Re: Cisco Switch Logs
Posted: Tue Mar 31, 2015 4:31 pm
by jolson
Please verify that your permissions are correct:
Code:
ls -l /usr/local/nagioslogserver/logstash/etc/conf.d/
Can you post your inputs that you defined globally? I would like to take a look at them.
Re: Cisco Switch Logs
Posted: Wed Apr 01, 2015 1:27 pm
by ssavaso
[root@localhost conf.d]# more 000_inputs.conf
#
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Tue, 31 Mar 2015 17:12:55 -0400
#
#
# Global inputs
#
#
# Local inputs
#
input {
    syslog {
        type => 'syslog'
        port => 514
    }
}
[root@localhost conf.d]# more 500_filters.conf
#
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Tue, 31 Mar 2015 17:12:55 -0400
#
#
# Global filters
#
filter {
    if [program] == 'apache_access' {
        grok {
            match => [ 'message', '%{COMBINEDAPACHELOG}']
        }
        date {
            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
        }
        mutate {
            replace => [ 'type', 'apache_access' ]
            convert => [ 'bytes', 'integer' ]
            convert => [ 'response', 'integer' ]
        }
    }
    if [program] == 'apache_error' {
        grok {
            match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
        }
        mutate {
            replace => [ 'type', 'apache_error' ]
        }
    }
}
#
# Local filters
#
[root@localhost conf.d]# more 999_outputs.conf
#
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Tue, 31 Mar 2015 17:12:55 -0400
#
#
# Required output for Nagios Log Server
#
output {
    elasticsearch {
        cluster => '81d8dd31-4078-4c51-a8d3-9d102bb9cd6c'
        host => 'localhost'
        index_type => '%{type}'
        node_name => '474fc199-f9b8-4f20-ad18-e65d39bb7345'
        protocol => 'transport'
        workers => 4
    }
}
#
# Global outputs
#
#
# Local outputs
#
[root@localhost conf.d]#
Re: Cisco Switch Logs
Posted: Wed Apr 01, 2015 1:30 pm
by ssavaso
This is from the web interface.
tcp {
    type => 'import_json'
    tags => 'import_json'
    port => 2057
    codec => json
}
tcp {
    type => 'import_raw'
    tags => 'import_raw'
    port => 2056
}
tcp {
    type => 'eventlog'
    port => 3515
    codec => json {
        charset => 'CP1252'
    }
}
syslog {
    type => 'syslog'
    port => 514
}
syslog {
    type => 'syslog'
    port => 514
}
Re: Cisco Switch Logs
Posted: Wed Apr 01, 2015 1:42 pm
by jolson
Please remove one of your syslog entries - you cannot have multiple inputs on the same port (unless they are using different protocols). After that, Apply Configuration and let us know if that works. Thanks!
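An added example, not part of the original thread and not Nagios Log Server code: a Python check that reads Logstash input blocks like the ones posted above and reports every protocol/port pair claimed by more than one input. It assumes multi-line plugin blocks as formatted in the thread and that the syslog input binds both TCP and UDP; the function names and the SAMPLE text are constructed for illustration.

```python
import re
from collections import defaultdict

# Transports each input plugin binds (assumption: syslog listens on TCP and UDP).
PLUGIN_PROTOCOLS = {"tcp": {"tcp"}, "udp": {"udp"}, "syslog": {"tcp", "udp"}}

# Constructed sample modelled on the inputs posted in the thread.
SAMPLE = """
tcp {
    type => 'eventlog'
    port => 3515
    codec => json {
        charset => 'CP1252'
    }
}
syslog {
    type => 'syslog'
    port => 514
}
syslog {
    type => 'syslog'
    port => 514
}
"""

def find_listeners(text):
    """Yield (plugin, port) per input block; works with or without an 'input {' wrapper."""
    depth, plugin, base = 0, None, 0
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        opener = re.match(r"\s*(\w+)\s*\{", line)
        if plugin is None and opener and opener.group(1) in PLUGIN_PROTOCOLS:
            plugin, base = opener.group(1), depth
        port = re.match(r"\s*port\s*=>\s*(\d+)", line)
        if port and plugin and depth == base + 1:   # ignore nested codec settings
            yield plugin, int(port.group(1))
        depth += line.count("{") - line.count("}")
        if plugin and depth <= base:          # plugin block closed
            plugin = None

def find_conflicts(text):
    """Return {(protocol, port): [plugins]} for sockets claimed more than once."""
    claims = defaultdict(list)
    for plugin, port in find_listeners(text):
        for proto in PLUGIN_PROTOCOLS[plugin]:
            claims[(proto, port)].append(plugin)
    return {sock: users for sock, users in claims.items() if len(users) > 1}
```

Running find_conflicts over the concatenated contents of the conf.d input file before applying configuration flags the doubled syslog entry, while a tcp and a udp input sharing one port number pass.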
Re: Cisco Switch Logs
Posted: Wed Apr 01, 2015 2:06 pm
by ssavaso
I deleted the last entry and every time I do that it returns.
Re: Cisco Switch Logs
Posted: Wed Apr 01, 2015 2:19 pm
by jolson
Did you define any local inputs or filters as shown in my screenshot? If so, I recommend deleting them and using Global Configuration exclusively.
Re: Cisco Switch Logs
Posted: Wed Apr 01, 2015 5:04 pm
by ssavaso
I did and that is when everything started working.
The red circle keeps coming back no matter how many times I delete it.
Re: Cisco Switch Logs
Posted: Wed Apr 01, 2015 5:05 pm
by jolson
Great - so is everything working well? Do you have any questions?
Re: Cisco Switch Logs
Posted: Wed Apr 01, 2015 5:10 pm
by ssavaso
What I mean is when I defined the local port to the local instance that is when everything started working.
Re: Cisco Switch Logs
Posted: Thu Apr 02, 2015 9:29 am
by jolson
Can you please show me your logstash configuration file?
Also, from the Web GUI please remove the local input. We will stick with a Global input for now.
I would also like you to verify permissions:
Code:
ls -l /usr/local/nagioslogserver/logstash/etc/conf.d/
Best,
Jesse