Nagios Support Forum

tacolover101 wrote:

hyacinth wrote:@kyang
I have tried both udp and tcp, but Splunk received nothing. Is there any config missed ? Besides, Is there any network requirement between NLS and Splunk ?

how are you trying to configure the sending? there are many options i see viable here:
1. splunk forwarder
2. NLS output (which is the code you're seeing above, by @mcapra)
3. syslog (using built in rsyslog)

I configured the sending by NLS output.

scottwilkerson wrote:

hyacinth wrote:@kyang
I have tried both udp and tcp, but Splunk received nothing. Is there any config missed ? Besides, Is there any network requirement between NLS and Splunk ?

You must pardon our ignorance, but we are not familiar with configuring Splunk, nor how you have configured your version of Splunk.

These setups are are hypothetical assuming you have splunk listening on the port and protocol specified, only you know that.

As for the config, it might help if we say yours from the Nagios Log Server, please run the following

Code: Select all

cat /usr/local/nagioslogserver/logstash/etc/conf.d/*

Dear Kyang,
I have run the cat commande, and saw the output config as attached without problem. I'll check splunk config and the network between NLS and splunk. If any good news will give you a feedback. TKS!

hyacinth wrote:Dear Kyang,
I have run the cat commande, and saw the output config as attached without problem. I'll check splunk config and the network between NLS and splunk. If any good news will give you a feedback. TKS!

It wasn't attached, however, let us know if the configs match your Splunk configs and you still have issues.

scottwilkerson wrote:

hyacinth wrote:Dear Kyang,
I have run the cat commande, and saw the output config as attached without problem. I'll check splunk config and the network between NLS and splunk. If any good news will give you a feedback. TKS!

It wasn't attached, however, let us know if the configs match your Splunk configs and you still have issues.

HI Scott,
Acutually we still have many problems about NLS.
Now our company are using Splunk and going to buy Naigos XI/LS/NA/Fusion. Both NLS and Splunk can collect syslog but Splunk cost too much, we want to know whether NLS can filter the log data first and then send the important or useful or key log data to Splunk. Is there any scheme can work on that ? Hope we can get Nagios professional support, thanks !

Yes, Nagios Log Server can filter and send important events to Splunk. I have done this with load-balanced outputs to Splunk forwarders using the syslog output rule.

As mentioned in my first post:

mcapra wrote:It sort of depends on some specifics of your Splunk architecture.

We still don't know anything about your Splunk setup, so we can't tell you the best way to configure Nagios Log Server to your liking.

hyacinth wrote:Is there any scheme can work on that ?

As mentioned in my first post, the most common solution is to configure a syslog output rule in Nagios Log Server which is pointed at a Splunk forwarder:

A very common way to forward messages from Logstash to Splunk generally is to use a syslog Logstash output rule pointed at a Splunk Heavy Forwarder or syslog aggregator:
https://www.elastic.co/guide/en/logstas ... yslog.html

Assuming your architecture includes one or several Splunk forwarders, I would suggest first getting that syslog output rule correctly configured in Nagios Log Server. Then once Splunk is receiving messages, you can worry about the filtering.

If you have trouble configuring the syslog output, that is definitely something we can assist with if you provide us with the error messages you receive. We simply cannot tell you exactly where to point the syslog output unless we know some basic stuff about your Splunk setup, though.

Here is another doc on creating filters
https://assets.nagios.com/downloads/nag ... ilters.pdf

@scottwilkerson
Thanks for your infomation. We are not so fimiliar with log server filter and output rule configuration. Assume we have bought Nagios enterprise products from Nagios Agent, can we make this a custom case to get more support ?

hyacinth wrote:@scottwilkerson
Thanks for your infomation. We are not so fimiliar with log server filter and output rule configuration. Assume we have bought Nagios enterprise products from Nagios Agent, can we make this a custom case to get more support ?

Yes purchases come with 10 support incidents and you could use one to learn to configure an output, however some on the learning and reading is still going to be on you because we do not always know what is best for your environment.