Nagios Logserver integration : problem with filters

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
Locked
Johan159
Posts: 43
Joined: Mon Mar 30, 2015 8:05 am

Nagios Logserver integration : problem with filters

Post by Johan159 »

I have used the Nagios XI wizard for Nagios Logserver to configure on Nagios XI an alert that I defined a while ago on Nagios LS.

Right now, the alert on Nagios LS is green (no match).

The query string on Nagios LS is:

Code:

+SourceModuleName:HL7Processor +ERROR
Which means give me the records containing "ERROR" AND that are from the source "HL7Processor".

The wizard on Nagios XI generated this command:

Code:

check_nagioslogserver.php --url='http://vipnagioslog/nagioslogserver/' --apikey='20f34782f619f1620246f87911573e9f77d26b78' --minutes='10' --warn='1' --crit='5' --query='{"query":{"filtered":{"query":{"bool":{"should":[{"query_string":{"query":"+SourceModuleName:HL7Processor +ERROR"}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1430922548745,"to":1431008948746}}}]}}}}}'
The problem is that when this command check is fired, the "AND" logic seems to become an "OR" logic.

It indeed finds about 1300 matching records, while it should report 0.

And if I launch the command with only "+SourceModuleName:HL7Processor" and then only "+ERROR", I respectively get about 1000 and 300 matching records.

So, the bottom line is that the "AND" logic is replaced by "OR" when using that command. Is there any kind of syntax I should use to correct that?
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: Nagios Logserver integration : problem with filters

Post by jolson »

Try formatting your Lucene syntax in the following way:

Code:

SourceModuleName:HL7Processor AND ERROR
You might add the '+' characters if they are indeed part of the string. The above worked for me on Nagios Log Server version 1.4.0 - let me know if it works for you. Thanks!
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Nagios Logserver integration : problem with filters

Post by tmcdonald »

Lemme clean this up a bit:

Code:

check_nagioslogserver.php --url='http://vipnagioslog/nagioslogserver/' --apikey='20f34782f619f1620246f87911573e9f77d26b78' --minutes='10' --warn='1' --crit='5' --query='
{
  "query":{
    "filtered":{
      "query":{
        "bool":{
          "should":[
            {
              "query_string":{
                "query":"+SourceModuleName:HL7Processor +ERROR"
              }
            }
          ]
        }
      },
      "filter":{
        "bool":{
          "must":[
            {
              "range":{
                "@timestamp":{
                  "from":1430922548745,
                  "to":1431008948746
                }
              }
            }
          ]
        }
      }
    }
  }
}'
If you change the "should" to a "must" does that work? Or are you saying that the OR is taking place like "SourceModuleName:HL7Processor" OR "ERROR"? If that's the case, try keeping it as "should" and change the query to "SourceModuleName:HL7Processor" AND "ERROR".

Edit: Bah, Jesse beat me to it :)
Former Nagios employee
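
An added example (not code from any poster in this thread or from Nagios): a Python helper that builds the --query body with the explicit AND form suggested above and quotes it for the shell, plus a sanity check on match counts like the ones the original poster compared. The function names and the API key placeholder are assumptions; the flags, URL and timestamps are the ones posted in the thread.

```python
import json
import shlex


def and_query(terms):
    """Join Lucene terms with an explicit AND instead of relying on '+' prefixes."""
    terms = [t.strip() for t in terms if t and t.strip()]
    if not terms:
        raise ValueError("at least one query term is required")
    return " AND ".join(terms)


def build_body(terms, from_ms, to_ms):
    """Same JSON structure the wizard generated; only the query string differs."""
    return {"query": {"filtered": {
        "query": {"bool": {"should": [
            {"query_string": {"query": and_query(terms)}}]}},
        "filter": {"bool": {"must": [
            {"range": {"@timestamp": {"from": from_ms, "to": to_ms}}}]}},
    }}}


def looks_like_or(count_a, count_b, count_combined):
    """A true AND can never match more records than either term alone."""
    return count_combined > min(count_a, count_b)


def check_command(url, apikey, minutes, warn, crit, body):
    """Render the check command with every value safely shell-quoted."""
    args = [("--url", url), ("--apikey", apikey), ("--minutes", str(minutes)),
            ("--warn", str(warn)), ("--crit", str(crit)),
            ("--query", json.dumps(body, separators=(",", ":")))]
    return "check_nagioslogserver.php " + " ".join(
        f"{flag}={shlex.quote(value)}" for flag, value in args)


if __name__ == "__main__":
    body = build_body(["SourceModuleName:HL7Processor", "ERROR"],
                      1430922548745, 1431008948746)
    # API_KEY_PLACEHOLDER is a placeholder, not a real key.
    print(check_command("http://vipnagioslog/nagioslogserver/",
                        "API_KEY_PLACEHOLDER", 10, 1, 5, body))
    # Counts reported in the thread: ~1000 and ~300 alone, ~1300 combined.
    print("behaves like OR:", looks_like_or(1000, 300, 1300))
```
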
Johan159
Posts: 43
Joined: Mon Mar 30, 2015 8:05 am

Re: Nagios Logserver integration : problem with filters

Post by Johan159 »

Indeed, jolson's formatting solved my issue.

Thanks a lot for your help! You can mark this thread as solved ;)
bwallace
Posts: 1145
Joined: Tue Nov 17, 2015 1:57 pm

Re: Nagios Logserver integration : problem with filters

Post by bwallace »

Glad we were able to help. We'll lock this thread now and feel free to open another should you require assistance with anything else.