Nagios Support Forum

I am new to Nagios Log server but was asked the following question. What is the advantage for Log server to collect logs that you cannot already do with Nagios XI?

Log monitoring with Nagios XI is limited to what you can do. For example you may search a log to find a specific entry, which may trigger a critical alert, however the next time the search is done the check goes back to OK, so it might not be as helpful. Also, you only generally see the last status output. In addition, you are parsing log files every time a check is done, adding load to the server being monitored.

Log Server on the other hand stores all the logs it receives. You can then search the results that you have received and generate alerts based on things like "this event appeared 3 times in the last 10 minutes". Log server is a good auditing tool, once the log is sent from the original server, if someone deletes the log on the original server then it's still available on log server.

Basically Log Server allows you to report on the data received, and store it for historical reasons.

That being said, Log Server keeps ALL its logs (up to a limit that you decide), so you may be keeping hundreds of gigabytes of data, or more, depending on how much you're logging and how long you retain it. This, however, lets you go back and look at any time in the past, not just the most recent things.

Thanks @eloyd and @Box293!

@tmartin149 let us know if you have additional questions.