audit log to file

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
WillemDH
Posts: 2320
Joined: Wed Mar 20, 2013 5:49 am
Location: Ghent

audit log to file

Post by WillemDH »

Hello,

Just a few informative questions about this feature in XI 5:

Write Audit Log to file: When checked all audit log events will be written to /usr/local/nagiosxi/var/components/auditlog.log

Where are the audit logs located if they are not written to file? The mysql db? Is this auditlog.log file rotated? I'm guessing this is done to be able to send it to NLS?
Is there someone who made a nice grok filter for this logfile yet?

Grtz

Willem
Nagios XI 5.8.1
https://outsideit.net
jdalrymple
Skynet Drone
Posts: 2620
Joined: Wed Feb 11, 2015 1:56 pm

Re: audit log to file

Post by jdalrymple »

WillemDH wrote: Where are the audit logs located if they are not written to file? The mysql db?

nagiosxi database to be certain. Postgres in older versions, mysql in the new version.

WillemDH wrote: Is there someone who made a nice grok filter for this logfile yet?

You'd think - not to the best of my knowledge. Try this though:


filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601} - %{GREEDYDATA:source} \[%{NUMBER:id}\] %{GREEDYDATA:username}:%{IP:ipaddress} - %{GREEDYDATA:message}" }
  }
}
WillemDH
Posts: 2320
Joined: Wed Mar 20, 2013 5:49 am
Location: Ghent

Re: audit log to file

Post by WillemDH »

JR,

I can confirm your grok filter works. I made some small changes to it:


if [type] == "nagios-audit" {
    grok {
        match => { "message" => "%{TIMESTAMP_ISO8601} - %{GREEDYDATA:nagiossource} \[%{NUMBER:nagiosid}\] %{GREEDYDATA:nagiosusername}:%{IP:workstationip} - %{GREEDYDATA:message}" }
        overwrite => [ "message" ]
        add_tag => "grokked_file_nagios_audit"
    }
}
Thanks. Please close.
Nagios XI 5.8.1
https://outsideit.net
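To see what the two grok filters in this thread actually extract before shipping the config to Logstash, here is an added Python emulation (not code from the thread, Nagios or Logstash). It expands the match string from the second post into a regex, applies it the way the grok filter would (including the `overwrite => ["message"]` behaviour and the success/failure tags), and runs it over constructed sample lines shaped to fit the pattern, since the real auditlog.log format is not shown in the thread. The grok stand-ins (`TIMESTAMP_ISO8601`, `IP` limited to IPv4, `NUMBER`, `USERNAME`) are simplified assumptions, and the `STRICT_PATTERN` variant is my suggestion, going beyond the thread, to show why matching the username with `GREEDYDATA` is fragile when the audit message itself contains `text:ip - `.

```python
import re

# Simplified stand-ins for the Logstash core grok patterns the thread uses (assumption:
# the real IP pattern also accepts IPv6 and TIMESTAMP_ISO8601 allows more timezone forms).
GROK = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:[.,]\d+)?)?(?:Z|[+-]\d{2}:?\d{2})?",
    "GREEDYDATA": r".*",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
    "IP": r"(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)",
    "USERNAME": r"[a-zA-Z0-9._-]+",
}

# The match string from the thread's second filter, verbatim.
THREAD_PATTERN = (
    r"%{TIMESTAMP_ISO8601} - %{GREEDYDATA:nagiossource} \[%{NUMBER:nagiosid}\] "
    r"%{GREEDYDATA:nagiosusername}:%{IP:workstationip} - %{GREEDYDATA:message}"
)
# Tightened variant (my suggestion, not from the thread): the username is matched by
# USERNAME instead of GREEDYDATA so it cannot swallow part of the audit message.
STRICT_PATTERN = THREAD_PATTERN.replace("%{GREEDYDATA:nagiosusername}", "%{USERNAME:nagiosusername}")

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> "re.Pattern[str]":
    """Expand %{NAME:field} references into a Python regex with named groups.
    A reference without a field (e.g. %{TIMESTAMP_ISO8601}) matches but captures
    nothing, exactly as grok treats it. Like grok, the result is not anchored."""
    def repl(m: "re.Match[str]") -> str:
        body = GROK[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.compile(_REF.sub(repl, pattern))


def apply_filter(line: str, pattern: str = THREAD_PATTERN) -> dict:
    """Emulate the grok {} block from the thread on one event whose 'message' is `line`:
    on a match, merge the captured fields into the event (overwrite => ["message"] means
    the captured 'message' replaces the raw line) and add the success tag; on a miss,
    Logstash leaves the fields alone and adds the _grokparsefailure tag."""
    event = {"type": "nagios-audit", "message": line, "tags": []}
    m = grok_to_regex(pattern).search(line)
    if m is None:
        event["tags"].append("_grokparsefailure")
        return event
    event.update(m.groupdict())
    event["tags"].append("grokked_file_nagios_audit")
    return event


# Constructed sample lines shaped to fit the thread's pattern (the real auditlog.log
# format is not shown in the thread; these are illustrative only).
SAMPLE_LINES = [
    "2015-10-21 14:03:17 - Nagios XI [42] nagiosadmin:192.168.10.25 - User logged in",
    # the audit message itself contains "<text>:<ip> - ", which trips up GREEDYDATA
    "2015-10-21 14:05:02 - Nagios XI [43] nagiosadmin:192.168.10.25 - Added host db01:10.0.0.5 - ok",
    "this line is not an audit event at all",
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for name, pat in (("thread", THREAD_PATTERN), ("strict", STRICT_PATTERN)):
            ev = apply_filter(line, pat)
            print(f"[{name}] user={ev.get('nagiosusername')!r} ip={ev.get('workstationip')!r} "
                  f"message={ev['message']!r} tags={ev['tags']}")
```

Running it shows the first line parsing identically under both patterns, while on the second line the thread's pattern backtracks from the right and reports `nagiosadmin:192.168.10.25 - Added host db01` as the username with `10.0.0.5` as the workstation IP, so audit records attributing an action to a user can end up with the wrong user and source address. The `USERNAME` variant keeps the fields intact. One more point worth knowing for the first filter in the thread, which has no `overwrite`: in real Logstash, capturing into an existing field appends rather than replaces, so `message` becomes an array of the raw line and the parsed text; the `overwrite => [ "message" ]` line in the second filter is what avoids that.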