdienger]

Was that 90mb when compressed? I'm not finding the events in the snippets provided so if you could provide the full log that would be best.

[benhank]

man do I feel dumb , here is the file

[benhank]

Oh I failed to mention that I have two servers that are configured to send the logs from nagios and the os.
Both servers are sending the logs from the OS but im getting no data from nagios parsed and displayed in the nagios dashboards.

[cdienger]

The events are not going through the filters for some reason that isn't made immediately clear. Let's get a copy of the settings index from the NLS machine and I'll be able to take a closer look at the config. This can be gathered by running:

Code: Select all

curl -XPOST http://localhost:9200/nagioslogserver/_export?path=/tmp/nagioslogserver.tar.gz

The file it creates is /tmp/nagioslogserver.tar.gz. Please PM this file to me.

[benhank]

sent

[cdienger]

The issue here is that the "syslog" inputs are actually using tcp or udp inputs. For example, the default syslog input looks like:

Code: Select all

syslog {
    type => 'syslog'
    port => 5544
}

But your config uses:

Code: Select all

tcp {
    type => 'syslog'
    port => 5544
}
udp {
 type => 'syslog'
    port => 5544
}

I think the 'nagios_core' program name is not getting parsed as a result which is allowing the logs to bypass the filter. Try changing the first line of the filter config from:

Code: Select all

if [program] == 'nagios_core' {

to:

Code: Select all

if [host] == 'xxx.xxx.xxx.xxx' and [message] =~ "nagios_core {

where xxx.xxx.xxx.xxx is the IP address of your XI server.

[benhank]

ok but before I do it that verbatim or is the "~" a typo? just being sure man =D

[benhank]

ok the apply config worked. now Im just waiting to see if any data comes in

[benhank]

ok after making the adjustments the dashboards are still blank