Real-time Log File from NSClient++

Posted: Tue Jun 23, 2015 8:31 am
by matthewk2
Hi All,

I am currently using the latest stable 0.4.3 version of NSclient and am currently struggling to monitor changes to log-files in real-time.

I have followed the guide at http://blog.medin.name/blog/2012/11/26/ ... ext-files/

by adding the following to my nsclient.ini;

Code: Select all

[settings/logfile/real-time/checks/logfile]
file=c:/test2.log
target=CACHE
critical=column1 like 'error'
column split=;

and then running;

Code: Select all

echo error;error >>c:\test2.log

I can see the change by issuing the following to 'nscp test --log info';

Code: Select all

check_cache key=logfile

The problem I have is when I try to change the name of the index, i.e. change;

Code: Select all

[settings/logfile/real-time/checks/logfile]

to

Code: Select all

[settings/logfile/real-time/checks/brokerserver]

in nsclient.ini. If I restart the service and instead issue the command;

Code: Select all

check_cache key=brokerserver

I get a message;

Code: Select all

cli UNKNOWN: Entry not found

Also if I try to use the 'maximum age' field in NSclient.ini this seems to have no effect or change the log location I don't get the expected result.

Thanks in advance,

Matthew

Re: Real-time Log File from NSClient++

Posted: Tue Jun 23, 2015 10:42 am
by jolson
I tested this on my end, and came up with the following working configuration:

Code: Select all

[/modules]
SimpleFileWriter = enabled
SimpleCache = enabled
NSCAClient = enabled
CheckLogFile = enabled

[/settings/NSCA/client/targets/default]
address=192.168.x.x:5667
encryption=none
password=password

[/settings/logfile/real-time]
enabled = true

[/settings/logfile/real-time/checks/logfile]
file = c:/test/test.log
destination = NSCA,CACHE,FILE
filter = column1 like 'hello'
critical = column2 like 'world'
column split=;

The issue that I came across is that everything entered into the log file via the 'echo hello;world' command will be considered to be in column1, despite the separator being defined.

The primary problem is that the syntax was changed. What used to be called 'column separator' is now called 'column split'. You can see the revised documentation here: http://docs.nsclient.org/reference/Chec ... mn%20split

Let me know if the above works for you, I expect it will.

Best,


Jesse

Re: Real-time Log File from NSClient++

Posted: Wed Jun 24, 2015 5:23 am
by matthewk2
Hi there Jesse, Thanks for the reply.

I noticed the change in syntax, as is shown in my original post. The problem I was having is that I want to monitor several files on the same server. When I try to change the name away from 'logfile' I don't seem to be able to monitor for the new log file. I guess I want to move from this;

Code: Select all

[settings/logfile/real-time/checks/logfile]
file=c:/test2.log
target=CACHE
critical=column1 like 'error'
column split=;

To have multiple instances similar to this;

Code: Select all

[settings/logfile/real-time/checks/broker]
file=c:/brokerserver/broker.log
target=CACHE
critical=column1 like 'error'
column split=;

[settings/logfile/real-time/checks/parser]
file=c:/parserserver/parser.log
target=CACHE
critical=column1 like 'error'
column split=;

When I run the command;

Code: Select all

check_cache key=broker --info log

I get the error message;

Code: Select all

cli UNKNOWN: Entry not found

which suggests it can't find the key 'broker'

Thanks, Matthew

Re: Real-time Log File from NSClient++

Posted: Wed Jun 24, 2015 1:22 pm
by tgriep
I found this on the NSClient++ site.

file (CheckLogFile, check_logfile)
File to read (can be specified multiple times to check multiple files).
Notice that specifying multiple files will create an aggregate set it will not check each file individually.
In other words if one file contains an error the entire check will result in error or if you check the count it is the global count which is used.

files (CheckLogFile, check_logfile)
A comma separated list of files to scan (same as file except a list)

It looks like you create one entry for the logfiles and then give it multiple files to check by changing the file= setting to files=file1, file2, file3 and so on.

Re: Real-time Log File from NSClient++

Posted: Thu Jun 25, 2015 2:30 am
by matthewk2
Thank you for your reply.

This would be fine if the log file were in the same format. I would need to search for different text in different files.

I was really hoping for something a bit more flexible.

Re: Real-time Log File from NSClient++

Posted: Thu Jun 25, 2015 9:43 am
by jolson
I spent some time testing this, and it does work properly for me.

I want you to make sure of the following:

- You're running the latest version of NSClient (0.4.3.143)
- Your NSClient configuration is saved, and the NSClient service is in a stopped state
- Your NSClient configuration is proper - mine for reference:

Code: Select all

[/settings/logfile/real-time]
enabled = true

[/settings/logfile/real-time/checks/logfile]
file = c:/test/test.log
target=CACHE
filter = column1 like 'hello'
critical = column2 like 'world'
column split=;

[/settings/logfile/real-time/checks/logfile2]
file = c:/test/test2.log
target=CACHE
filter = column1 like 'hallo'
critical = column2 like 'wurld'
column split=;

After you have verified that your configuration is proper and NSClient is up to date, I want you to start NSClient in test mode from an administrative cmd prompt/powershell:

Code: Select all

cd c:\program files\nsclient++
nscp.exe test

After starting nscp, generate logs - one for each index - and make certain that they're being detected properly.

Code: Select all

echo hello;world >> c:\test\test.log

In your running 'nscp test' prompt, you should see:

D cache Adding to index: logfile

And the other index:

Code: Select all

echo hallo;wurld >> c:\test\test2.log

D cache Adding to index: logfile2

At this point, you know that cached data exists on the server. Let's query from nrpe:

Code: Select all

[root@localhost libexec]# ./check_nrpe -H 192.168.x.x -c check_cache -a key=logfile
c:/test/test.log: 1 (hello, world , )|
[root@localhost libexec]# ./check_nrpe -H 192.168.x.x -c check_cache -a key=logfile2
c:/test/test2.log: 1 (hallo, wurld , )|

No issues on my end. Let me know if this helps.
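
Added example (not part of the thread and not NSClient++ code): a simplified Python model of how the two check sections in the configuration above route a new log line to its own cache key, which is what lets each file be searched for different text. It assumes `like` is a substring match and that a line passing `filter` but not `critical` is reported as OK; `load_checks`, `like` and `route` are hypothetical helper names.

```python
import configparser

# Constructed sample: the two real-time check sections from the post above.
SAMPLE_INI = """
[/settings/logfile/real-time/checks/logfile]
file = c:/test/test.log
target=CACHE
filter = column1 like 'hello'
critical = column2 like 'world'
column split=;

[/settings/logfile/real-time/checks/logfile2]
file = c:/test/test2.log
target=CACHE
filter = column1 like 'hallo'
critical = column2 like 'wurld'
column split=;
"""

PREFIX = "/settings/logfile/real-time/checks/"

def load_checks(ini_text):
    """Return {cache_key: options}; the last path element is the check_cache key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return {s[len(PREFIX):]: dict(cp[s]) for s in cp.sections() if s.startswith(PREFIX)}

def like(expr, columns):
    """Evaluate "columnN like 'text'" (assumption: plain substring match)."""
    field, _, needle = expr.partition(" like ")
    idx = int(field.strip()[len("column"):]) - 1
    return idx < len(columns) and needle.strip().strip("'") in columns[idx]

def route(checks, path, line):
    """Return [(cache_key, status)] for each check watching `path` whose filter matches."""
    hits = []
    for key, opt in checks.items():
        if opt["file"].lower() != path.lower():
            continue  # each section only sees lines from its own file
        cols = line.split(opt["column split"])
        if like(opt["filter"], cols):
            # Assumption: filter selects the line, critical decides the status.
            status = "CRITICAL" if like(opt["critical"], cols) else "OK"
            hits.append((key, status))
    return hits
```

cmd's `echo hello;world >> file` keeps the space before `>>`, so the line fed to `route` is `"hello;world "`, which matches the `world ` column in the check_nrpe output above.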