Re: Can we export logs to SIEM System
Posted: Tue Sep 06, 2016 9:35 am
by tmcdonald
That's a bit out of scope for this forum. If you need assistance writing code I would have to ask you to speak to one of the developers on your team. We can help with getting things into Nagios, but writing custom code for a remote system is out of scope.
Re: Can we export logs to SIEM System
Posted: Wed Sep 07, 2016 9:35 am
by sgiworks
Wouldn't you support installing a plugin in Nagios Log Server from the website that you provided?
Re: Can we export logs to SIEM System
Posted: Wed Sep 07, 2016 9:40 am
by eloyd
I don't work for Nagios, but I'm sure the answer is something like "Nagios supports Nagios software. You're asking for assistance installing a logstash output filter that is not part of the software included with Nagios Log Server. Therefore, it is not supported by Nagios."
In other words, just because they are using logstash under the hood does not mean that Nagios Enterprises can support everything that can be done with logstash.
Re: Can we export logs to SIEM System
Posted: Wed Sep 07, 2016 10:03 am
by tmcdonald
eloyd wrote: I don't work for Nagios, but I'm sure the answer is something like "Nagios supports Nagios software. You're asking for assistance installing a logstash output filter that is not part of the software included with Nagios Log Server. Therefore, it is not supported by Nagios."
In other words, just because they are using logstash under the hood does not mean that Nagios Enterprises can support everything that can be done with logstash.
Actually my answer was in response to a request for assistance to help "write a code", which would be out of scope. Might have been a misunderstanding on my part - I thought he wanted us to write new software or modify existing software.
sgiworks wrote: Wouldn't you support installing a plugin in Nagios Log Server from the website that you provided?
This would just be a simple output filter most likely, not a whole plugin. The difference being that plugins are generally written by Logstash devs to handle a certain type of input or codec, whereas filters tend to be written by end users to manipulate data once it is in the system already.
Probably we would be looking at configuring this plugin, by means of writing a filter it can run:
https://www.elastic.co/guide/en/logstas ... -http.html
So we would need to know what sort of API this HTTP endpoint is using so we know how to format the output.
I'll also point out that we cannot guarantee that a given plugin/version will work since they were not written by us, but we will do what we can.
Re: Can we export logs to SIEM System
Posted: Wed Sep 07, 2016 10:17 am
by rkennedy
I just tested the basic functionality, and it appears to be working at that level.
[root@localhost nagioslogserver]# logstash/bin/plugin install logstash-output-http
Validating logstash-output-http
Installing logstash-output-http
Installation successful
I then added an output:
http {
    url => "http://192.168.3.115"
    http_method => "post"
}
Taking a look at the access_log on my XI machine:
::1 - - [07/Sep/2016:11:13:22 -0400] "POST /nagiosxi/backend/ HTTP/1.1" 200 808 "-" "BinGet/1.00.A (http://www.bin-co.com/php/scripts/load/)"
::1 - - [07/Sep/2016:11:13:42 -0400] "POST /nagiosxi/backend/ HTTP/1.1" 200 808 "-" "BinGet/1.00.A (http://www.bin-co.com/php/scripts/load/)"
192.168.47.1 - - [07/Sep/2016:11:13:50 -0400] "POST HTTP/1.1" 400 313 "-" "-"
192.168.47.1 - - [07/Sep/2016:11:13:50 -0400] "POST HTTP/1.1" 400 313 "-" "-"
192.168.47.1 - - [07/Sep/2016:11:13:50 -0400] "POST HTTP/1.1" 400 313 "-" "-"
192.168.47.1 - - [07/Sep/2016:11:13:50 -0400] "POST HTTP/1.1" 400 313 "-" "-"
192.168.47.1 - - [07/Sep/2016:11:13:50 -0400] "POST HTTP/1.1" 400 313 "-" "-"
192.168.47.1 - - [07/Sep/2016:11:13:50 -0400] "POST HTTP/1.1" 400 313 "-" "-"
I can see it's successfully posting. I didn't configure it with any data, but it should work at this point if I were to. A guide that may help you is this one -
http://blog.eagerelk.com/how-to-configu ... sh-output/
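As an added check (example code written for this thread, not from the post above or from Nagios): the access_log excerpt shows 200 responses for the XI backend's own requests (client ::1) and 400 responses for the requests from the Logstash host (192.168.47.1), whose request line also lacks a path ("POST HTTP/1.1"). A 400 means the web server rejected the request, so the quickest way to confirm that the http output is really being accepted is to parse the log by source IP and status. The sample lines below are constructed after the excerpt; the sender address is a parameter.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the access_log excerpt in the post above
# (one request from the XI backend itself, two from the Logstash host).
SAMPLE_ACCESS_LOG = """\
::1 - - [07/Sep/2016:11:13:22 -0400] "POST /nagiosxi/backend/ HTTP/1.1" 200 808 "-" "BinGet/1.00.A (http://www.bin-co.com/php/scripts/load/)"
192.168.47.1 - - [07/Sep/2016:11:13:50 -0400] "POST HTTP/1.1" 400 313 "-" "-"
192.168.47.1 - - [07/Sep/2016:11:13:50 -0400] "POST HTTP/1.1" 400 313 "-" "-"
"""

# Apache/httpd "combined" log format. The request field is captured loosely on
# purpose so that malformed request lines such as "POST HTTP/1.1" (no path)
# still parse instead of being silently dropped.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = rec["request"].split(" ")
    # A well-formed request line has exactly three parts: method, path, protocol.
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) == 3 else None
    return rec


def summarize(log_text, sender_ip):
    """Count responses by status for requests that came from the Logstash host."""
    statuses = Counter()
    malformed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client"] != sender_ip:
            continue
        statuses[rec["status"]] += 1
        if rec["path"] is None:
            malformed += 1
    accepted = sum(n for s, n in statuses.items() if 200 <= s < 300)
    rejected = sum(n for s, n in statuses.items() if s >= 400)
    return {
        "by_status": dict(statuses),
        "accepted": accepted,
        "rejected": rejected,
        "malformed_request_line": malformed,
    }


def output_is_healthy(log_text, sender_ip):
    """True only if the endpoint accepted at least one event and rejected none."""
    s = summarize(log_text, sender_ip)
    return s["accepted"] > 0 and s["rejected"] == 0


if __name__ == "__main__":
    for ip in ("::1", "192.168.47.1"):
        print(ip, summarize(SAMPLE_ACCESS_LOG, ip),
              "healthy" if output_is_healthy(SAMPLE_ACCESS_LOG, ip) else "rejected")
```

Run it against the real access_log with the address of the Log Server host; a non-zero `rejected` or `malformed_request_line` count means the endpoint is not actually ingesting anything yet, whatever the Logstash side reports.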
Re: Can we export logs to SIEM System
Posted: Mon Aug 21, 2017 6:38 pm
by sgiworks
Hi again,
I have installed the logstash-output-csv plugin on a new Log Server, and I am trying to configure dashboard results as output. Can you help me with the script for the 'Windows Failed Logons' dashboard results here?
[root@IWKSEASPAINLS01 bin]# /usr/local/nagioslogserver/logstash/bin/plugin install logstash-output-csv
Validating logstash-output-csv
Installing logstash-output-csv
Installation successful
Example:
csv {
    fields => ['host', 'message']
    path => '/tmp/test.csv'
}
Re: Can we export logs to SIEM System
Posted: Tue Aug 22, 2017 8:33 am
by mcapra
That is not how the logstash-output-csv plugin works. This plugin takes events that are in the Logstash pipeline, and writes them out to CSV. It can't work with results that are currently stored in Elasticsearch.
As mentioned in the other thread, if you can navigate Elasticsearch queries well enough, this application might be of use:
https://github.com/mcapra/nagios-nlsexport
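To illustrate the distinction mcapra draws (added example, not code from the thread, from the linked nagios-nlsexport project or from Nagios): events already indexed in Elasticsearch have to be read back with a search query and then written to CSV by the caller; a Logstash output never sees them again. The sketch below builds a filtered query for a time window, converts the returned hits to CSV rows, and skips hits that lack a required field. The Elasticsearch URL, index pattern and the field name `EventID` are assumptions, and the response is a constructed sample in the shape Elasticsearch returns.

```python
import csv
import io
import json
import urllib.request

# Constructed sample of an Elasticsearch _search response (shape only; field
# names such as EventID are assumptions, not taken from Nagios Log Server).
SAMPLE_RESPONSE = json.loads("""
{
  "hits": {
    "total": 3,
    "hits": [
      {"_index": "logstash-2017.08.21", "_id": "a1",
       "_source": {"@timestamp": "2017-08-21T18:00:01Z", "host": "ws01",
                   "EventID": 4625, "message": "An account failed to log on"}},
      {"_index": "logstash-2017.08.21", "_id": "a2",
       "_source": {"@timestamp": "2017-08-21T18:00:09Z", "host": "ws02",
                   "EventID": 4625, "message": "An account failed to log on"}},
      {"_index": "logstash-2017.08.21", "_id": "a3",
       "_source": {"@timestamp": "2017-08-21T18:00:15Z", "host": "ws01",
                   "message": "event without an EventID field"}}
    ]
  }
}
""")


def build_query(event_id, since, until, size=500):
    """Query body for 'events with this EventID in a time window', oldest first.
    Windows logs a failed logon as EventID 4625; the field name is an assumption."""
    return {
        "size": size,
        "sort": [{"@timestamp": {"order": "asc"}}],
        "query": {"bool": {"filter": [
            {"term": {"EventID": event_id}},
            {"range": {"@timestamp": {"gte": since, "lte": until}}},
        ]}},
    }


def search(es_url, index, body):
    """POST the query to Elasticsearch and return the decoded response.
    (Not exercised offline; es_url/index are hypothetical, e.g. http://localhost:9200.)"""
    req = urllib.request.Request(
        f"{es_url}/{index}/_search",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def hits_to_rows(response, fields, required=()):
    """Flatten _source of each hit into a row; drop hits missing a required field."""
    rows = []
    for hit in response.get("hits", {}).get("hits", []):
        src = hit.get("_source", {})
        if any(f not in src for f in required):
            continue
        rows.append({f: src.get(f, "") for f in fields})
    return rows


def rows_to_csv(rows, fields):
    """Serialise rows as CSV text with a header line (csv module handles quoting)."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore", lineterminator="\n")
    w.writeheader()
    for r in rows:
        w.writerow(r)
    return buf.getvalue()


if __name__ == "__main__":
    fields = ["@timestamp", "host", "EventID", "message"]
    # Offline: use the constructed response instead of search(...).
    rows = hits_to_rows(SAMPLE_RESPONSE, fields, required=("EventID",))
    print(rows_to_csv(rows, fields))
```

For a live export you would call `search("http://localhost:9200", "logstash-*", build_query(4625, since, until))` and paginate (or use the scroll API) when more than `size` hits match; the CSV writer is the same either way.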
Re: Can we export logs to SIEM System
Posted: Tue Aug 22, 2017 9:42 am
by cdienger
Did mcapra's post help you?