DNS translation and Severity logging
Posted: Wed Oct 19, 2016 2:32 pm
by Enamejko
Hello,
I would like to ask you for some help here. I have set up Nagios Log Server and am currently collecting logs from Cisco switches in our company.
The first thing I wanted to solve was DNS resolution for host, which is not working currently. I have created a filter and checked reverse DNS lookup; all looks fine, but no go with the FQDN under host:
    dns {
        reverse => [ "host" ]
        action => [ "replace" ]
        add_tag => [ "dns" ]
    }
The second thing is that all the logs from Cisco are translated by Nagios incorrectly.
Severity for all of them is Emergency and even the facility is not visible... see attachment.
Thank you!
Re: DNS translation and Severity logging
Posted: Wed Oct 19, 2016 3:28 pm
by rkennedy
I just tested your filter, and it was applied without issue. Do you have other GROK patterns being applied before it that would affect it? The other thing it could be is that the NLS machine cannot resolve. Are you able to run nslookup ip.here on the IP that isn't resolving? It may just need your local DNS resolvers to use.
[attachment: nls-dnsfilter.PNG]
As for the Cisco logs, could you show us all of your inputs currently configured on the machine? I suspect you're using the default syslog input, which is applying the default syslog filtering. What we'll need to do is alter this, and define a custom grok filter specifically for Cisco.
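The reply above points at the usual failure mode for this filter: the pipeline runs fine, but the box it runs on cannot do the reverse lookup, so the field is silently left as an IP and the "dns" tag never appears. The following is an added example (not code from the thread or from Nagios/Logstash) that models the dns filter's replace semantics with an injectable resolver, so the same check can be exercised offline. The PTR table, the addresses in it and the fake_resolver function are constructed for the example; the assumption that a failed lookup leaves the event untouched and untagged mirrors the filter's documented behaviour.

```python
import socket


def reverse_dns_replace(event, field="host", tag="dns", resolver=socket.gethostbyaddr):
    """Model of the thread's dns filter (reverse => [field], action => replace,
    add_tag => [tag]): on a successful PTR lookup the address in `field` is
    overwritten with the name and `tag` is added; when the lookup fails the
    event passes through unchanged and untagged. (Assumption: this mirrors the
    Logstash filter's behaviour; it is a stand-in, not the filter itself.)"""
    address = event.get(field)
    if not address:
        return event
    try:
        name, _aliases, _addresses = resolver(address)
    except (socket.herror, socket.gaierror, OSError):
        # No PTR record, or the resolver this machine uses is unreachable:
        # the IP stays in place and no tag is added. That is the symptom
        # described in the thread.
        return event
    event[field] = name
    tags = event.setdefault("tags", [])
    if tag not in tags:
        tags.append(tag)
    return event


# Constructed PTR table standing in for the NLS machine's local DNS so the
# example runs offline; the addresses and names are made up.
PTR_TABLE = {
    "10.1.1.10": "sw-core-01.corp.example",
    "10.1.1.11": "sw-edge-02.corp.example",
}


def fake_resolver(address):
    """Same return shape as socket.gethostbyaddr: (name, aliases, addresses)."""
    try:
        return PTR_TABLE[address], [], [address]
    except KeyError:
        raise socket.herror(1, "Unknown host")


def resolve_batch(events, resolver=fake_resolver):
    """Run the filter over a list of events and return (resolved, unresolved)
    counts: events that still carry an IP and no "dns" tag are the ones the
    resolver in use could not answer."""
    resolved = 0
    for ev in events:
        reverse_dns_replace(ev, resolver=resolver)
        if "dns" in ev.get("tags", []):
            resolved += 1
    return resolved, len(events) - resolved


if __name__ == "__main__":
    sample = [{"host": "10.1.1.10"}, {"host": "10.1.1.11"}, {"host": "192.0.2.9"}]
    print(resolve_batch(sample), sample)
```

Swapping fake_resolver for the default socket.gethostbyaddr turns this into the same check rkennedy asks for (can the NLS host itself resolve these addresses?), and an event that comes back with its IP intact and no "dns" tag is the signal that the resolver on that machine is the problem rather than the filter.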
Re: DNS translation and Severity logging
Posted: Thu Oct 20, 2016 4:50 am
by Enamejko
I have only the default GROK patterns. nslookup is working correctly with the FQDN as well as with the IP address.
I was checking the settings and found that the IP and hostname are not correct for my instance. Could that be the issue? How can I change it?
[attachment: 20-10-2016 11-42-18.gif]
INPUT:
[attachment: 20-10-2016 11-48-27.gif]
    syslog {
        type => 'syslog'
        port => 514
    }
Filters:
[attachment: 20-10-2016 11-48-40.gif]
APACHE
    if [program] == 'apache_access' {
        grok {
            match => [ 'message', '%{COMBINEDAPACHELOG}']
        }
        date {
            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z', 'MMM dd HH:mm:ss', 'ISO8601' ]
        }
        mutate {
            replace => [ 'type', 'apache_access' ]
            convert => [ 'bytes', 'integer' ]
            convert => [ 'response', 'integer' ]
        }
    }
    if [program] == 'apache_error' {
        grok {
            match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
        }
        mutate {
            replace => [ 'type', 'apache_error' ]
        }
    }
DNS_Name
    dns {
        reverse => [ "host" ]
        action => [ "replace" ]
        add_tag => [ "dns" ]
    }
Re: DNS translation and Severity logging
Posted: Thu Oct 20, 2016 10:59 am
by rkennedy
Is nslookup working correctly from the NLS machine or from a different one? Just making sure it's using your local resolvers vs. online resolvers. This is usually the culprit, which is why I ask.
As for the Cisco logs, this is the issue. Using syslog as an input applies a filter to it by default. I would change your inputs to be the following -
    tcp {
        port => 514
        type => cisco
    }
    udp {
        port => 514
        type => cisco
    }
Then, for your Cisco logs, apply this GROK filter -
    if [type] == "cisco" {
        grok {
            match => { "message" => "<%{POSINT:pri}>: %{SYSLOGTIMESTAMP:timestamp}: %{GREEDYDATA:systype}: %{GREEDYDATA:sysuer} : %{GREEDYDATA:syslog_message}" }
        }
    }
You may have to modify the match pattern, so that we can get all of your variables -> fields, but I would try this to see what it succeeds in doing. Post a screenshot back after you've made these changes to show us what is being inputted to the message field now, as it should be closer to being proper.
Re: DNS translation and Severity logging
Posted: Thu Oct 20, 2016 11:33 am
by Enamejko
DNS started to work. Don't know what the issue was, but now it is working fine.
Changes I have made to inputs:
[attachment: 20-10-2016 18-25-34.gif]
Changes I have made to filters:
[attachment: 20-10-2016 18-26-25.gif]
For the events, still the same:
[attachment: 20-10-2016 18-29-18.gif]
Thank you
Re: DNS translation and Severity logging
Posted: Thu Oct 20, 2016 1:00 pm
by mcapra
I revised the filter a bit and was able to match the sample message successfully:
    if [type] == 'cisco' {
        grok {
            match => [ "message", "\<%{POSINT:pri}\>%{NUMBER:aux_id}: %{SYSLOGTIMESTAMP:timestamp}: %{GREEDYDATA:systype}: %{GREEDYDATA:syslog_message}" ]
        }
    }
[attachment: 2016_10_20_12_59_54_Dashboard_Nagios_Log_Server.png]
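The pattern mcapra posted extracts the PRI value but stops there; the facility and severity the original poster was missing are derived from that number (PRI = facility * 8 + severity). The following is an added example, not code from the thread or from Nagios/Logstash, that does both steps outside the pipeline: a plain-regex equivalent of that grok pattern, with the grok names expanded by hand (assumption: POSINT and NUMBER as digit runs, SYSLOGTIMESTAMP as "Mon dd HH:MM:SS[.fff]", GREEDYDATA as .*), followed by the RFC 3164 PRI decode. The sample line is constructed in the shape the pattern expects; its sequence number, mnemonic and text are made up.

```python
import re

# Regex equivalent of the grok pattern from the thread (grok names expanded
# by hand; assumption noted in the lead-in).
CISCO_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<aux_id>\d+): "
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?): "
    r"(?P<systype>.*): (?P<syslog_message>.*)$"
)

# RFC 3164 facility (0-23) and severity (0-7) names, indexed by value.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = [
    "emergency", "alert", "critical", "error",
    "warning", "notice", "informational", "debug",
]


def decode_pri(pri):
    """Split a syslog PRI into (facility_name, severity_name).
    PRI = facility * 8 + severity, so facility is the quotient and severity
    the remainder. Out-of-range values are rejected rather than mis-mapped."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_cisco(line):
    """Apply the Cisco pattern and decode the PRI. Returns None when the line
    does not match, which is what a _grokparsefailure tag would signal."""
    m = CISCO_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["pri"] = int(event["pri"])
    event["facility"], event["severity"] = decode_pri(event["pri"])
    return event


# Constructed sample line; only its shape follows the thread's pattern.
SAMPLE = ("<189>45: Oct 20 11:42:18.123: %SYS-5-CONFIG_I: "
          "Configured from console by admin on vty0 (10.0.0.5)")

if __name__ == "__main__":
    print(parse_cisco(SAMPLE))
```

For the sample line the decode gives local7/notice (189 = 23 * 8 + 5), which agrees with the "-5-" level in the Cisco mnemonic. Two points worth knowing when adapting the pattern: with two GREEDYDATA captures separated by ": ", the first one is greedy, so a message body that itself contains ": " ends up split at the last occurrence, and extra text lands in systype; and inside Logstash the same facility/severity decode is what the syslog_pri filter performs on a field, so once pri is extracted the decode does not need a custom pattern.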
LDAP and Alerts
Posted: Wed Oct 26, 2016 10:18 am
by Enamejko
Thank you, it looks like it is working fine now; I was even able to crack the correct grok code for my devices.
Now I am fighting with LDAP and Alerts.
For LDAP, do you have some best practice guide to get it working?
I tried a few manuals I found on the internet but had no success. Until now I have had no issues with LDAP configuration for other tools...
For the Alerts, it looks like everything works fine. I am just not sure if I can use only the macros which are available under Email Templates -> View Macros.
Thank you for your answer
Re: DNS translation and Severity logging
Posted: Wed Oct 26, 2016 2:03 pm
by rkennedy
Could you show us the screenshots for the errors you're having? Usually it works; we do not have any further documentation on it specifically for NLS. There is a guide available for XI, which won't exactly relate, but may help you out slightly.
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
You can use all those macros listed under the View Macros part. There are not any additional ones at this time.
Re: DNS translation and Severity logging
Posted: Thu Nov 03, 2016 12:34 pm
by Enamejko
Please find screenshots with the error and the LDAP settings.
[attachment: 03-11-2016 18-28-14.gif]
[attachment: 03-11-2016 18-30-46.gif]
Thank you.
Re: DNS translation and Severity logging
Posted: Thu Nov 03, 2016 5:03 pm
by rkennedy
What sort of LDAP server are you using in the backend? Are you seeing any logs on the authenticating side that would help track down the issue?