Send alerts based on audit log

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
lallmann
Posts: 1
Joined: Thu Apr 05, 2018 3:55 am

Send alerts based on audit log

Post by lallmann »

Hi!
I need to create alerts based on the Log Server Audit log. For example, I need to send email alerts to our CISO when a new Nagios Logserver user is created, modified and deleted.
Can anyone point me in the right direction?
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Send alerts based on audit log

Post by cdienger »

The first steps are to create an input to import the auditlog file and then parse it into meaningful fields. I used the following input:

Code:

file {
    type => "nlsauditlog"
    path => "/usr/local/nagioslogserver/var/auditlog.log"
}
and filter:

Code:

if [type] == 'nlsauditlog' {
    grok {
        match => {
            "message" => [
                "%{TIMESTAMP_ISO8601:date} created=%{INT:created} created_by=%{WORD:created_by} type=%{WORD:audit_log_type} message=%{DATA:message} source=%{DATA:source} ip_address=%{IP:ip_address}",
                "%{TIMESTAMP_ISO8601:date} created=%{INT:created} created_by=%{WORD:created_by} type=%{WORD:audit_log_type} message=%{DATA:message} node=%{UUID:node} source=%{GREEDYDATA:source}"
            ]
        }
        overwrite => [ 'message' ]
    }
}
Once that is done, you can use the dashboards to create a query to use in the alert:

https://assets.nagios.com/downloads/nag ... Server.pdf
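To make the parsing step concrete and to show how the alert condition from the question (user created, modified or deleted) can be checked on the extracted fields, here is an added Python example that is not part of the original post or of Nagios Log Server. The regexes mirror the two grok patterns above (grok's TIMESTAMP_ISO8601 and IP are simplified), and the sample lines and the "User ... was created" message wording are constructed assumptions, not real auditlog output.

```python
import re

# Regex equivalents of the two grok patterns in the filter above. grok's TIMESTAMP_ISO8601
# and IP are simplified here (ISO-8601 with optional zone; IPv4 only), which is an assumption.
TS = r"(?P<date>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?)"
HEAD = (TS + r" created=(?P<created>\d+) created_by=(?P<created_by>\w+)"
        r" type=(?P<audit_log_type>\w+) message=(?P<message>.*?)")
PATTERNS = [
    # first alternative: ... source=... ip_address=...
    re.compile(HEAD + r" source=(?P<source>.*?) ip_address=(?P<ip_address>\d{1,3}(?:\.\d{1,3}){3})$"),
    # second alternative: ... node=<uuid> source=<rest of line>
    re.compile(HEAD + r" node=(?P<node>[0-9a-fA-F-]{36}) source=(?P<source>.*)$"),
]

def parse_audit_line(line):
    """Return the fields of one auditlog line, or None if neither pattern matches
    (as with grok's pattern list, the first pattern that matches wins)."""
    for pat in PATTERNS:
        m = pat.match(line.strip())
        if m:
            return m.groupdict()
    return None

# Assumed wording of user-management audit messages; adjust to the real auditlog text.
USER_EVENT = re.compile(r"\buser\b.*\b(created|modified|updated|deleted)\b", re.IGNORECASE)

def user_management_alerts(lines):
    """Return one alert string per user create/modify/delete event, skipping lines that
    do not parse and events that are not about user accounts."""
    alerts = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or not USER_EVENT.search(ev["message"]):
            continue
        alerts.append("[NLS audit] %s by %s from %s: %s" % (
            ev["date"], ev["created_by"], ev.get("ip_address", "n/a"), ev["message"]))
    return alerts

# Constructed sample lines shaped like the grok patterns above (not real Log Server output).
SAMPLE_LOG = [
    "2018-04-05T09:12:44+00:00 created=1522919564 created_by=nagiosadmin type=INFO message=User jdoe was created source=User Management ip_address=192.0.2.10",
    "2018-04-05T09:15:02+00:00 created=1522919702 created_by=nagiosadmin type=INFO message=User jdoe was modified source=User Management ip_address=192.0.2.10",
    "2018-04-05T09:20:00+00:00 created=1522920000 created_by=system type=INFO message=Daily backup completed node=123e4567-e89b-12d3-a456-426614174000 source=Backup",
    "2018-04-05T09:31:17+00:00 created=1522920677 created_by=nagiosadmin type=INFO message=User jdoe was deleted source=User Management ip_address=198.51.100.7",
    "this line does not match either pattern",
]

if __name__ == "__main__":
    for alert in user_management_alerts(SAMPLE_LOG):
        print(alert)  # hand this string to your mail or alert hook
```

The backup line is parsed by the second pattern but produces no alert, and the unparseable line is skipped, which is the same behaviour you would want from the grok filter plus the dashboard query.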