I have recently set up a Nagios LogServer trial and I now have the log server monitoring the log files for a particular application across multiple nodes. This appears to be working well. As an example I have got the log server querying a particular log file on 2 servers and returning all instances of "Successful load". I have then set up an alert so that when this appears an alert will be sent to Nagios XI. This is all working well.
The problem I have is that what I am particularly interested in is the data that is in that specific log message. If I take the above example the query will return entries in the log such as:
2015-07-24 09:30:28,746 INFO SystemEvents Successful load for feed ********* took 11094 ms, records read [63724] (duplicates removed before processing [0]), loaded records [63724] (new [0], updated [0], unchanged [63724])
What I am really looking to do is alert when the logs show "Successful load" and then, within Nagios XI (in the status information), return records read [63724], loaded records [63724]. In short I want to identify that a successful load has taken place; this will trigger an alert and pass across some of the data stored within that log message.
I can't see a way of doing this with Nagios Logserver. Is this possible?
Querying data within a log message
Re: Querying data within a log message
I haven't found a way to pass actual Nagios Log Server log data over to Nagios Core/XI. To my knowledge, the only result that gets passed over is the result of the alert command being run - e.g. OK: 0 matching entries found |logs=0;1;1.
I know that this is a feature that the developers are aware of, and you're certainly not the first person to make this request. I am hoping that the exporting of actual log data can be done in the future, but the implementation will be tricky.
How do you imagine this feature working, so that I can add your thoughts to the feature request?
swilsongresh (Posts: 14, Joined: Tue Jul 21, 2015 1:22 pm)
Re: Querying data within a log message
Thanks jolson
If you take the example that I used previously of:
2015-07-24 09:30:28,746 INFO SystemEvents Successful load for feed ********* took 11094 ms, records read [63724] (duplicates removed before processing [0]), records loaded [63724] (new [0], updated [0], unchanged [63724])
What we were really looking for was something similar to the following:
1. Nagios Log Server identifies that a message containing "INFO SystemEvents Successful load for feed" had been written to the log.
2. Nagios Log Server would send an alert to Nagios XI to trigger a "Warning" alert.
3. As part of that alert, in Nagios Log Server we would be able to query the data so that we could also send over parts of the comment. In this case the alert would be triggered and "records read [63724] records loaded [63724]" would be sent to Nagios XI along with the alert, which could then be used to populate the "Status Information".
4. In addition to point 3, an advancement on that would be for Nagios Log Server to query the log message and only alert if the value of records read and records loaded differed by +/- 10%.
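Added example, not part of the original thread and not a Nagios Log Server feature: a standalone Nagios-plugin-style check in Python that pulls the two counters out of the quoted log line, builds the status text from point 3, and applies the 10% rule from point 4. The function name, the tolerance parameter and the perfdata labels are assumptions made for this sketch.

```python
import re

# Nagios plugin exit codes (standard plugin convention).
OK, WARNING, UNKNOWN = 0, 1, 3

# Matches the "Successful load" line quoted in the thread. Both
# "loaded records" and "records loaded" are accepted because the
# thread shows both spellings.
LOAD_RE = re.compile(
    r"INFO SystemEvents Successful load for feed .*?"
    r"records read \[(?P<read>\d+)\].*?"
    r"(?:loaded records|records loaded) \[(?P<loaded>\d+)\]"
)

# Log line as quoted in the thread (feed name masked in the original).
SAMPLE = (
    "2015-07-24 09:30:28,746 INFO SystemEvents Successful load for feed "
    "********* took 11094 ms, records read [63724] (duplicates removed "
    "before processing [0]), loaded records [63724] (new [0], updated [0], "
    "unchanged [63724])"
)


def check_load_line(line, tolerance=0.10):
    """Return (exit_code, status_text) for one log line (hypothetical helper)."""
    m = LOAD_RE.search(line)
    if m is None:
        return UNKNOWN, "UNKNOWN: no 'Successful load' entry in line"
    read, loaded = int(m["read"]), int(m["loaded"])
    # Relative difference against records read. A load that read zero
    # records but loaded some is treated as a full mismatch.
    if read == 0:
        diff = 0.0 if loaded == 0 else 1.0
    else:
        diff = abs(read - loaded) / read
    state, label = (WARNING, "WARNING") if diff > tolerance else (OK, "OK")
    # Text before "|" is the status information; after it is perfdata.
    text = (f"{label}: records read [{read}] records loaded [{loaded}] "
            f"|read={read} loaded={loaded}")
    return state, text


if __name__ == "__main__":
    code, status = check_load_line(SAMPLE)
    print(status)
    raise SystemExit(code)
```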
Re: Querying data within a log message
swilsongresh,
Thank you for your input - I have added it to the feature request in question (task ID 5072). Feel free to reference this task ID to any Nagios employee and we will check on the status of it for you. Thanks!