NagiosLog alarms if value is less than threshold

[gsl_ops_practice]

Hello,

We are currently using NagiosLogServer (v1.4) and NagiosXI (2014R2.7) together, it's a great package, NagiosLog is parsing Apache logs (and a large number of application logs), we are getting alarms from NagiosXI if we get more than a certain number of events per time period.

I need to create a monitor where I would get a warning event if we have fewer than 500 requests every 2 minutes, and critical if less than 50 every 2 minutes. Looking through the comments on this forum I was not able to come up with an answer, your assistance would be appreciated.

Sample check that works for values over what is expected, how to adjust for values less than expected?

Code: Select all

check_xi_service_nagioslogserver!--url='http://10.0.0.0/nagioslogserver/' --apikey='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' --minutes='2' --warn='1500' --crit='3000' --query='{"query":{"filtered":{"query":{"bool":{"should":[{"query_string":{"query":"*"}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1455722741485,"to":1455723041485}}},{"fquery":{"query":{"query_string":{"query":"*apache_access*"}},"_cache":true}}],"must_not":[{"fquery":{"query":{"query_string":{"query":"*XXXXXXXX*"}},"_cache":true}}]}}}}}'!!!!!!!

Thanks,
Alex

[rkennedy]

Does it work if you use 500: for warning and 50: for critical? See this table for more of an explanation -
https://nagios-plugins.org/doc/guidelin ... HOLDFORMAT

[gsl_ops_practice]

No, this does not produce the expected behavior.

Setting Warning to 2000 and Critical to 500, I get a critical alert when monitor value is 700.

Can you please provide an example based on my first post's code so I can try it?

Thanks,
Alex

[rkennedy]

As it should. Your warning should be below your critical in which case it isn't. The way this check currently works, is if it meets the threshold or not.

What I'm asking you to try and use is 500: - the important thing there is the colon. This is the logic we need to use as it'll report if less than. Take a look at this table -

plugins-warncrit.PNG

Try this -

Code: Select all

check_xi_service_nagioslogserver!--url='http://10.0.0.0/nagioslogserver/' --apikey='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' --minutes='2' --warn='500:' --crit='500:' --query='{"query":{"filtered":{"query":{"bool":{"should":[{"query_string":{"query":"*"}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1455722741485,"to":1455723041485}}},{"fquery":{"query":{"query_string":{"query":"*apache_access*"}},"_cache":true}}],"must_not":[{"fquery":{"query":{"query_string":{"query":"*XXXXXXXX*"}},"_cache":true}}]}}}}}'!!!!!!!

[gsl_ops_practice]

Thank you, that colon did the trick, I am now getting the correct behavior.

Please consider this request resolved.