Hi,
We are monitoring VPN tunnel connectivity using the logs from an ASA firewall. These logs are written to a syslog server, at /var/log/ASA/syslog.log. To monitor the logs we use check_logfiles (v3.6.2.1) on Nagios XI.
Below is the configuration file:
@searches = ({
    tag              => 'VPN_Tunnel_status',
    logfile          => '/var/log/ASA/syslog.log',
    criticalpatterns => [ 'Crypto tunnel is DOWN' ],
    okpatterns       => [ 'Crypto tunnel is UP' ],
    options          => 'sticky'
});
Now the issue is, whenever there is a down and an up log within a short period, Nagios considers it as "ok" since we use "sticky". (The glitch happens for 2 sec.)
Also, the specific log line has to be sent along with the notification.
Please assist.
Regarding log file monitoring
Re: Regarding log file monitoring
How often is your service checking the log file? Can you post the actual service definition that Nagios is using for this check so we can take a look at it?
I'm thinking we could lower the interval, which would help prevent the false positives.
Former Nagios Employee
-
inas.labib
- Posts: 170
- Joined: Tue Sep 11, 2012 3:48 am
Re: Regarding log file monitoring
Hi,
Please find the service definition below. We have check_interval=1min. Can we set it in seconds?
define service {
    host_name               log01server
    service_description     Test VPN Tunnel monitoring
    use                     xiwizard_nrpe_service
    check_command           check_nrpe!check_logfiles!-a '-f /usr/local/etc/VPN_Tunnel_status.cfg' !!!!!!
    max_check_attempts      1
    check_interval          1
    retry_interval          1
    check_period            xi_timeperiod_24x7
    notification_interval   1
    notification_period     xi_timeperiod_24x7
    notifications_enabled   0
    contacts                prasanna
    _xiwizard               linux-server
    register                1
}
Re: Regarding log file monitoring
1 minute is going to be the lowest you can go.
The underlying issue is going to be this part, as it's resetting the error counters on an OK log -
Code:
--okpattern=<regexp> A pattern which resets the error counters.
Which will reset the error counters. Could you perhaps have the check only scan for the criticalpatterns? You could also set sticky= to a specific interval which will allow the exitcode to last until it expires, or it finds an okpattern.
Code:
[no]sticky[=seconds] Controls whether an error is propagated through successive runs of check_logfiles. Once an error was found, the exitcode will be non-zero until an okpattern resets it or until the error expires after <second> seconds. Do not use this option until you know exactly what you do.
It sounds like this one is going to take some testing / playing around to get it working as you need it to. I read through the documentation and can't seem to find something that would do exactly what you're looking for unfortunately.
Former Nagios Employee
-
inas.labib
- Posts: 170
- Joined: Tue Sep 11, 2012 3:48 am
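Added example, not part of the thread and not check_logfiles code: a standalone Nagios-style plugin in Python that keeps a DOWN event from being cancelled by an UP line in the same check window, and puts the matching log line in the plugin output so it travels with the notification. Only the two patterns come from the thread; the function names, the JSON state file and the sample log lines are assumptions constructed for illustration.

```python
import json, os, re, sys

DOWN = re.compile(r"Crypto tunnel is DOWN")   # patterns taken from the thread
UP = re.compile(r"Crypto tunnel is UP")
OK, CRITICAL = 0, 2                           # Nagios plugin exit codes
SAMPLE = [                                    # constructed lines, not real ASA output
    "Jan 10 10:00:01 asa01 : Crypto tunnel is UP",
    "Jan 10 10:00:31 asa01 : Crypto tunnel is DOWN",
    "Jan 10 10:00:33 asa01 : Crypto tunnel is UP",
]

def read_new_lines(logfile, offset):
    """Return (complete lines appended since offset, new offset)."""
    if os.path.getsize(logfile) < offset:     # rotated or truncated: start over
        offset = 0
    with open(logfile, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n") + 1               # keep a half-written last line for the next run
    return data[:end].decode(errors="replace").splitlines(), offset + end

def evaluate(lines, down_line=None):
    """One check window -> (exit_code, output, DOWN line still in effect or None)."""
    flaps = 0
    for line in lines:
        if DOWN.search(line):
            down_line, flaps = line, flaps + 1
        elif UP.search(line) and down_line:
            last_down, down_line = down_line, None
    if down_line:                             # still down, possibly since an earlier run
        return CRITICAL, "CRITICAL - tunnel is DOWN: " + down_line, down_line
    if flaps:                                 # went down and came back inside this window
        return CRITICAL, "CRITICAL - tunnel went DOWN %d time(s) and recovered: %s" % (flaps, last_down), None
    return OK, "OK - no tunnel DOWN event since last check", None

def main(logfile, statefile):
    state = {"offset": 0, "down_line": None}
    if os.path.exists(statefile):
        with open(statefile) as fh:
            state = json.load(fh)
    lines, state["offset"] = read_new_lines(logfile, state["offset"])
    code, output, state["down_line"] = evaluate(lines, state["down_line"])
    with open(statefile, "w") as fh:
        json.dump(state, fh)
    print(output)
    return code

if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

With max_check_attempts 1, a 2-second flap produces one CRITICAL result carrying the DOWN line, followed by an OK result on the next run.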
Re: Regarding log file monitoring
Hi,
Thanks for the update. In this case we need to be notified for both "critical" and "ok" states.
Is there a better way to monitor the VPN tunnel connections from the firewall? Kindly advise.
(We use a Cisco ASA firewall.)
Thanks,
Re: Regarding log file monitoring
Since you need to monitor for both strings, and they're counteracting each other, I recommend setting up an individual service for each word. This will ensure that you do not miss anything.
Another option is to monitor the VPN by checking the TCP/UDP port it uses, but it wouldn't be as accurate as the log files.
Former Nagios Employee
-
inas.labib
- Posts: 170
- Joined: Tue Sep 11, 2012 3:48 am
Re: Regarding log file monitoring
Can we go for "SNMP traps"? Will they provide details about the VPN connectivity?
Re: Regarding log file monitoring
Yes, does the VPN support sending SNMP traps?
Former Nagios Employee