No logs

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
melani morales
Posts: 8
Joined: Fri Oct 30, 2020 10:14 am

No logs

Post by melani morales »

Hi!

I don't get any logs.

I reset the config log, but nothing.

I need your help.
Attachments: 2.PNG, 1.PNG
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: No logs

Post by cdienger »

Please send me a private message with a profile from the system. It can be gathered under Admin > System > System Status > Download System Profile or from the command line with:

Code:

/usr/local/nagioslogserver/scripts/profile.sh
This will create /tmp/system-profile.tar.gz.

Note that this file can be very large and may not be able to be uploaded in a PM. You can split the file into smaller files with the split command on the NLS (or other Linux machine) command line:

Code:

split -b 5000000 /tmp/system-profile.tar.gz system-profile- -d
The above command will split the system-profile.tar.gz into 5MB segments and save them to files with the naming convention system-profile-nn.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
melani morales
Posts: 8
Joined: Fri Oct 30, 2020 10:14 am

Re: No logs

Post by melani morales »

Hi!

I'm sorry, did you get the message?
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: No logs

Post by cdienger »

Logstash is starting and then stopping right away and it appears to be because of the pfsense filter under Configure > Global Config. You can disable this filter for the time being while we determine why it is causing the logstash process to crash.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: No logs

Post by cdienger »

Did you create a patterns file for the pfsense logs under /usr/local/nagioslogserver/etc/patterns/ ? The logstash process will crash if it doesn't have the patterns that the match uses. Use the patterns at https://raw.githubusercontent.com/patri ... se2-4.grok to create a patterns file under /usr/local/nagioslogserver/etc/patterns/. See also https://support.nagios.com/forum/viewto ... 38&t=60444 where I point out a modification I needed to make to get parsing to work properly - you may or may not need to do this depending on your log.
melani morales
Posts: 8
Joined: Fri Oct 30, 2020 10:14 am

Re: No logs

Post by melani morales »

Hi!

Thank you, and I'm sorry, but do you know where I can find that folder? I can't find that url path.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: No logs

Post by cdienger »

You would find the directories on the NLS command line:

Code:

ll /usr/local/nagioslogserver/etc/
If it doesn't exist there then you can create it:

Code:

mkdir /usr/local/nagioslogserver/etc/patterns/
chown nagios:nagios /usr/local/nagioslogserver/etc/patterns/
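As an added example (not part of the posts above and not Nagios tooling): a pre-flight check that lists grok patterns a filter references but that no pattern file defines, which is the condition described above as crashing logstash. The PFSENSE_EXAMPLE pattern name, the sample filter and the stand-in for Logstash's bundled patterns are constructed; on a real system pass the filter file, the bundled patterns directory and /usr/local/nagioslogserver/etc/patterns/.

```shell
#!/bin/sh
# Added example (not from the thread). Prints every grok pattern that a
# Logstash filter file references but that no pattern file defines.
# Assumption: grok pattern names are upper-case, so %{host}-style field
# references in other plugins are ignored.

# usage: missing_patterns FILTER_FILE PATTERN_DIR...
missing_patterns() (
    conf=$1; shift
    # A pattern file line is "NAME regex"; keep the NAME column.
    defined=$(find "$@" -type f -exec cat {} + 2>/dev/null |
        awk 'NF >= 2 && $1 ~ /^[A-Z][A-Z0-9_]*$/ { print $1 }' | sort -u)
    # References look like %{NAME} or %{NAME:field}.
    referenced=$(grep -oE '%\{[A-Z][A-Z0-9_]*' "$conf" | tr -d '%{' | sort -u)
    for name in $referenced; do
        printf '%s\n' "$defined" | grep -qxF "$name" || printf '%s\n' "$name"
    done
)

# Constructed demo: a filter using a hypothetical PFSENSE_EXAMPLE pattern.
# demo          -> custom patterns directory is empty
# demo define   -> a pattern file defining PFSENSE_EXAMPLE is present
demo() (
    work=$(mktemp -d) || exit 1
    mkdir "$work/bundled" "$work/patterns"
    # Stand-in for the patterns bundled with Logstash (constructed).
    printf 'IP [0-9.]+\nWORD [A-Za-z0-9_]+\n' > "$work/bundled/grok-patterns"
    cat > "$work/filter.conf" <<'EOF'
filter {
  if [program] == 'pfsense' {
    grok {
      match => [ 'message', '%{PFSENSE_EXAMPLE} %{IP:src_ip} %{WORD:proto}' ]
      patterns_dir => '/usr/local/nagioslogserver/etc/patterns'
    }
  }
}
EOF
    if [ "$1" = define ]; then
        printf 'PFSENSE_EXAMPLE %%{WORD:action}\n' > "$work/patterns/pfsense.grok"
    fi
    missing_patterns "$work/filter.conf" "$work/bundled" "$work/patterns"
    rm -rf "$work"
)

demo
```

An empty result means every referenced pattern has a definition in one of the directories given.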
melani morales
Posts: 8
Joined: Fri Oct 30, 2020 10:14 am

Re: No logs

Post by melani morales »

Hello!

Even though I removed pfsense, it still doesn't show me alerts.

Best regards
Melani
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: No logs

Post by cdienger »

Are you able to apply the configuration and does logstash stay running? Run:

Code:

systemctl status logstash -l
and restart it if needed:

Code:

systemctl restart logstash
and again check the status after 30 seconds.
melani morales
Posts: 8
Joined: Fri Oct 30, 2020 10:14 am

Re: No logs

Post by melani morales »

I executed the commands but I keep getting this message:

'No results There were no results because no indices were found that match your selected time span'

The filters are not applied because I get the following error:

{:timestamp=>"2020-12-17T08:53:01.581000-0300", :message=>"The given configuration is invalid. Reason: Expected one of #, => at line 96, column 20 (byte 2036) after filter {\n if [program] == 'apache_access' {\n grok {\n match => [ 'message', '%{COMBINEDAPACHELOG}']\n }\n date {\n match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z', 'MMM d HH:mm:ss', 'MMM dd HH:mm:ss', 'ISO8601' ]\n }\n mutate {\n replace => [ 'type', 'apache_access' ]\n convert => [ 'bytes', 'integer' ]\n convert => [ 'response', 'integer' ]\n }\n }\n \n if [program] == 'apache_error' {\n grok {\n match => [ 'message', '\\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\\] \\[%{WORD:class}\\] \\[%{WORD:originator} %{IP:clientip}\\] %{GREEDYDATA:errmsg}']\n }\n mutate {\n replace => [ 'type', 'apache_error' ]\n }\n }\n if [program] == 'xi_auditlog' {\n grok {\n match => [ 'message', '%{XIAUDITLOG_MESSAGE}' ]\n patterns_dir => '/usr/local/nagioslogserver/etc/patterns'\n overwrite => [ 'message' ]\n }\n date {\n match => [ 'timestamp', 'yyyy-MM-dd HH:mm:ss' ]\n }\n mutate {\n replace => [ 'type', 'xi_auditlog' ]\n }\n }\n if [program] == 'Syslog' {\n CSV {\n convertir", :level=>:fatal}
Locked