
Config check

Posted: Thu May 14, 2015 11:00 am
by WillemDH
Wouldn't it be a nice feature if NLS could compare the config to be saved with the actual config in /usr/local/nagioslogserver/logstash/etc/conf.d/* and show some kind of error?

I seem to have missed a comma somewhere in a filter, resulting in me finding this out several changes later, making it kind of not easy to pinpoint the problem. This shouldn't be too much work and could prevent many headaches for your NLS customers? :)

Grtz

Willem

Re: Config check

Posted: Thu May 14, 2015 11:51 am
by jolson
Did the 'verify config' button display any errors when you clicked it? If it did not, could you post the configuration that didn't work? I have already submitted the feature request, but it would be good to have a working example ready for when the devs take a look at this.

Re: Config check

Posted: Thu May 14, 2015 11:56 am
by WillemDH
Jesse,

Try this:

Code:

if [type] == "eventlog" {
    mutate {
        remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
        rename => [ "Severity", "severity_label" ]
        lowercase => [ "severity_label" ]
        rename => [ "SeverityValue", "severity" ]
        rename => [ "Hostname", "hostname" ]
        lowercase => [ "hostname" ]
        gsub => [ 
            "severity_label", "info", "informational",
        ]
    }
}

The error is in the comma behind informational.

To be honest I just discovered the Verify button. Wouldn't it make more sense if config was verified each time after save and apply?

EDIT 1: Seems like something is still wrong with the above, just noticed the gsub isn't working.. Investigating...

EDIT 2: Hmm I'm not sure why my gsub in this example isn't working. In my f5 filter I have it working perfectly. Verified config. It's written fine. Tried:

Code:

    if [type] == "eventlog" {
        mutate {
            gsub => [
                "Severity", "info", "informational"
            ]
            remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
            rename => [ "Severity", "severity_label" ]
            lowercase => [ "severity_label" ]
            rename => [ "SeverityValue", "severity" ]
            rename => [ "Hostname", "hostname" ]
            lowercase => [ "hostname" ]
        }
    }

Putting the gsub in the beginning on Severity (before I renamed the field). Do you happen to see something missing? I'm getting kind of tired.. Gonna take a break..

Grtz

Re: Config check

Posted: Thu May 14, 2015 12:01 pm
by jolson
Let me know what you find out - I've added to the feature request to include a run of 'Verify' before the 'Apply Configuration' takes place.

Re: Config check

Posted: Fri May 15, 2015 7:34 am
by WillemDH

Code:

if [type] == "eventlog" {
    mutate {
        remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
        rename => [ "Severity", "severity_label" ]
        lowercase => [ "severity_label" ]
        rename => [ "SeverityValue", "severity" ]
        rename => [ "Hostname", "hostname" ]
        lowercase => [ "hostname" ]
        gsub => [ 
            "severity_label", "info", "informational"
        ]
    }
}

The above is not working. I don't know why, I suspect it has something to do with renaming the field I'm trying to gsub. (although I also tried with the original field name)

The only way I could make it work was by splitting the gsub from the rename in a separate filter:

Code:

    if [type] == "eventlog" {
        mutate {
            remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
            rename => [ "Severity", "severity_label" ]
            lowercase => [ "severity_label" ]
            rename => [ "SeverityValue", "severity" ]
            rename => [ "Hostname", "hostname" ]
            lowercase => [ "hostname" ]
        }
    }

    if [type] == "eventlog" {
        mutate {
            gsub => [
                "severity_label", "info", "informational"
            ]
        }
    }

Or in a separate mutate in the same filter:

Code:

if [type] == "eventlog" {
    mutate {
        remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
        rename => [ "Severity", "severity_label" ]
        lowercase => [ "severity_label" ]
        rename => [ "SeverityValue", "severity" ]
        rename => [ "Hostname", "hostname" ]
        lowercase => [ "hostname" ]
    }
    mutate {
        gsub => [ 
            "severity_label", "info", "informational"
        ]
    }
}

You can close this thread if you want. Tx for the feature request.

Re: Config check

Posted: Fri May 15, 2015 9:24 am
by jolson
No problem - glad you got your filter working properly. Interesting that gsub doesn't appear to be active unless it's separated from the other parameters. Thanks for letting us know - I'll lock it up.
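
Added example, not part of the thread and not Nagios Log Server or Logstash code: a small Python model of why the single-block filter leaves severity_label untouched while the split version works. It assumes the mutate filter's documented fixed execution order (rename, then gsub, then lowercase, whatever order the options are written in) and that Severity arrives upper-case, such as "INFO"; the sample event and all function and variable names are constructed for illustration.

```python
import re

# Assumption: mutate runs its options in a fixed order, not the written order.
# Only the three operations relevant to this thread are modelled.
MUTATE_ORDER = ("rename", "gsub", "lowercase")


def apply_mutate(event, options):
    """Apply one modelled mutate block to a copy of the event."""
    event = dict(event)
    for op in MUTATE_ORDER:
        if op not in options:
            continue
        if op == "rename":
            for old, new in options["rename"].items():
                if old in event:
                    event[new] = event.pop(old)
        elif op == "gsub":
            # gsub is a flat list of (field, pattern, replacement) triples.
            triples = options["gsub"]
            for i in range(0, len(triples), 3):
                field, pattern, repl = triples[i:i + 3]
                if isinstance(event.get(field), str):
                    event[field] = re.sub(pattern, repl, event[field])
        else:  # lowercase
            for field in options["lowercase"]:
                if isinstance(event.get(field), str):
                    event[field] = event[field].lower()
    return event


def run_filter(event, blocks):
    """Run consecutive mutate blocks, as a filter section would."""
    for options in blocks:
        event = apply_mutate(event, options)
    return event


# Constructed sample event; the upper-case Severity value is an assumption.
SAMPLE = {"type": "eventlog", "Severity": "INFO", "Hostname": "SRV01"}
RENAME = {"Severity": "severity_label", "Hostname": "hostname"}
LOWER = ["severity_label", "hostname"]
GSUB = ["severity_label", "info", "informational"]

SINGLE = [{"rename": RENAME, "lowercase": LOWER, "gsub": GSUB}]
SPLIT = [{"rename": RENAME, "lowercase": LOWER}, {"gsub": GSUB}]
OLD_NAME = [{"rename": RENAME, "lowercase": LOWER,
             "gsub": ["Severity", "info", "informational"]}]
```

In this model SINGLE and OLD_NAME both end with severity_label equal to "info", because gsub runs before lowercase and after rename, while SPLIT yields "informational".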