Ok, so I told my XI to write the audit log to file and then attempted to send the file to NLS. I'm not seeing any entries, this was the output of configuring the file:
[root@iss-chi-nag05 ~]# bash setup-linux.sh -s xxxxxxxxx.com -p 5444 -f "/usr/local/nagiosxi/var/components/auditlog.log" -t XIAudit
Detected rsyslog 5.8.10
Detected rsyslog work directory /var/lib/rsyslog
Destination Log Server: xxxxxxxxxx.com:5444
Processing /usr/local/nagiosxi/var/components/auditlog.log file...
Creating /etc/rsyslog.d/90-nagioslogserver_usr_local_nagiosxi_var_components_auditlog.log.conf...
SELinux is disabled.
rsyslog configuration check passed.
Restarting rsyslog service with 'service'...
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Okay.
rsyslog is running with the new configuration.
Visit your Nagios Log Server dashboard to verify that logs are being received.
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
TwitsBlog Show me a man who lives alone and has a perpetually clean kitchen, and 8 times out of 9 I'll show you a man with detestable spiritual qualities.
First off, I typo'd the setup and put 5444 and not 5544. I modified the config fiel and restarted rsyslog, still no XIAudit data.....now to your questions....
Yes data is being received but its the syslog data that i setup long ago to get sent there.
[root@iss-chi-nag05 components]# cat /etc/rsyslog.d/90-nagioslogserver_usr_local_nagiosxi_var_components_auditlog.log.conf
$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/lib/rsyslog
# Input for XIAudit
$InputFileName /usr/local/nagiosxi/var/components/auditlog.log
$InputFileTag XIAudit:
$InputFileStateFile nls-state-usr_local_nagiosxi_var_components_auditlog.log # Must be unique for each file being polled
# Uncomment the folowing line to override the default severity for messages
# from this file.
#$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor
# Forward to Nagios Log Server and then discard, otherwise these messages
# will end up in the syslog file (/var/log/messages) unless there are other
# overriding rules.
if $programname == 'XIAudit' then @@iss-chi-nag07.net.itciss.com:5544
if $programname == 'XIAudit' then ~
EDIT: Just got back from lunch and all is working....no clue....but its working!
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
Just got back from lunch and all is working....no clue....but its working!
Good to hear! Are you sure you're seeing logs in near-real-time, or are they slightly in the future/past? It's possible that logs could be sending slightly in the future due to date discrepancies, which would cause the laggy behavior you noted.
TwitsBlog Show me a man who lives alone and has a perpetually clean kitchen, and 8 times out of 9 I'll show you a man with detestable spiritual qualities.
