audit log to file

Posted: Sun Nov 01, 2015 6:57 am
by WillemDH
Hello,

Just a few informative questions about this feature in XI 5:

Write Audit Log to file: When checked all audit log events will be written to /usr/local/nagiosxi/var/components/auditlog.log

Where are the audit logs located if they are not written to file? The mysql db? Is this auditlog.log file rotated? I'm guessing this is done to be able to send it to NLS?
Is there someone who made a nice grok filter for this logfile yet?

Grtz

Willem

Re: audit log to file

Posted: Mon Nov 02, 2015 12:45 pm
by jdalrymple
WillemDH wrote: Where are the audit logs located if they are not written to file? The mysql db?
nagiosxi database to be certain. Postgres in older versions, mysql in the new version.
WillemDH wrote: Is there someone who made a nice grok filter for this logfile yet?
You'd think - not to the best of my knowledge. Try this though:

filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601} - %{GREEDYDATA:source} \[%{NUMBER:id}\] %{GREEDYDATA:username}:%{IP:ipaddress} - %{GREEDYDATA:message}" }
  }
}

Re: audit log to file

Posted: Thu Nov 05, 2015 4:22 am
by WillemDH
JR,

I can confirm your grok filter works. I made some small changes to it:

if [type] == "nagios-audit" {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601} - %{GREEDYDATA:nagiossource} \[%{NUMBER:nagiosid}\] %{GREEDYDATA:nagiosusername}:%{IP:workstationip} - %{GREEDYDATA:message}" }
    overwrite => [ "message" ]
    add_tag => "grokked_file_nagios_audit"
  }
}
Thanks. Please close.
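To check what the two grok filters in this thread actually extract before shipping the file to a log server, here is an added Python example (not from the forum posts, not Nagios XI code) that parses the same line layout with an equivalent regular expression. The field names follow WillemDH's version; the timestamp pattern is a simplified stand-in for grok's TIMESTAMP_ISO8601, and the sample log lines are constructed for the example, not real auditlog.log output. Lines that do not match are collected separately, mirroring the _grokparsefailure tag Logstash would add.

```python
import re
from typing import Dict, List, Optional, Tuple

# Python equivalent of the grok pattern from the thread:
#   %{TIMESTAMP_ISO8601} - %{GREEDYDATA:nagiossource} \[%{NUMBER:nagiosid}\]
#   %{GREEDYDATA:nagiosusername}:%{IP:workstationip} - %{GREEDYDATA:message}
# The timestamp branch is a simplified ISO 8601 form (assumption, not grok's full definition).
# GREEDYDATA is greedy in grok; here source and username are non-greedy so that a
# message containing "[" or ":" cannot be swallowed into the earlier fields.
AUDIT_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?(?:Z|[+-]\d{2}:?\d{2})?)"
    r" - (?P<nagiossource>.+?) \[(?P<nagiosid>\d+)\] "
    r"(?P<nagiosusername>.+?):(?P<workstationip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<message>.*)$"
)

# Constructed sample lines in the layout the grok filter expects (not real Nagios XI output).
SAMPLE_LINES: List[str] = [
    "2015-11-02 12:45:10 - Nagios XI [17] nagiosadmin:192.0.2.10 - Logged in",
    "2015-11-02 12:46:02 - Nagios XI [18] nagiosadmin:192.0.2.10 - Added host testhost",
    "this line does not match the audit format",
]


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields for one audit line, or None when it does not match.

    Like `overwrite => ["message"]` in the second filter, the extracted text after
    the last " - " becomes the `message` field; the full input line is kept as `raw`.
    """
    m = AUDIT_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    event = m.groupdict()
    event["raw"] = line.rstrip("\n")
    return event


def parse_audit_log(lines: List[str]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Parse many lines; unmatched lines are returned separately (grok's _grokparsefailure)."""
    events: List[Dict[str, str]] = []
    failures: List[str] = []
    for line in lines:
        event = parse_audit_line(line)
        if event is None:
            failures.append(line)
        else:
            events.append(event)
    return events, failures


def events_by_user(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count parsed events per (username, workstation IP) pair, a simple review aid."""
    counts: Dict[str, int] = {}
    for event in events:
        key = f"{event['nagiosusername']}@{event['workstationip']}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    parsed, bad = parse_audit_log(SAMPLE_LINES)
    for ev in parsed:
        print(ev["timestamp"], ev["nagiosusername"], ev["workstationip"], ev["message"])
    print("unparsed lines:", len(bad))
    print("events per user:", events_by_user(parsed))
```

Run it against a copy of auditlog.log by replacing SAMPLE_LINES with the file's lines; any line that ends up in the failures list is one the grok filter would also fail to parse, which is worth knowing before relying on the parsed fields for alerting.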