
How to insert tagging (source tag) into the conf file

Posted: Thu Oct 06, 2016 6:27 am
by dlukinski
Hello LOG Support

Please help with inserting a source tag into the attached conf file.
What would be the syntax to tag this source as "TEST"?

---

Figured one out to be based off the incoming port.

Trying to add port 4446 via iptables, but no success (no incoming data).
Please help (recall some issues with LOG vs Firewall from the past).

Re: How to insert tagging (source tag) into the conf file

Posted: Thu Oct 06, 2016 3:00 pm
by rkennedy
I believe you'll actually want to tag it based on the input, on the NLS side.

Simply create a new input like this for port 4446 -


tcp {
    type => 'yourtag'
    port => 3515
    codec => json {
        charset => 'CP1252'
    }
}
(replace yourtag with what you'd like to specify as the type.)

Re: How to insert tagging (source tag) into the conf file

Posted: Thu Oct 06, 2016 3:51 pm
by dlukinski
rkennedy wrote:I believe you'll actually want to tag it based on the input, on the NLS side.

Simply create a new input like this for port 4446 -


tcp {
    type => 'yourtag'
    port => 3515
    codec => json {
        charset => 'CP1252'
    }
}
(replace yourtag with what you'd like to specify as the type.)
Already had this one

Tried port 3516 instead (opened iptables, created & applied global config), but could not get incoming flow (works with 3515).

Re: How to insert tagging (source tag) into the conf file

Posted: Thu Oct 06, 2016 4:10 pm
by rkennedy
Just to make sure - did you apply configuration after making the change?

What is the output of iptables -L?

Re: How to insert tagging (source tag) into the conf file

Posted: Thu Oct 13, 2016 2:02 pm
by dlukinski
rkennedy wrote:Just to make sure - did you apply configuration after making the change?

What is the output of iptables -L?
Here it is (actually most ports are not present; I am using -S instead which has different values)

[root@fikc-naglsprod01 /]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:rich-cp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:omnisky
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5544
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:krb524
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:upnotifyp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:must-backplane
ACCEPT tcp -- anywhere anywhere state NEW tcp dpts:vrace:sec-t4net-srv
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nsca
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nrpe
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smartcard-port

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@fikc-naglsprod01 /]#
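In the listing above the `ACCEPT ... dpt:smartcard-port` rule (port 3516 in the IANA services list) sits after the catch-all `REJECT`, so iptables never reaches it: a rule appended with `-A` lands at the end of the chain, while `-I INPUT <n>` places it before the reject. The following script, added here and not part of the thread, detects that ordering problem over a constructed `iptables -S INPUT` sample modelled on the listing:

```python
"""Find iptables ACCEPT rules that can never match because an unconditional
REJECT/DROP appears earlier in the same chain (rules are evaluated in order
and evaluation stops at the first terminating target)."""
import re

# Constructed sample in `iptables -S INPUT` form, modelled on the thread's
# listing: the rule for 3515 was inserted before the catch-all REJECT and
# works; the rule for 3516 was appended after it and is dead.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3515 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3516 -j ACCEPT
"""


def parse_rule(line):
    """Return (chain, match_tokens, target) for an `-A` line, else None."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "-A" or "-j" not in tokens:
        return None          # policy lines (-P), comments, blank lines
    j = tokens.index("-j")
    return tokens[1], tokens[2:j], tokens[j + 1]


def shadowed_accepts(text):
    """Return (accept_rule, blocking_rule) pairs for ACCEPT rules placed after
    a catch-all REJECT/DROP (no match conditions) in the same chain."""
    blocker = {}             # chain -> first unconditional terminating rule
    shadowed = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, matches, target = parsed
        if target in ("REJECT", "DROP") and not matches and chain not in blocker:
            blocker[chain] = line
        elif target == "ACCEPT" and chain in blocker:
            shadowed.append((line, blocker[chain]))
    return shadowed


def dead_ports(text):
    """Destination ports whose ACCEPT rule is shadowed, in chain order."""
    ports = []
    for rule, _ in shadowed_accepts(text):
        m = re.search(r"--dport (\d+)", rule)
        if m:
            ports.append(int(m.group(1)))
    return ports


if __name__ == "__main__":
    for rule, blocker in shadowed_accepts(SAMPLE_RULES):
        print(f"dead: {rule}\n  shadowed by: {blocker}")
```

Run it against real output with `iptables -S INPUT | python3 this_script.py` after replacing `SAMPLE_RULES` with `sys.stdin.read()`; a reported port needs its rule moved above the reject (or the rule added to the persisted rules file in the right position) rather than appended again.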

Re: How to insert tagging (source tag) into the conf file

Posted: Thu Oct 13, 2016 2:11 pm
by mcapra
If other ports aren't working, but you can get traffic over 3515 just fine, another option would be to set fields directly in nxlog. You can do this by modifying the <Output> rule like so:


Exec $tags='super_cool_tag';
Here's what my full Output looks like:


<Output out>
    Module om_tcp
    Host 192.168.67.200
    Port 3515

    Exec $tags='super_cool_tag';

    Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec $raw_event = to_json();

    # Uncomment for debug output
    # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

Re: How to insert tagging (source tag) into the conf file

Posted: Tue Dec 20, 2016 9:09 am
by dlukinski
mcapra wrote:If other ports aren't working, but you can get traffic over 3515 just fine, another option would be to set fields directly in nxlog. You can do this by modifying the <Output> rule like so:


Exec $tags='super_cool_tag';
Here's what my full Output looks like:


<Output out>
    Module om_tcp
    Host 192.168.67.200
    Port 3515

    Exec $tags='super_cool_tag';

    Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec $raw_event = to_json();

    # Uncomment for debug output
    # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>
Thank you,
please close this thread