Determining which Alerts are Disabled because of User Action

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
MikeMAN987
Posts: 58
Joined: Fri Sep 29, 2017 9:57 am

Determining which Alerts are Disabled because of User Action

Post by MikeMAN987 »

Hi All,

I wanted to ask if there was a way to determine from either the configuration files or another way to find out all services/hosts that have notifications disabled due to user action and not a template? I know I can look back on the audit log and find out what action was taken (we use this often for historical items), however we have lots of servers that we are monitoring and NOT alerting on by default (i.e., our test/rd environments where we simply want to capture data) as the template disables the alerting, so without a way to find which ones were user initiated it would be a lot (11,000+ checks) to sift through.

Thanks for any insight!!

Regards,
Mike
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Determining which Alerts are Disabled because of User Ac

Post by benjaminsmith »

Hi Mike,
> I wanted to ask if there was a way to determine from either the configuration files or another way to find out all services/hosts that have notifications disabled due to user action and not a template?

The audit log provides a record of changes to the system such as changes to which host or template, but not that level of detail. However, if it helps, you can query the database to determine which hosts or services have notifications enabled or disabled. The configuration is stored in the nagiosql database.

Let me know if you have any other questions.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
SteveBeauchemin
Posts: 524
Joined: Mon Oct 14, 2013 7:19 pm

Re: Determining which Alerts are Disabled because of User Ac

Post by SteveBeauchemin »

If you want to start from this point going forward, you could monitor your log file.

I just started doing this so it is fresh in my mind. I am concerned about turning off notifications, which is permanent, versus Ack'ing alerts which makes more sense as it clears itself after recovery. So I started using a plugin to keep an eye on the log.
From the ConSol Labs site I found check_logfiles and found it to be very useful.

This config file can be tailored to get emails when someone does the bad thing.

Code:

$options = 'report=long';
$scriptpath = '/bin';
$protocolretention = '3';
$postscript = 'mailx';
$postscriptparams = '-s Nagios_Audit nagiosalerts@<your-email>.com < $CL_PROTOCOLFILE$';
@searches = ({
  tag => 'audit',
  logfile => '/usr/local/nagiosxi/var/components/auditlog.log',
  criticalpatterns => [
    'Pattern is Critical',              # place holder
  ],
  warningpatterns => [
    #'Pattern is Warning',   # place holder
    #'ACKNOWLEDGE',          # Ack a Service or Host issue
    'NOTIFICATIONS',        # Nagios Notification disabled or enabled
    #'FORCED',               # Nagios Force a check to run
    #'asqueraded',           # User is Masquerading
    #'applied a new configuration',   # Updated the Configuration
    #'account has not been setup',    # User login attempt but has no account
    #'nvalid username or password',   # User login attempt failure
    #'ser logged out',       # User manually logged out
  ],
  okpatterns => [
    'Pattern is Okay',       # This will override previous critical or warning matches - place holder
  ],
  criticalexceptions => [
    'Pattern is not Critical after all',   # This was seen as critical but is not - place holder
  ],
  warningexceptions => [
    'Pattern is not Warning after all',    # This was seen as warning but is not - place holder
  ],
  options => 'noperfdata',
});

In my case I actually grab the emails and feed the items I care about to a database so I can open a web page on it.

Service Config Name

Code:

svc-NRPE-Linux-Check-Logfile-Scrape-Nagios_Audit

Description

Code:

Check_Log_Nagios_Audit

Check Command

Code:

/usr/local/nagios/libexec/check_nrpe --unknown-timeout --timeout 120:3 --host $HOSTADDRESS$ --command $ARG1$ $ARG2$ $ARG3$ $ARG4$ $ARG5$ $ARG6$ $ARG7$ $ARG8$

Code:

$ARG1$ = check_logfiles
$ARG2$ = -a nagios-auditlog.cfg

nrpe ini entry

Code:

command[check_logfiles]=/usr/local/nagios/libexec/check_logfiles.pl --config /usr/local/nagios/libexec/cfg.d/$ARG1$ $ARG2$

I hope this helps.

Steve B
XI 5.7.3 / Core 4.4.6 / NagVis 1.9.8 / LiveStatus 1.5.0p11 / RRDCached 1.7.0 / Redis 3.2.8 /
SNMPTT / Gearman 0.33-7 / Mod_Gearman 3.0.7 / NLS 2.0.8 / NNA 2.3.1 /
NSClient 0.5.0 / NRPE Solaris 3.2.1 Linux 3.2.1 HPUX 3.2.1
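
Added example, not part of the original posts: the check_logfiles pattern above alerts on every NOTIFICATIONS line, while this script replays the same audit log to list the hosts and services whose notifications are still disabled by a user command (objects disabled only by a template never appear in the log). The sample lines and their "timestamp - user - command" layout are constructed assumptions; the code relies only on the Nagios Core external command names appearing at the end of a line.

```python
import re

# Per-object Nagios Core external commands that toggle notifications.
# Service descriptions may contain spaces, so the service field runs to the
# end of the line (assumption: the command is the last thing on the line).
# Bulk commands such as DISABLE_HOST_SVC_NOTIFICATIONS are not handled here.
CMD_RE = re.compile(
    r"\b(ENABLE|DISABLE)_(HOST|SVC)_NOTIFICATIONS;([^;\s]+)(?:;(.+))?"
)

# Constructed sample audit lines (layout is an assumption, not XI's format).
SAMPLE_LOG = """\
2020-11-02 09:14:07 - jdoe - DISABLE_SVC_NOTIFICATIONS;web01;HTTP
2020-11-02 09:20:31 - jdoe - DISABLE_HOST_NOTIFICATIONS;db01
2020-11-03 08:02:10 - asmith - ENABLE_SVC_NOTIFICATIONS;web01;HTTP
2020-11-03 11:45:52 - asmith - DISABLE_SVC_NOTIFICATIONS;app02;Disk Usage
2020-11-03 11:46:03 - asmith - ACKNOWLEDGE_SVC_PROBLEM;app02;Disk Usage
"""


def user_disabled(lines):
    """Replay audit lines in order.

    Returns {(host, service_or_None): audit_line} for every object whose most
    recent user action was a DISABLE, keeping that line as evidence.
    """
    disabled = {}
    for line in lines:
        match = CMD_RE.search(line.strip())
        if not match:
            continue  # unrelated audit entry (ack, login, config apply, ...)
        action, _kind, host, service = match.groups()
        key = (host, service.strip() if service else None)
        if action == "DISABLE":
            disabled[key] = line.strip()
        else:
            disabled.pop(key, None)  # a later ENABLE cancels the disable
    return disabled


if __name__ == "__main__":
    result = user_disabled(SAMPLE_LOG.splitlines())
    for (host, service), evidence in sorted(
        result.items(), key=lambda kv: (kv[0][0], kv[0][1] or "")
    ):
        print(f"{host} / {service or '(host)'} <- {evidence}")
```

The replay only knows about actions recorded since file logging was switched on, so anything disabled before that point has to be found through the audit log history in the web UI or database.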
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Determining which Alerts are Disabled because of User Ac

Post by benjaminsmith »

Thanks @SteveBeauchemin!

Let us know if you have any other questions.
MikeMAN987
Posts: 58
Joined: Fri Sep 29, 2017 9:57 am

Re: Determining which Alerts are Disabled because of User Ac

Post by MikeMAN987 »

Thank you all for the help.
MikeMAN987
Posts: 58
Joined: Fri Sep 29, 2017 9:57 am

Re: Determining which Alerts are Disabled because of User Ac

Post by MikeMAN987 »

Where is the default location on the filesystem for the audit log? I read the documentation and can only see it in the Web UI.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Determining which Alerts are Disabled because of User Ac

Post by benjaminsmith »

Hi Mike,

The audit log is stored in the xi_auditlog table in the nagiosxi database. The following command will pull everything from the audit log if you'd like to output this to a file.

Code:

echo "SELECT * FROM xi_auditlog\G" | mysql -uroot -pnagiosxi nagiosxi

Let me know if you have any other questions.
SteveBeauchemin
Posts: 524
Joined: Mon Oct 14, 2013 7:19 pm

Re: Determining which Alerts are Disabled because of User Ac

Post by SteveBeauchemin »

Admin tab > System Settings > General tab > at the bottom you will see "Write Audit Log to file:"

And a location.

Steve B
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Determining which Alerts are Disabled because of User Ac

Post by benjaminsmith »

Thanks again @SteveBeauchemin!

Let me know if you have any other questions.
MikeMAN987
Posts: 58
Joined: Fri Sep 29, 2017 9:57 am

Re: Determining which Alerts are Disabled because of User Ac

Post by MikeMAN987 »

Thank you both! Feel free to lock/close this one.
Locked