Log monitoring question
Posted: Mon Dec 08, 2014 8:50 am
by gabrotherton
Hi Everyone! I have a question for the experts.
Using Nagios XI 2014R2.0 (currently in 60 day trial mode while we get the PO for a license)
OS is Red Hat Enterprise 6.5, 64 bit
Proxy is in place and working correctly (Nagios XI installed flawlessly)
Many of our managed systems host user-space applications which write output to text files (logs, outputs, errors, etc). We are required to monitor multiple log files outside the usual syslog, error_log, httpd.log, etc. When certain patterns are matched, we need to know immediately.
Which Nagios plugin, or combination of plugins, would be best suited for this? Would the NRPE or NRDP agent be required, or beneficial, for sending a message back to the Nagios XI server?
Note: I'm working with the check_log plugin version 2.0.3. The 5th line down says "Last Modified: 07-31-1999" by Ethan. This seems dated, but I'm OK with "if it's not broke, don't fix it."
Re: Log monitoring question
Posted: Mon Dec 08, 2014 10:52 am
by tmcdonald
How many logs on how many systems are you looking to monitor?
If you don't mind a shameless sales pitch, we actually have a new product called Nagios Logserver that handles exactly this sort of thing. If you are looking to do even a moderate amount of log monitoring, I would definitely give it a try:
http://www.nagios.com/products/nagios-log-server
Same as with XI, you get a fully-featured 60-day trial and an additional 30 days since it is a newer product and we want to give people ample time to test it out.
Otherwise, looking at our Nagios Exchange I can see a few plugins listed. This one seems to be fairly simple but should do what you need:
http://exchange.nagios.org/directory/Pl ... nt/details
Just run it actively through NRPE or passively through NRDS/NRDP and you should be good to go.
Re: Log monitoring question
Posted: Mon Dec 08, 2014 1:29 pm
by gabrotherton
Hello,
Nagios log server may be a bit much. We have about 8 machines, each running about 3 safety-critical applications total.
I have been trying to test NRPE to use check_log to read /var/log/httpd/access_log-20141207 on a remote system by running at the Nagios CLI:
(as root)# ./check_nrpe -H 123.45.67.89 -c check_log /var/log/httpd/access_log-20141201 /tmp/httpd_access nagios
which produces this error:
Log check error: Log file -O does not exist!
and when I configure the NRPE service from the Nagios web interface, this error is displayed under the host details:
"Log check error: Log file /var/log/httpd/access_log-20141201 does not exist!"
I have manually verified both files /tmp/httpd_access and /var/log/httpd/access_log-20141201 do exist in the FS of the monitored machine. I even tried opening permissions 777 on the directories.
I'm really unsure about how to correct this problem with check_log, which is why I wanted to see if a better plugin would work.
Additional guidance is welcome.

Re: Log monitoring question
Posted: Mon Dec 08, 2014 5:58 pm
by sreinhardt
Honestly, I can't even suggest a good alternative compared with log server. In your case, with only 8 systems currently, you could very likely get by with the free license just fine. As for why I can't suggest alternatives, there is just no alternative for being able to correlate your log data from multiple locations, alert and create dashboards displaying data you care about in a meaningful way. Also it prevents having to muck about with different plugins that need to keep a state of the last monitored location, which can be sketchy at times. Finally, the integration with XI and ability to alert on nearly any field in any log at any time just blows everything else out of the water.
If you really need to use plugins and XI, check_log is not a bad option. There are a few alternatives, but they are all largely the same: only really able to string match or alert on number of entries. I'd suggest su-ing to the nagios user and seeing if you can access the check_log plugin and the apache access logs.
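The "state of the last monitored location" that the post above says log plugins have to keep, shown as an added example that is not part of the thread and is not the check_log plugin's own code. The function name check_new_lines, the script name and the JSON state-file format are assumptions made for illustration; unlike check_log, it scans the whole file on its first run.

```python
#!/usr/bin/env python3
# Added example (hypothetical, not check_log): stateful log check, Nagios exit codes.
import json, os, re, sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin return codes

def check_new_lines(log_path, state_path, pattern):
    """Scan only complete lines appended since the last run; return (code, text)."""
    try:
        st = os.stat(log_path)
    except OSError as exc:
        return UNKNOWN, f"UNKNOWN - cannot stat {log_path}: {exc.strerror}"
    try:
        with open(state_path) as fh:
            state = json.load(fh)
    except (OSError, ValueError):
        state = {}  # first run or unreadable state: scan from the top
    if not isinstance(state, dict):
        state = {}
    offset = state.get("offset", 0)
    # Rotated (new inode) or truncated (file shrank): the old offset is meaningless.
    if state.get("inode") != st.st_ino or st.st_size < offset:
        offset = 0
    regex, count = re.compile(pattern.encode()), 0
    try:
        with open(log_path, "rb") as fh:
            fh.seek(offset)
            for line in fh:
                if not line.endswith(b"\n"):
                    break  # writer is mid-line; pick it up on the next run
                offset += len(line)
                count += bool(regex.search(line))
        tmp = state_path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump({"inode": st.st_ino, "offset": offset}, fh)
        os.replace(tmp, state_path)  # atomic swap: never leaves half a state file
    except OSError as exc:
        return UNKNOWN, f"UNKNOWN - {exc.filename}: {exc.strerror}"
    # Report a count only: log content is written by remote clients and should not
    # be echoed into plugin output, where "|" starts performance data.
    if count:
        return CRITICAL, f"CRITICAL - {count} new line(s) match {pattern!r}"
    return OK, f"OK - no new lines match {pattern!r}"

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("UNKNOWN - usage: check_new_lines.py <logfile> <statefile> <regex>")
        sys.exit(UNKNOWN)
    code, text = check_new_lines(*sys.argv[1:])
    print(text)
    sys.exit(code)
```

The state file has to be writable by the user the check runs as, and the log file readable by that same user.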
Re: Log monitoring question
Posted: Tue Dec 09, 2014 9:05 am
by gabrotherton
Thank you Spenser. We are getting a dedicated server along with our Nagios XI licenses. Can the Log Server run on the same system as XI? I have not put much research into the log server product, however we are going to use the Nagios Network Scanning tool.
Re: Log monitoring question
Posted: Tue Dec 09, 2014 10:50 am
by tmcdonald
Our official stance on that is to keep a separate server for each product. You are certainly free to try running them on the same one, but that's not something we typically provide support for.
Re: Log monitoring question
Posted: Wed Dec 10, 2014 9:05 am
by gabrotherton
This thread can be closed.