Nagios Support Forum

Hello Folks,

Has anyone configured Nagios Log Server to archive below reporting needs? Queries/ Alerts / Dashboard

(a) OS log on & log off by Users and privilege accounts (both success & fail events)
(b) User & privilege accounts actions on OS, including:
(c) Failed attempts to access OS resource or files
(d) Success and fail privilege actions
(e) DBA log on & log off to DBMS (both success & fail events)
(f) DBA actions performed within DBMS
(g) Read/write activities on encryption keys (bitlocker & SQL TDE) by a user or admin (non-machine access)
(h) Application level audit trail from a enterprise level applications.
(i) Log in, log out, and configuration changes in the Microsoft Azure management portal
(j) Non-authorized network sources connecting to application environment, i.e. non Customer or vendor IP addresses

Thanks in advance.

Regards,
Swapnil

You should be able to log anything you have access to as text. The Azure management portal would be the one that looks the hardest to me. It looks like you can get some data, but you'd need to figure out a way to automate the process: https://docs.microsoft.com/en-us/azure/ ... ivity-logs

As far as giving you more specific answers, what OSes and DBAs are you using? Logging is going to be different on different systems.

Our main logserver tech should be back in the office tomorrow and he may have more detail on Azure and the other activity.

When you have a lot of things like this to do, it's usually best to have them all as separate forum posts. Having them all together makes it very difficult for techs to jump in and help that may only know a partial answer. If a tech knows an answer to say "e" they can't respond else it will take your post off the dashboard.

Do we have a option to export the collected log at Nagios Log Server?

Need some help with implementing https://github.com/logstash-plugins/logstash-output-csv

sgiworks wrote:Do we have a option to export the collected log at Nagios Log Server?

I believe this is a planned feature. From what I recall, much of the implementation depended on design choices regarding Kibana.

I wrote this thing that can export Elasticsearch query results to CSV, JSON, and plain-text:
https://github.com/mcapra/nagios-nlsexport

So as long as you can strip the raw Elasticsearch query out from a given dashboard, you can pretty much just drop it into the -query argument.

sgiworks wrote:Need some help with implementing https://github.com/logstash-plugins/logstash-output-csv

Were you encountering any sort of errors with this Logstash plugin? You should be able to install it like so: And the documentation is pretty thorough:
https://www.elastic.co/guide/en/logstas ... s-csv.html

But it's worth mentioning that won't allow you to export historical data; Just what is entering the Logstash pipeline.

Did mcapra's post help you?

No File is generated, can you tell me what am I doing wrong here.


[root@IWKSEASPAINLS01 nagios-nlsexport-master]# java -jar nlsexport.jar -host=localhost -date_start=2017.08.23 -date_end=2017.08.23 -output_path=/tmp/export_nls/ -query='{"query":{"query_string":{"query":"EventID:(20 OR 24 OR 25 OR 31 OR 34 OR 35) AND Severity:ERROR AND Channel:\"Microsoft-Windows-WindowsUpdateClient\""}}}' -output_format=csv
Creating directory /tmp/export_nls/nls-export-1503429392520/
[1503429392559] <WARNING> Index not found [logstash-2017.08.23], skipping.
[1503429392559] Completed export of 0 index and 0 documents, took 0 seconds.

Simply put: Try a different date. An index for 2017.08.23 doesn't seem to exist yet. See what -date_start=2017.08.21 -date_end=2017.08.21 churns out.

[root@IWKSEASPAINLS01 nagios-nlsexport-master]# java -jar nlsexport.jar -host=localhost -date_start=2017.08.21 -date_end=2017.08.21 -output_path=/tmp/export_nls/ -query='{"query":{"query_string":{"query":"EventID:(20 OR 24 OR 25 OR 31 OR 34 OR 35) AND Severity:ERROR AND Channel:\"Microsoft-Windows-WindowsUpdateClient\""}}}' -output_format=csv
Creating directory /tmp/export_nls/nls-export-1503432125024/
[1503432125160] Writing data from [logstash-2017.08.21/eventlog].
[============================================================] 100.00% 1ms/? ETA: ?
[1503432126231] Writing data from [logstash-2017.08.21/syslog].
[1503432126394] No results found in [logstash-2017.08.21/syslog]. Skipping it.
[1503432126394] Finished writing data from [logstash-2017.08.21].
[1503432126394] Completed export of 1 index and 8 documents, took 1 seconds.

..Completed export of 1 index and 8 documents, took 1 seconds.

Can you confirm that it exported the data you were looking for?