Configured linux file and not seeing in NLS

Posted: Thu Nov 05, 2015 11:24 am
by BanditBBS
Ok, so I told my XI to write the audit log to file and then attempted to send the file to NLS. I'm not seeing any entries, this was the output of configuring the file:

[root@iss-chi-nag05 ~]# bash setup-linux.sh -s xxxxxxxxx.com -p 5444 -f "/usr/local/nagiosxi/var/components/auditlog.log" -t XIAudit
Detected rsyslog 5.8.10
Detected rsyslog work directory /var/lib/rsyslog
Destination Log Server: xxxxxxxxxx.com:5444
Processing /usr/local/nagiosxi/var/components/auditlog.log file...
Creating /etc/rsyslog.d/90-nagioslogserver_usr_local_nagiosxi_var_components_auditlog.log.conf...
SELinux is disabled.
rsyslog configuration check passed.
Restarting rsyslog service with 'service'...
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Okay.
rsyslog is running with the new configuration.
Visit your Nagios Log Server dashboard to verify that logs are being received.

Re: Configured linux file and not seeing in NLS

Posted: Thu Nov 05, 2015 11:36 am
by jolson
That output looks good - can you verify that packets are being sent from XI to NLS on port 5544?

On NLS:

tcpdump -n host <xi ip address> and dst port 5544

I'm also interested in seeing the rsyslog.conf file that was generated on your XI machine.

cat /etc/rsyslog.d/90-nagioslogserver_usr_local_nagiosxi_var_components_auditlog.log.conf

Re: Configured linux file and not seeing in NLS

Posted: Thu Nov 05, 2015 11:45 am
by BanditBBS
First off, I typo'd the setup and put 5444 and not 5544. I modified the config file and restarted rsyslog; still no XIAudit data... now to your questions...

Yes, data is being received, but it's the syslog data that I set up long ago to get sent there.

Here is that config file:

[root@iss-chi-nag05 components]# cat /etc/rsyslog.d/90-nagioslogserver_usr_local_nagiosxi_var_components_auditlog.log.conf
$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/lib/rsyslog

# Input for XIAudit
$InputFileName /usr/local/nagiosxi/var/components/auditlog.log
$InputFileTag XIAudit:
$InputFileStateFile nls-state-usr_local_nagiosxi_var_components_auditlog.log # Must be unique for each file being polled
# Uncomment the following line to override the default severity for messages
# from this file.
#$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Forward to Nagios Log Server and then discard, otherwise these messages
# will end up in the syslog file (/var/log/messages) unless there are other
# overriding rules.
if $programname == 'XIAudit' then @@iss-chi-nag07.net.itciss.com:5544
if $programname == 'XIAudit' then ~

EDIT: Just got back from lunch and all is working... no clue... but it's working!
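
An added check, not from the thread or from Nagios's setup-linux.sh, that parses the forwarding rule out of a generated rsyslog.d conf and flags a destination port that differs from the NLS listener, i.e. the 5444/5544 typo above; the sample conf, its host name and the probe_tcp helper are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from Nagios's setup-linux.sh.
# Parses the forwarding rule in a generated rsyslog.d conf and flags a
# destination port that does not match the NLS listener (the 5444/5544 typo).

# Constructed sample conf; the host name is a placeholder, not a real NLS.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
$ModLoad imfile
$InputFileName /usr/local/nagiosxi/var/components/auditlog.log
$InputFileTag XIAudit:
$InputRunFileMonitor
if $programname == 'XIAudit' then @@nls.example.invalid:5444
if $programname == 'XIAudit' then ~
EOF

# Print "tag proto host port" for each forwarding rule (legacy syntax:
# @@ = TCP, single @ = UDP). The discard rule ("~") is skipped.
forward_rules() {
    awk -v q="'" '$1 == "if" && $2 == "$programname" && $5 == "then" &&
                   $6 ~ /^@@?[^:]+:[0-9]+$/ {
        tag = $4; gsub(q, "", tag)
        proto = (substr($6, 1, 2) == "@@") ? "tcp" : "udp"
        target = $6; sub(/^@@?/, "", target); split(target, hp, ":")
        print tag, proto, hp[1], hp[2]
    }' "$1"
}

# Succeed only if TAG is forwarded over TCP to EXPECTED_PORT.
check_forwarding() {
    conf=$1; tag=$2; expected_port=$3; status=missing
    while read -r t proto host port; do
        [ "$t" = "$tag" ] || continue
        if [ "$proto" = tcp ] && [ "$port" = "$expected_port" ]; then
            echo "OK: $tag -> $host:$port/tcp"; status=ok
        else
            echo "MISMATCH: $tag -> $host:$port/$proto, NLS listens on $expected_port/tcp"
            status=bad; break
        fi
    done <<EOF
$(forward_rules "$conf")
EOF
    if [ "$status" = missing ]; then echo "NO RULE: nothing forwards tag $tag"; fi
    [ "$status" = ok ]
}

# Live reachability check (bash only, uses /dev/tcp): run it from the XI host
# before reaching for tcpdump on the NLS side.
probe_tcp() { timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

check_forwarding "$SAMPLE_CONF" XIAudit 5544 || echo "fix the port in $SAMPLE_CONF and restart rsyslog"
```

Run it against the real conf with the port NLS actually listens on; an empty dashboard with a healthy rsyslog restart is exactly the case a wrong port or an unreachable listener produces.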

Re: Configured linux file and not seeing in NLS

Posted: Thu Nov 05, 2015 6:01 pm
by jolson
> Just got back from lunch and all is working... no clue... but it's working!

Good to hear! Are you sure you're seeing logs in near-real-time, or are they slightly in the future/past? It's possible that logs could be sending slightly in the future due to date discrepancies, which would cause the laggy behavior you noted.