Monitor logs on geo location basis

[Thanis]

Hi,

we have configured the cisco devices to push syslog to Nagios Log server as per the steps recommended.
Successfully , we are receiving the logs generated by the devices.

Instead of the host ip. we would like to view hostname in the UI for the ip's. what should we need to do ?

Moreover , we would like to monitor (dashboard) log on entity (or) location basis. for example floor wise or building wise

Please give us the solution to configure geoip, geoip.location wise to view the output

[mcapra]

Filters are the general answer to all of these use cases. Here is a primer on what filters are and how to configure some simple ones:
https://assets.nagios.com/downloads/nag ... ilters.pdf

Instead of the host ip. we would like to view hostname in the UI for the ip's. what should we need to do ?

A dns filter rule can do this, assuming all of your Nagios Log Server instances can properly reach your DNS server(s). Here's a thread where that is implemented:
https://support.nagios.com/forum/viewto ... 37&t=40770

And here's the very basic filter rule:

Code: Select all

dns {
    reverse => [ "host" ]
    action => [ "replace" ]
    add_tag => [ "dns" ]
}

This will replace the host field in all of your messages, converting it from an IP address to a DNS resolved hostname.

Moreover , we would like to monitor (dashboard) log on entity (or) location basis. for example floor wise or building wise

Without knowing exactly how you're identifying what floor/building a given machine's hostname/address is located in, I can't offer specific advice. You could leverage conditional mutate filters and tagging to, based on the hostname/address, flag messages with specific metadata.

In pseudocode, and assuming you had already figured out how to identify the specific building and floor a message came from, here's a filter rule that tags the 12th floor of the west building as "accounting":

Code: Select all

if [building] == 'west' and [floor] == 12 {
    mutate {
        add_tag => [ "accounting" ]
    }
}

Or, instead of tagging, you can leverage an entirely new field by using the add_field setting of the mutate filter. Perhaps something like "department" as the name and "accounting" as the value in the above case.

Please give us the solution to configure geoip, geoip.location wise to view the output

Here's a very basic filter rule that applies a geoip filter to the ip field:
https://support.nagios.com/forum/viewto ... 33#p173280

Your actual field name that contains the ip address might be named something other than ip though, like host. The filter will be slightly different depending on which field holds the ip address.

[Thanis]

Many thanks for your reply, will try tomorrow and let you know.again thanks for your guidance.

[cdienger]

Please let us know your results after you've had a chance to test : )

[Thanis]

Please let us know your results after you've had a chance to test : )

I have followed the DNS Filter Rule but it doesn't change ip to hostname.

I have checked nslookup PF output below
--------------------------------------------------------------------------------
Output
[root@CQ218MAA ~]# nslookup 10.24x.xx.xxx
Server: 10.2x4.xx.1x
Address: 10.2x4.xx.1x#53

** server can't find xxx.xx.24x.10.in-addr.arpa.: NXDOMAIN
---------------------------------------------------------------------------------
So, I resolved ip locally on adding line in /etc/hosts file. As of now I used two hosts to resolve.
the below picture depicts host report and queried output

Here, I would like to change the IP to hostname. even I tried the dns filter rule. which doesn't work out.
As per the report picture (1.PNG) you could find both ip and hostname in bracket after I resolved locally.
but at the same time when I look at dashboard and filtered query it show "ip" in host field.
Please provide the solution.advance thanks

[cdienger]

The DNS filter requires a dns sever that is able to do reverse lookups to get the hosts' IP address and a /etc/hosts entry will not work for this. The unique hosts works differently.

[Thanis]

Thanks for your reply let me try and let you know

And have you got any document to configure Cisco switch to send it's geoip or geoip location to
NLS.

[cdienger]

We don't have anything specific to that, but adding fields will likely cause it to break syslog format and require custom filters to have the logs parsed properly. Check out the logstash section at https://support.nagios.com/kb/article/n ... ew-98.html which has details on how this can be done.

[mcapra]

We don't have anything specific to that, but adding fields will likely cause it to break syslog format and require custom filters to have the logs parsed properly.

And to be clear, this is not a problem that is specific to Nagios Log Server. Certain network device vendors (like Cisco) take liberties with the syslog protocol.

[cdienger]

We don't have anything specific to that, but adding fields will likely cause it to break syslog format and require custom filters to have the logs parsed properly.

And to be clear, this is not a problem that is specific to Nagios Log Server. Certain network device vendors (like Cisco) take liberties with the syslog protocol.

Absolutely. Thanks for the clarification