Nagios Support Forum

Currently, according to the Nagios dashboard there are 13 hosts configured to send logs. However, on the Top Sources and Types Dashboard (this dashboard came with NLS) I can only see 10.

I have completed my own investigation and have identified that 10 IPs listed belong to Windows servers and 3 Linux servers are missing.

For one of the missing servers I have already created a dashboard in the past and I can see the activity. Its IP is 136.133.231.211. See screen print attached

Another server should be Nagios LS which I was able to see before and it is no longer listed. Its IP is 136.133.236.12

And there is also a third server IP - 136.133.231.213

I have attached screen prints in the MissingSourcesScreens.docx to illustrate the issue. Please let me know the reason I cannot see all 13 hosts.

The 136.133.231.211 indicated in your 'top talkers' only has 7k results, where as your top talkers minimum at at 45k. I would apply a different filter of sorts if you're after the linux ones, perhaps with a filter of type=syslog.

1. I do not have any filtering for 136.133.231.211 - only 24hr. Please explain what filtering you are referring
2. Please advise on the reason another 2 server are still missing

1. In the first screen shot, it only has 7k counts, and the list is only going to show 10 results. Please see the screenshot you posted which has an explicit filter for host.raw for 136.135.231.211. 2. If you are only looking at the top talkers, then my guess is they have less than 45k records so it is the same case. What happens when you explicitly filter for these hosts?

I have attached screen prints from Top Sources and Types. I do not see 7k counts. Please advise.

When I filter on the hosts I still do not see the missing ones including 136.133.231.211. Only 10 hosts. See the same attachment

The first screenshot ends at 18k now, which would put 136.133.231.211 well below the mark.

The second one only shows the count up to 250, with what is present in the current data set, the IP simply is not in this data set.

Please excuse all my questions since I am new to NLS.

I do not understand what are you referring to as 7K and 18K

If the count up to 250, should I see all 13 hosts

Would it be easier to do a WebEx session to illustrate and troubleshoot

Please see my previous screenshot taken from your screenshot outlining where the 7k is coming from. In 24 hours, you have 7k records for 136.133.231.211.

Now, in the top sources and types, it will only show the top 10 talkers, and that is where the 18k number is coming from. The 250 count can be seen in your screenshots, as Count / 250, where it shows that this information is only for 250 records you're querying / filtering based off of. I do not think a WebEx is necessary for this as this should clear up the confusion. Let me know if you have any further questions.

So my question is - How to see all 13 hosts which I used to see before and not any longer. Should I at least see 136.133.231.211 and Nagios Logs server (136.133.236.12)? What am I missing?

gimeb wrote:Currently, according to the Nagios dashboard there are 13 hosts configured to send logs. However, on the Top Sources and Types Dashboard (this dashboard came with NLS) I can only see 10.

The "Top Hosts" panel on the "Top Sources and Types" dashboard will only ever display a maximum of 10 hosts by default. This value can be adjusted in the panel's settings:
You could ostensibly have this panel display literally every host with it's record count, but that would be impractical for large environments. I imagine upping it to 13 should be fine.

The "Receiving logs from X hosts." information on the main page of Nagios Log Server is always a bit fuzzy and not 100% accurate. Logstash uses ephemeral ports for it's connections so tracking exactly how many machines are connecting is tricky.

gimeb wrote:So my question is - How to see all 13 hosts which I used to see before and not any longer. Should I at least see 136.133.231.211 and Nagios Logs server (136.133.236.12)? What am I missing?

The "Micro Analysis" window will also only display a maximum of 10 entries. This is hard-coded within Kibana itself though so you are unable to change it. If you have 13 total hosts, you will only even see 10 in the "Micro Analysis" window.

If you wanted to find events that have occurred on a specific host, say 136.133.231.211, you could include host:136.133.231.211 in your query in the top search bar.