Configs page empty??

bpizzutiWHI · Post by **bpizzutiWHI** » Thu Mar 22, 2018 2:25 pm

This is a little wierd. Looks like the log server's config pages are completely empty.

Global Config View:

# 
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Thu, 22 Mar 2018 15:21:18 -0400
#

#
# Global inputs
#



#
# Local inputs
#



#
# Global filters
#



#
# Local filters
#



#
# Global outputs
#



#
# Local outputs
#

However, the listeners are still going, and the filters are still working. When this happened I noticed that the CONF files in /nagioslogserver/logstash/etc/conf.d/ had all been blanked, but I restored a recent backup there, and there's data. At this point should I just paste those files into new input and filter boxes? Seems like kind of a pain if so.

Post by **cdienger** » Fri Mar 23, 2018 11:04 am

Restarting the logstash service can automatically reload them:

service logstash restart

If that doesn't do the trick though then I would suggest updating it through the web UI in the method you described. It's usually just a few configs that need to be created so hopefully it isn't too painful. The filter{} wrapper is not needed when adding the filters eg:

Code: Select all

    if [program] == 'apache_access' {
        grok {
            match => [ 'message', '%{COMBINEDAPACHELOG}']
        }
        date {
            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z', 'MMM dd HH:mm:ss', 'ISO8601' ]
        }
        mutate {
            replace => [ 'type', 'apache_access' ]
             convert => [ 'bytes', 'integer' ]
             convert => [ 'response', 'integer' ]
        }
    }

    if [program] == 'apache_error' {
        grok {
            match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
        }
        mutate {
            replace => [ 'type', 'apache_error' ]
        }
    }

Instead of:

Code: Select all

filter {
    if [program] == 'apache_access' {
        grok {
            match => [ 'message', '%{COMBINEDAPACHELOG}']
        }
        date {
            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z', 'MMM dd HH:mm:ss', 'ISO8601' ]
        }
        mutate {
            replace => [ 'type', 'apache_access' ]
             convert => [ 'bytes', 'integer' ]
             convert => [ 'response', 'integer' ]
        }
    }

    if [program] == 'apache_error' {
        grok {
            match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
        }
        mutate {
            replace => [ 'type', 'apache_error' ]
        }
    }
}

bpizzutiWHI · Post by **bpizzutiWHI** » Fri Mar 23, 2018 11:30 am

Just FYI, restarting logstash didn't work. This wouldn't be a big deal except I have to go tweak one of the filters. Damn good thing I took a backup of the config files, but I do have quite a bit of custom stuff in there. Guess I'd better get started.

Post by **cdienger** » Fri Mar 23, 2018 3:39 pm

Another alternative would be to reload one of the backup configs found under Configure > Config Snapshots(download and review the config first to make sure it's a valid one). Hopefully it isn't a regular occurrence. I've seen this happen when there have been problems with the system - running out of memory or crashes.

Nagios Support Forum

Configs page empty??

Configs page empty??

Re: Configs page empty??

Re: Configs page empty??

Re: Configs page empty??