Windows events not showing up in log server

[tim.kroeger]

I'm starting to point all my devices to the log server. I have 11 devices pointed to it and Nagios is collecting logs from those hosts and everything is fine. I attempted to point 4 more windows hosts to send logs to the log server yesterday, but nagios isn't showing logs from those hosts. When I run tcpdump on the log server, I can see the logs coming in on port 3515 and I can see the log server acknowledging the traffic, but I dont see the logs when I query the server. Is there some kind of error log in Nagios that might tell me why they aren't being accepted? Thanks!

[cdienger]

Edit /etc/init.d/logstash and change line 64 from:

Code: Select all

DAEMON_OPTS="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS}"

to:

Code: Select all

DAEMON_OPTS="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS} --debug"

and restart the service with:

Code: Select all

systemctl daemon-reload
service logstash restart

Let this run just long enough to allow NLS to process some events from this host before reverting the config back. Debug logging will be saved to /var/log/logstash.log.

[tim.kroeger]

thanks for your help! The debug worked great. It helped me find the problem.

[scottwilkerson]

thanks for your help! The debug worked great. It helped me find the problem.

Great!

Locking thread