Config check

Post by **WillemDH** » Thu May 14, 2015 11:00 am

Wouldn't it be a nice feature if NLS could compare the config to be saved with the actual config in /usr/local/nagioslogserver/logstash/etc/conf.d/* and showing some kind of error?

I seemed to have missed a komma somewhere in a filter resulting in me finding this out several changes later, making it kind of not easy to pinpoint the problem. This shouldn't be too much work and could prevent many headaches for your NLS customers?

Grtz

WIllem

jolson · Post by **jolson** » Thu May 14, 2015 11:51 am

Did the 'verify config' button display any errors when you clicked it? If it did not, could you post the configuration that didn't work? I have already submitted the feature request, but it would be good to have a working example ready for when the devs take a look at this.

Post by **WillemDH** » Thu May 14, 2015 11:56 am

Jesse,

Try this:

Code: Select all

if [type] == "eventlog" {
    mutate {
        remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
        rename => [ "Severity", "severity_label" ]
        lowercase => [ "severity_label" ]
        rename => [ "SeverityValue", "severity" ]
        rename => [ "Hostname", "hostname" ]
        lowercase => [ "hostname" ]
        gsub => [ 
            "severity_label", "info", "informational",
        ]
    }
}

The error is in the komma behind informational.

To be honest I just discovered the Verify button. Wouldn't it make more sense if config was verified each time after save and apply?

EDIT 1: Seems like something is still wrong with the above, just noticed the gsub isn't working.. Investigating...

EDIT 2: Hmm I'm not sure why my gsub in this example isn't working. In my f5 filter I have it working perfectly. Verified config. It's written fine. Tried:

Code: Select all

    if [type] == "eventlog" {
        mutate {
            gsub => [
                "Severity", "info", "informational"
            ]
            remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
            rename => [ "Severity", "severity_label" ]
            lowercase => [ "severity_label" ]
            rename => [ "SeverityValue", "severity" ]
            rename => [ "Hostname", "hostname" ]
            lowercase => [ "hostname" ]
        }
    }

Putting the gsub in the beginning on Severity (before I renamed the field). Do you happen to see something missing? I'm getting kind of tired.. Gonna take a break..

Grtz

jolson · Post by **jolson** » Thu May 14, 2015 12:01 pm

Let me know what you find out - I've added to the feature request to include a run of 'Verify' before the 'Apply Configuration' takes place.

Post by **WillemDH** » Fri May 15, 2015 7:34 am

Code: Select all

if [type] == "eventlog" {
    mutate {
        remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
        rename => [ "Severity", "severity_label" ]
        lowercase => [ "severity_label" ]
        rename => [ "SeverityValue", "severity" ]
        rename => [ "Hostname", "hostname" ]
        lowercase => [ "hostname" ]
        gsub => [ 
            "severity_label", "info", "informational"
        ]
    }
}

The above is not working. I don't know why, I suspect it has something to do with renaming the field I'm trying to gsub. (although I also tried with the original field name)

The only way I could make it work was by splitting the gsub from the rename in a separate filter:

Code: Select all

    if [type] == "eventlog" {
        mutate {
            remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
            rename => [ "Severity", "severity_label" ]
            lowercase => [ "severity_label" ]
            rename => [ "SeverityValue", "severity" ]
            rename => [ "Hostname", "hostname" ]
            lowercase => [ "hostname" ]
        }
    }

    if [type] == "eventlog" {
        mutate {
            gsub => [
                "severity_label", "info", "informational"
            ]
        }
    }

Or in a separate mutate in the same filter:

Code: Select all

if [type] == "eventlog" {
    mutate {
        remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
        rename => [ "Severity", "severity_label" ]
        lowercase => [ "severity_label" ]
        rename => [ "SeverityValue", "severity" ]
        rename => [ "Hostname", "hostname" ]
        lowercase => [ "hostname" ]
    }
    mutate {
        gsub => [ 
            "severity_label", "info", "informational"
        ]
    }
}

You can close this thread if you want. Tx for the feature request.

jolson · Post by **jolson** » Fri May 15, 2015 9:24 am

No problem - glad you got your filter working properly. Interesting that gsub doesn't appear to be active unless it's separated from the other parameters. Thanks for letting us know - I'll lock it up.

Nagios Support Forum

Config check

Config check

Re: Config check

Re: Config check

Re: Config check

Re: Config check

Re: Config check