Re: sendin nagios core logs to the logserver
Posted: Wed Sep 23, 2020 9:12 am
by benhank
ok original file was 90 mb so I cut out sections
Re: sendin nagios core logs to the logserver
Posted: Thu Sep 24, 2020 9:59 am
by cdienger
Was that 90mb when compressed? I'm not finding the events in the snippets provided so if you could provide the full log that would be best.
Re: sendin nagios core logs to the logserver
Posted: Thu Sep 24, 2020 11:00 am
by benhank
Man, do I feel dumb, here is the file
Re: sendin nagios core logs to the logserver
Posted: Thu Sep 24, 2020 4:01 pm
by benhank
Oh, I failed to mention that I have two servers that are configured to send the logs from Nagios and the OS.
Both servers are sending the logs from the OS but I'm getting no data from Nagios parsed and displayed in the Nagios dashboards.
Re: sendin nagios core logs to the logserver
Posted: Fri Sep 25, 2020 10:53 am
by cdienger
The events are not going through the filters for some reason that isn't made immediately clear. Let's get a copy of the settings index from the NLS machine and I'll be able to take a closer look at the config. This can be gathered by running:
Code:
curl -XPOST 'http://localhost:9200/nagioslogserver/_export?path=/tmp/nagioslogserver.tar.gz'
The file it creates is /tmp/nagioslogserver.tar.gz. Please PM this file to me.
Re: sendin nagios core logs to the logserver
Posted: Fri Sep 25, 2020 3:05 pm
by benhank
sent
Re: sendin nagios core logs to the logserver
Posted: Mon Sep 28, 2020 4:38 pm
by cdienger
The issue here is that the "syslog" inputs are actually using tcp or udp inputs. For example, the default syslog input looks like:
Code:
syslog {
    type => 'syslog'
    port => 5544
}
But your config uses:
Code:
tcp {
    type => 'syslog'
    port => 5544
}
udp {
    type => 'syslog'
    port => 5544
}
I think the 'nagios_core' program name is not getting parsed as a result which is allowing the logs to bypass the filter. Try changing the first line of the filter config from:
to:
Code:
if [host] == 'xxx.xxx.xxx.xxx' and [message] =~ "nagios_core" {
where xxx.xxx.xxx.xxx is the IP address of your XI server.
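A simplified Python model of the behaviour described in the post above, added here as an example (it is not part of the original post and is not Logstash's own code). It builds the event a syslog-aware input would emit and the event a plain tcp/udp input would emit from the same line, then evaluates both styles of conditional. Assumptions: the sample line, the 192.0.2.10 placeholder address, the regex, and the field name `program` in the first conditional.

```python
import re

# Constructed sample line in RFC 3164 style, as an XI host might forward it.
SAMPLE = "<13>Sep 28 16:38:01 xi01 nagios_core: SERVICE ALERT: web01;HTTP;CRITICAL;HARD;3;timeout"
XI_IP = "192.0.2.10"  # placeholder (documentation range) for the XI server address

# Simplified stand-in for the header parsing a syslog-aware input applies.
SYSLOG_RE = re.compile(
    r"^<(?P<priority>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

def syslog_input_event(line, peer_ip):
    """Event from a syslog-aware input: header split out, message overwritten."""
    event = {"type": "syslog", "host": peer_ip, "message": line}
    m = SYSLOG_RE.match(line)
    if m:
        event.update({k: v for k, v in m.groupdict().items() if v is not None})
    return event

def raw_input_event(line, peer_ip):
    """Event from a plain tcp/udp input: the whole line stays in 'message'."""
    return {"type": "syslog", "host": peer_ip, "message": line}

def matches_program(event):
    # Conditional keyed on the parsed program field (assumed form of such a test).
    return event.get("program") == "nagios_core"

def matches_host_and_message(event):
    # Conditional from the post: host equality plus a regex match on message.
    return event.get("host") == XI_IP and bool(re.search("nagios_core", event.get("message", "")))

def evaluate(line=SAMPLE, peer_ip=XI_IP):
    """Return which conditional matches for each input style."""
    out = {}
    for name, build in (("syslog", syslog_input_event), ("tcp/udp", raw_input_event)):
        ev = build(line, peer_ip)
        out[name] = {"program": matches_program(ev), "host+message": matches_host_and_message(ev)}
    return out

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

In this model the host-plus-message conditional matches only the unparsed tcp/udp event, because the parsed event no longer carries the program tag inside `message`.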
Re: sendin nagios core logs to the logserver
Posted: Mon Sep 28, 2020 4:44 pm
by benhank
ok, but before I do it, is that verbatim or is the "~" a typo? Just being sure, man =D
Re: sendin nagios core logs to the logserver
Posted: Tue Sep 29, 2020 9:42 am
by benhank
ok, the apply config worked. Now I'm just waiting to see if any data comes in
Re: sendin nagios core logs to the logserver
Posted: Tue Sep 29, 2020 2:41 pm
by benhank
ok after making the adjustments the dashboards are still blank