%LINK-3-UPDOWN, %LINEPROTO-5-UPDOWN Not showing up in logs

[ssavaso]

These are logs from the switch that are not showing up in the log server but you can see that they were sent to the log server.

Logging to x.x.x.x, 281 message lines logged
.Apr 1 09:27:29: %LINK-3-UPDOWN: Interface GigabitEthernet5/18, changed state to down
.Apr 1 09:29:05: %LINK-3-UPDOWN: Interface GigabitEthernet5/18, changed state to up
.Apr 1 09:29:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/18, changed state to up

[jolson]

Are any logs from the switch showing up in Nagios Log Server? If so, we may have to define a filter to get these logs to show.

[ssavaso]

Yes they are. Just not the ones that I posted. Here is one that came from that same switch below.

2015-04-02T17:50:36.597-05:00 x.x.x.x syslog <189>6461: .Apr 2 16:50:34: %SYS-5-CONFIG_I: Configured from console by xxxxxxxx onvty0 (x.x.x.x)

[jolson]

Can you please give me some full examples of logs that are not working properly? They might not be in the 'syslog' format, which could cause them to be dropped. Are the following logs full entries?

Code: Select all

.Apr 1 09:27:29: %LINK-3-UPDOWN: Interface GigabitEthernet5/18, changed state to down
.Apr 1 09:29:05: %LINK-3-UPDOWN: Interface GigabitEthernet5/18, changed state to up
.Apr 1 09:29:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/18, changed state to up

[ssavaso]

Yes these are full log entries and these seem to be the only ones not showing up.

[jolson]

You will need to define a filter to get these displaying properly. Can you post your logstash configs so that I can see what we are working with? I also want to know which input these logs are arriving on - I assume syslog/514?

Code: Select all

cat /usr/local/nagioslogserver/logstash/etc/conf.d/*

[ssavaso]

#
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Wed, 01 Apr 2015 13:08:01 -0600
#

#
# Global inputs
#



#
# Local inputs
#

input {
syslog {
type => 'syslog'
port => 514
}
}
#
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Wed, 01 Apr 2015 13:08:01 -0600
#

#
# Global filters
#

filter {
if [program] == 'apache_access' {
grok {
match => [ 'message', '%{COMBINEDAPACHELOG}']
}
date {
match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
}
mutate {
replace => [ 'type', 'apache_access' ]
convert => [ 'bytes', 'integer' ]
convert => [ 'response', 'integer' ]
}
}

if [program] == 'apache_error' {
grok {
match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
}
mutate {
replace => [ 'type', 'apache_error' ]
}
}
}

#
# Local filters
#


#
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Wed, 01 Apr 2015 13:08:01 -0600
#

#
# Required output for Nagios Log Server
#

output {
elasticsearch {
cluster => '81d8dd31-4078-4c51-a8d3-9d102bb9cd6c'
host => 'localhost'
index_type => '%{type}'
node_name => '474fc199-f9b8-4f20-ad18-e65d39bb7345'
protocol => 'transport'
workers => 4
}
}

#
# Global outputs
#



#
# Local outputs
#


[root@localhost ~]#

[jolson]

Note that you are using an input type of 'syslog'. The logs that get through:

Code: Select all

2015-04-02T17:50:36.597-05:00 x.x.x.x syslog <189>6461: .Apr 2 16:50:34: %SYS-5-CONFIG_I: Configured from console by xxxxxxxx onvty0 (x.x.x.x)

Are in syslog format.

The logs that do not:

Code: Select all

.Apr 1 09:27:29: %LINK-3-UPDOWN: Interface GigabitEthernet5/18, changed state to down
.Apr 1 09:29:05: %LINK-3-UPDOWN: Interface GigabitEthernet5/18, changed state to up
.Apr 1 09:29:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/18, changed state to up

Are not in syslog format. This means that you'll have to define some custom filters to catch these logs.

You will want to study up on regex before you define a filter - here is a good post I made earlier that will help you get started:
http://support.nagios.com/forum/viewtop ... 37&t=32221

Let me know if you have questions. Thanks!