Filtering event logs through nxlog.conf
Posted: Wed Dec 21, 2016 10:31 am
by sgiworks
Hello Team,
Can you have filters set in nxlog.conf on the Nagios Log Server clients, so that we filter the type of events to be forwarded instead of forwarding all the event logs from the clients to the Nagios Log Server?
Regards,
Swapnil
Re: Filtering event logs through nxlog.conf
Posted: Wed Dec 21, 2016 10:33 am
by sgiworks
Attached is the current nxlog file for your reference. Do let us know if you need more details from our end.
Re: Filtering event logs through nxlog.conf
Posted: Wed Dec 21, 2016 11:28 am
by mcapra
You can configure nxlog to discard certain events, yes. If you could provide some sample logs and indicate which events you would like to discard, we can assist with this.
Re: Filtering event logs through nxlog.conf
Posted: Thu Dec 22, 2016 1:10 pm
by sgiworks
We want to discard everything and only allow events with a specific event ID to be pushed. Is it possible?
Re: Filtering event logs through nxlog.conf
Posted: Thu Dec 22, 2016 1:58 pm
by mcapra
That's pretty easy to handle as a Logstash filter. Using the ID 4634 as an example:
Code:
    if [type] == 'eventlog' {
      if [EventID] != '4634' {
        drop{}
      }
    }
If you still wanted to do this from within nxlog, it might look something like this in the Input definition:
Code:
Exec if string($EventID) !~ /^4634/ drop();
Re: Filtering event logs through nxlog.conf
Posted: Thu Dec 22, 2016 3:07 pm
by sgiworks
Yes, we will definitely need nxlog.conf updated, because we don't want the network load of forwarding all the logs from all servers to Nagios Log Server.
We will try the command below and keep you posted.
Exec if string($EventID) !~ /^4634/ drop()
Do you know the log forwarding frequency from nxlog.conf?
Regards,
Swapnil
Re: Filtering event logs through nxlog.conf
Posted: Thu Dec 22, 2016 3:23 pm
by mcapra
Just as an FYI, there was a syntax error in my original post. The line should be as follows for EventID 4634:
Code:
Exec if string($EventID) !~ /^4634/ drop();
sgiworks wrote: Do you know the log forwarding frequency from nxlog.conf?
I don't think you can set a poll frequency for the event log input modules (im_internal or im_vista typically), so it's approximately "whenever the system gets around to the nxlog operations".
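Added example, not part of the thread and not Nagios's shipped configuration: an nxlog.conf Input block that forwards only an allowlist of event IDs, extending the single-ID filter discussed above. The instance name `eventlog`, the Security channel and the IDs 4624 and 4625 are assumptions; the integer comparison matches each ID exactly, whereas the regex /^4634/ also matches longer IDs that begin with 4634.

```conf
# Added example (not from the thread). Assumed: instance name "eventlog",
# the Security channel, and event IDs 4624/4625 alongside the thread's 4634.
<Input eventlog>
    Module  im_msvistalog

    # Source-side filter: Windows returns only the matching records, so
    # everything else is never read by nxlog. The Query value must be one
    # logical line, hence the trailing backslashes.
    Query   <QueryList> \
              <Query Id="0"> \
                <Select Path="Security"> \
                  *[System[(EventID=4624 or EventID=4625 or EventID=4634)]] \
                </Select> \
              </Query> \
            </QueryList>

    # Second check inside nxlog: $EventID is an integer field, so compare it
    # as a number and drop anything that is not on the allowlist.
    Exec    if ($EventID != 4624 and $EventID != 4625 and $EventID != 4634) drop();
</Input>
```

With the Query in place the Exec line is redundant for the Security channel, but it keeps the allowlist enforced if the Query is later widened to other channels or IDs.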