No config file found, Nagios LS Trial
Posted: Thu Jan 26, 2017 9:30 am
by SteveO86
Running a Trial of Nagios LS. It was an OVA deployment to VMWare.
I've got some Cisco ASAs sending logs via the default port 5544, however nothing is displaying in the dashboard. When I run tail -n50 /var/log/logstash/logstash.log I see the following:
Error: No config files found: /usr/local/nagioslogserver/logstash/etc/conf.d*
Can you make sure this is a logstash config file?
Re: No config file found, Nagios LS Trial
Posted: Thu Jan 26, 2017 10:48 am
by mcapra
Can you share the output of the following commands executed from the CLI of your Nagios Log Server machine:
ls -al /usr/local/nagioslogserver/logstash/etc/conf.d/
grep '' /usr/local/nagioslogserver/logstash/etc/conf.d/*
cat /etc/sysconfig/logstash
Re: No config file found, Nagios LS Trial
Posted: Thu Jan 26, 2017 12:37 pm
by SteveO86
ls -al /usr/local/nagioslogserver/logstash/etc/conf.d/
total 20
drwxrwxr-x. 2 nagios nagios 4096 Jan 26 13:31 .
drwxrwxr-x. 3 nagios nagios 4096 Nov 15 16:13 ..
-rw-rw-r-- 1 apache apache 636 Jan 26 15:42 000_inputs.conf
-rw-rw-r-- 1 apache apache 987 Jan 26 15:42 500_filters.conf
-rw-rw-r-- 1 apache apache 537 Jan 26 15:42 999_outputs.conf
grep '' /usr/local/nagioslogserver/logstash/etc/conf.d/*
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:# Logstash Configuration File
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:# Dynamically created by Nagios Log Server
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:# Created Thu, 26 Jan 2017 15:42:35 -0500
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:# Global inputs
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:input {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: syslog {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: type => 'syslog'
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: port => 5544
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: tcp {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: type => 'eventlog'
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: port => 3515
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: codec => json {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: charset => 'CP1252'
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: tcp {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: type => 'import_raw'
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: tags => 'import_raw'
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: port => 2056
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: tcp {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: type => 'import_json'
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: tags => 'import_json'
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: port => 2057
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: codec => json
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:}
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:# Local inputs
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:# Logstash Configuration File
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:# Dynamically created by Nagios Log Server
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:# Created Thu, 26 Jan 2017 15:42:35 -0500
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:# Global filters
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:filter {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: if [program] == 'apache_access' {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: grok {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: match => [ 'message', '%{COMBINEDAPACHELOG}']
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: date {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z', 'MMM dd HH:mm:ss', 'ISO8601' ]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: mutate {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: replace => [ 'type', 'apache_access' ]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: convert => [ 'bytes', 'integer' ]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: convert => [ 'response', 'integer' ]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: if [program] == 'apache_error' {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: grok {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: mutate {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: replace => [ 'type', 'apache_error' ]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:}
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:# Local filters
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:# Logstash Configuration File
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:# Dynamically created by Nagios Log Server
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:# Created Thu, 26 Jan 2017 15:42:35 -0500
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:# Required output for Nagios Log Server
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:output {
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf: elasticsearch {
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf: cluster => 'd6a221e3-ae25-4d6a-aa22-4e53977bd47f'
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf: host => 'localhost'
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf: document_type => '%{type}'
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf: node_name => '89b3d3db-a3ec-4fa3-8ff2-85fa59969e4e'
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf: protocol => 'transport'
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf: workers => 4
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:}
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:# Global outputs
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:# Local outputs
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:
[root@localhost ~]# cat /etc/sysconfig/logstash
###############################
# Default settings for logstash
###############################
# Override Java location
#JAVACMD=/usr/bin/java
# Set a home directory
APP_DIR=/usr/local/nagioslogserver
LS_HOME="$APP_DIR/logstash"
# set ES_CLUSTER
ES_CLUSTER=$(cat $APP_DIR/var/cluster_uuid)
# Arguments to pass to java
#LS_HEAP_SIZE="256m"
LS_JAVA_OPTS="-Djava.io.tmpdir=$APP_DIR/tmp"
# Logstash filter worker threads
#LS_WORKER_THREADS=1
# pidfiles aren't used for upstart; this is for sysv users.
#LS_PIDFILE=/var/run/logstash.pid
# user id to be invoked as; for upstart: edit /etc/init/logstash.conf
LS_USER=nagios
LS_GROUP=nagios
# logstash logging
#LS_LOG_FILE=/var/log/logstash/logstash.log
#LS_USE_GC_LOGGING="true"
# logstash configuration directory
LS_CONF_DIR="$LS_HOME/etc/conf.d"
# Open file limit; cannot be overridden in upstart
#LS_OPEN_FILES=2048
# Nice level
#LS_NICE=0
# Increase Filter workers to 4 threads
LS_OPTS=" -w 4"
if [ "x$1" == "xstart" -o "x$1" == "xrestart" -o "x$1" == "xreload" ];then
GET_LOGSTASH_CONFIG_MESSAGE=$( php /usr/local/nagioslogserver/scripts/get_logstash_config.php )
GET_LOGSTASH_CONFIG_RETURN=$?
if [ "$GET_LOGSTASH_CONFIG_RETURN" != "0" ]; then
echo $GET_LOGSTASH_CONFIG_MESSAGE
exit 1
fi
I've verified my devices are sending Syslogs over port 5544 via tcpdump but the application itself does not appear to be picking them up.
Re: No config file found, Nagios LS Trial
Posted: Thu Jan 26, 2017 1:08 pm
by SteveO86
Actually, I think I just got it working.
I had to finish the NTP configuration; the time on the server was ahead by a few hours, so I'm thinking it was discarding syslogs. Since then it's been accepting logs.
Is there a sizing guide I can review somewhere?
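The clock-skew condition SteveO86 describes, worked through as an added example (this is not code from the thread or from Nagios Log Server): parse RFC 3164 syslog lines of the shape a Cisco ASA emits, compare each device timestamp with the receiver's clock, and report which events a "last 15 minutes" dashboard window anchored on the receiver's clock would fail to show. The sample lines, hostnames and addresses are constructed for the example; the RFC 3164 header carries no year and no time zone, so the parser assumes the receiver's year and local time, the same assumption a syslog input has to make.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the RFC 3164 shape a Cisco ASA emits over syslog.
# Made up for this example, not captured from the poster's devices.
SAMPLE_LINES = [
    "<166>Jan 26 10:30:12 asa-edge %ASA-6-302013: Built outbound TCP connection 1 for outside:198.51.100.7/443",
    "<164>Jan 26 10:30:15 asa-edge %ASA-4-106023: Deny tcp src outside:203.0.113.9/51234 dst inside:10.0.0.5/22",
    "<166>Jan 26 10:31:02 asa-edge %ASA-6-302014: Teardown TCP connection 1 for outside:198.51.100.7/443",
    "this line is not syslog at all",
]

# <PRI>Mmm dd HH:MM:SS host message   (RFC 3164 header; the day may be space-padded)
RFC3164_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_rfc3164(line, year):
    """Split an RFC 3164 line into fields. The header has no year and no time
    zone, so the caller supplies the year and the timestamp is read as the
    receiver's local time. Returns None for lines that are not syslog."""
    m = RFC3164_HEADER.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "facility": pri // 8,      # 166 -> 20 (local4)
        "severity": pri % 8,       # 166 -> 6 (informational)
        "timestamp": ts,
        "host": m.group("host"),
        "message": m.group("msg"),
    }


def audit_skew(lines, received_at, window=timedelta(minutes=15),
               max_skew=timedelta(minutes=5)):
    """Compare each event's device timestamp with the receiver's clock.

    An event counts as 'skewed' when device and receiver disagree by more than
    max_skew, and as 'outside_window' when a dashboard query for the last
    `window` of time, anchored at the receiver's clock, would not return it.
    """
    report = {"parsed": 0, "unparsed": 0, "skewed": 0,
              "outside_window": 0, "max_skew_seconds": 0.0}
    for line in lines:
        ev = parse_rfc3164(line, received_at.year)
        if ev is None:
            report["unparsed"] += 1
            continue
        report["parsed"] += 1
        skew = ev["timestamp"] - received_at          # positive: device ahead of receiver
        report["max_skew_seconds"] = max(report["max_skew_seconds"],
                                         abs(skew.total_seconds()))
        if abs(skew) > max_skew:
            report["skewed"] += 1
        if not (received_at - window <= ev["timestamp"] <= received_at):
            report["outside_window"] += 1
    return report


if __name__ == "__main__":
    in_sync = datetime(2017, 1, 26, 10, 32, 0)       # receiver agrees with the ASA
    ahead = in_sync + timedelta(hours=3)             # receiver clock 3 h ahead, before NTP was set up
    print("in sync: ", audit_skew(SAMPLE_LINES, in_sync))
    print("3h ahead:", audit_skew(SAMPLE_LINES, ahead))
```

With the receiver's clock in sync every parsed event lands inside the window and none is flagged; with the receiver three hours ahead all three events are flagged as skewed and all three fall outside a 15-minute window, which is what an empty dashboard over a busy listener looks like. Running the same check against a live capture (tcpdump output fed line by line) tells you whether the fix is NTP on the log server or on the sending devices.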
Re: No config file found, Nagios LS Trial
Posted: Thu Jan 26, 2017 5:35 pm
by rkennedy
Ah - that makes sense. We have a 'general flyer' -
https://assets.nagios.com/handouts/nagi ... -Flyer.pdf
NLS will be pretty RAM-intensive, which is the main requirement. 4 CPUs should be fine. The RAM will vary based on a few factors:
- Amount of data that is open in each index (i.e. amount of data incoming per day).
- How many days you plan on looking back actively (indices can always be re-opened after being closed, but NLS will automatically close them based on your settings in Backup & Maint.).
- How many members are in your cluster.
If you can provide a bit of information about all of that, I can tailor something to suit you.
Re: No config file found, Nagios LS Trial
Posted: Mon Jan 30, 2017 8:40 am
by SteveO86
Sure, thank you for the assistance!
- Per day, that should be around 30-40 GB (no more than 50).
- Ideally we would like to go back at least 2 weeks. A month would be better, but that is something I'm hoping we can eventually expand into.
- # of cluster members: that is something I am open to. I assume more members increases my scalability. I'm not sure how much a single member can handle, so I'm not sure how many members would be needed.
I had a question about members: how do they balance out the workload and storage between them? Right now, all logs are sent to a UDP replicator and then we divvy out the logs from there. Can we send all the logs to a single member, or do I need to distribute the logs to different members based on load?
Re: No config file found, Nagios LS Trial
Posted: Mon Jan 30, 2017 12:00 pm
by rkennedy
We're doing a bit of testing in house currently to see what sort of optimization we can get for the data-to-RAM ratio. My current recommendation is roughly 1.5x-2.5x the amount of data to be open at a time per 1GB of RAM. Generally speaking though, I have seen some systems run fine with 4x-5x, which is why we're currently doing testing.
Let's say you have 30GB per day, and three cluster members with 64GB of RAM each (192GB total). Based on my recommendation, this would allow you to have roughly 14 days of data open at a time (14x30=420).
Going back a month should work too, but it really depends on how far back / how many people are actively looking at a time, which is where my recommendation comes in. It becomes a juggling game of data <-> RAM.
- # of cluster members: that is something I am open to. I assume more members increases my scalability. I'm not sure how much a single member can handle, so I'm not sure how many members would be needed.
My recommendation is three, because of how ELK runs its master / slave setup. The nodes all communicate and distribute data evenly, with one serving as a master to make decisions for everyone. With 3 instances, you can set the min master nodes for election to 2, which will help to avoid a 'split-brain'. (In a two-node cluster, this number is going to be one, and if disconnected for too long they could both run off on their own for whatever reason.) You can always scale out another one, add it to the cluster, and continue on as needed.
I had a question about members: how do they balance out the workload and storage between them? Right now, all logs are sent to a UDP replicator and then we divvy out the logs from there. Can we send all the logs to a single member, or do I need to distribute the logs to different members based on load?
Elasticsearch will distribute the data once it enters the node. If you have at least a two-node system, then you can compare it to a RAID1 type diagram, with a copy always existing on two nodes. Elasticsearch creates a primary shard and a replica shard, and in order to be in a green state both are required to exist. This helps to balance the redundancy / workload between all members. To answer your question: yes, you can send them to a single member and have Elasticsearch distribute them accordingly.
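The sizing rule and the quorum argument in rkennedy's reply, carried through as an added example (not code from the thread, from Nagios or from Elasticsearch). It takes the stated band of 1.5x-2.5x GB of open data per GB of RAM and the 4x-5x he has seen work, reproduces the 30 GB/day, three-node, 64 GB case, and adds the majority rule behind "min master nodes = 2 for three nodes". The disk estimate assumes one replica and ignores compression and index overhead; that simplification is the example's, not the post's.

```python
import math

# rkennedy's rule of thumb, as stated above: roughly 1.5x to 2.5x GB of open
# index data per 1 GB of RAM, with 4x to 5x seen to work on some systems.
RATIO_RECOMMENDED = (1.5, 2.5)
RATIO_OBSERVED_MAX = 5.0


def days_open_range(daily_ingest_gb, nodes, ram_per_node_gb, ratios=RATIO_RECOMMENDED):
    """Whole days of indices that can stay open cluster-wide at the
    conservative and the generous end of the recommended ratio."""
    total_ram = nodes * ram_per_node_gb
    return tuple(math.floor(total_ram * r / daily_ingest_gb) for r in ratios)


def ratio_for_plan(daily_ingest_gb, days_open, nodes, ram_per_node_gb):
    """GB of open data per GB of RAM that a retention plan implies."""
    return daily_ingest_gb * days_open / (nodes * ram_per_node_gb)


def assess_plan(daily_ingest_gb, days_open, nodes, ram_per_node_gb):
    """Place a plan against the recommended band and the observed ceiling."""
    r = ratio_for_plan(daily_ingest_gb, days_open, nodes, ram_per_node_gb)
    if r <= RATIO_RECOMMENDED[1]:
        return "within recommendation"
    if r <= RATIO_OBSERVED_MAX:
        return "above recommendation: seen to work, load-test before relying on it"
    return "beyond anything observed: add RAM or nodes, or close indices sooner"


def disk_per_node_gb(daily_ingest_gb, retention_days, nodes, replicas=1):
    """Index bytes per node with one primary plus `replicas` copies spread
    evenly across the cluster (the RAID1-like layout described above).
    Simplification for the example: no compression, no index overhead."""
    return daily_ingest_gb * retention_days * (1 + replicas) / nodes


def min_master_nodes(master_eligible):
    """Quorum for master election: a strict majority of master-eligible nodes."""
    return master_eligible // 2 + 1


def quorum_analysis(nodes, min_master):
    """Whether a minimum-master-nodes setting rules out split-brain (it must
    be a strict majority), and how many nodes can be lost while the rest
    still reach that number."""
    return {
        "split_brain_safe": min_master > nodes / 2,
        "tolerated_failures": nodes - min_master,
    }


if __name__ == "__main__":
    # The worked case from the reply: 30 GB/day, three 64 GB nodes, 14 days open.
    print("days open at 1.5x / 2.5x:", days_open_range(30, 3, 64))
    print("ratio implied by 14 days:", ratio_for_plan(30, 14, 3, 64))
    print("assessment:", assess_plan(30, 14, 3, 64))
    print("disk per node for 14 days, 1 replica:", disk_per_node_gb(30, 14, 3), "GB")
    print("2 nodes, min_master=1:", quorum_analysis(2, 1))   # stays up, but can split
    print("2 nodes, min_master=2:", quorum_analysis(2, 2))   # safe, but no failure tolerance
    print("3 nodes, min_master=2:", quorum_analysis(3, 2))   # safe and tolerates one loss
```

The three quorum lines are the whole case for a third node: with two nodes you choose between availability (min_master=1, split-brain possible) and safety (min_master=2, any single failure stops elections); with three, min_master=2 gives both. The 14-day plan lands at about 2.19 GB of open data per GB of RAM, inside the recommended band, while a 30-day plan on the same hardware would be about 4.7x, in the "seen to work, test first" zone.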
Re: No config file found, Nagios LS Trial
Posted: Wed Mar 01, 2017 2:10 pm
by tmcdonald
Just checking in since we have not heard from you in a while. Did @rkennedy's post clear things up? Or has the issue been resolved?