I'm going to prefix the question by saying I know that these should be few and far between; however, I need to generate events for every instance of something found and include the instance.
I've tried creating a super simple one that just says message =~ /NOTIFICATION/. For testing I'm trying to trigger off of the Nagios XI and I'm not getting any hits. I have lots of messages flowing into the system where the message field contains NOTIFICATION, since I'm parsing the nagios.log on an XI server.
Any ideas why I'm not able to get real-time alerts to fire?
Real-Time Alert
Re: Real-Time Alert
I think you need to do this:
Code: Select all
message in "NOTIFICATION"
Let us know if that works for you.
Re: Real-Time Alert
I now see the below, and I get hits in the query alert but not in the real-time alert.
[message] in "NOTIFICATION"
Re: Real-Time Alert
Should I be seeing these filters being written to the "/usr/local/nagioslogserver/logstash/etc/conf.d" directory in one of the conf files? If so, I'm not currently seeing that.
Re: Real-Time Alert
I'm fairly confident I've nailed this down: the Apply Config, even though it passes the validation check, is NOT being written to Logstash and implemented. I added a new input type/port and it's not there either in the back-end config, nor do I see Logstash listening.
Where can I find more information on exactly what the Apply is doing for Logstash configurations from the Log Server UI?
Re: Real-Time Alert
Hi
The Apply Config updates:
/usr/local/nagioslogserver/logstash/etc/conf.d:
000_inputs.conf
500_filters.conf
501_live_filters.conf
998_live_outputs.conf
999_outputs.conf
Sounds like you suspect a bug - we haven't heard anything about this.
Let us know how it works out please.
Thanks
Re: Real-Time Alert
It's definitely not making changes to those files. No inputs or real-time alerts have their definitions pushed, even when the configuration passes validation.
I'm doing a fresh install right now to ensure there was nothing funky during install that's causing the issue.
Re: Real-Time Alert
Hi
Ok, sounds good. Could be a permissions issue.
Here's what I have:
-rw-rw-r--. 1 apache apache 594 May 27 09:05 000_inputs.conf
-rw-rw-r--. 1 apache apache 1921 May 27 09:05 500_filters.conf
-rw-rw-r--. 1 apache apache 861 May 27 09:05 501_live_filters.conf
-rw-rw-r--. 1 apache apache 242 May 27 09:05 998_live_outputs.conf
-rw-rw-r--. 1 apache apache 392 May 27 09:05 999_outputs.conf
Good luck, and let us know what you find please.
Thanks
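A small diagnostic for the two points raised in this thread, the list of pipeline files that Apply Config is supposed to rewrite and the apache:apache ownership shown above. This is an added example, not a script shipped with Nagios Log Server; it assumes the directory, file names and owner are exactly those quoted in the thread, and that you touch a reference file just before clicking Apply so that "stale" files can be spotted.

```shell
#!/bin/sh
# Added diagnostic (not part of Nagios Log Server): confirm that Apply Config
# actually rewrote the Logstash pipeline files and that their owner matches.
# Assumed defaults are the paths, file names and owner quoted in the thread.
CONF_DIR="${CONF_DIR:-/usr/local/nagioslogserver/logstash/etc/conf.d}"
EXPECTED_OWNER="${EXPECTED_OWNER:-apache}"
EXPECTED_FILES="000_inputs.conf 500_filters.conf 501_live_filters.conf 998_live_outputs.conf 999_outputs.conf"

# check_conf_dir DIR OWNER [REF_FILE]
# Returns 0 when every expected file exists, is non-empty, is owned by OWNER
# and (if REF_FILE is given) is newer than REF_FILE. Prints one line per problem.
check_conf_dir() {
    dir="$1"; owner="$2"; ref="$3"; rc=0
    for f in $EXPECTED_FILES; do
        p="$dir/$f"
        if [ ! -s "$p" ]; then
            echo "MISSING or empty: $p"; rc=1; continue
        fi
        # GNU stat first, BSD stat as fallback
        o=$(stat -c %U "$p" 2>/dev/null || stat -f %Su "$p")
        if [ "$o" != "$owner" ]; then
            echo "WRONG OWNER ($o, expected $owner): $p"; rc=1
        fi
        if [ -n "$ref" ] && [ ! "$p" -nt "$ref" ]; then
            echo "STALE (not rewritten since $ref): $p"; rc=1
        fi
    done
    return $rc
}

# port_listening PORT: 0 if some local TCP socket is listening on PORT,
# useful after adding a new input in the UI (requires the ss utility).
port_listening() {
    ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
}

# Typical use:
#   touch /tmp/before_apply            # then click Apply Config in the UI
#   check_conf_dir "$CONF_DIR" "$EXPECTED_OWNER" /tmp/before_apply
#   port_listening 5544                # whatever port the new input uses
```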
Re: Real-Time Alert
The install was bad... I'm now seeing configs change when applying. I'm going to get back to getting my real-time alerts to work and will follow up if my syntax doesn't work.
Re: Real-Time Alert
Sounds good - I'll leave this open for you.
Thanks