Monitor logs on geo location basis

Posted: Mon Mar 12, 2018 6:46 am
by Thanis
Hi,

We have configured the Cisco devices to push syslog to Nagios Log Server as per the recommended steps, and we are successfully receiving the logs generated by the devices.

Instead of the host IP, we would like to view the hostname in the UI for the IPs. What do we need to do?

Moreover, we would like to monitor (dashboard) logs on an entity or location basis, for example floor-wise or building-wise.

Please give us the solution to configure geoip and geoip.location so that we can view the output location-wise.

Re: Monitor logs on geo location basis

Posted: Mon Mar 12, 2018 8:09 am
by mcapra
Filters are the general answer to all of these use cases. Here is a primer on what filters are and how to configure some simple ones:
https://assets.nagios.com/downloads/nag ... ilters.pdf

Thanis wrote: Instead of the host IP, we would like to view the hostname in the UI for the IPs. What do we need to do?
A dns filter rule can do this, assuming all of your Nagios Log Server instances can properly reach your DNS server(s). Here's a thread where that is implemented:
https://support.nagios.com/forum/viewto ... 37&t=40770

And here's the very basic filter rule:

Code:

# reverse-resolve the IP in the "host" field and overwrite it with the PTR name
dns {
    reverse => [ "host" ]
    action => [ "replace" ]
    add_tag => [ "dns" ]
}
This will replace the host field in all of your messages, converting it from an IP address to a DNS resolved hostname.
Thanis wrote: Moreover, we would like to monitor (dashboard) logs on an entity or location basis, for example floor-wise or building-wise.
Without knowing exactly how you're identifying what floor/building a given machine's hostname/address is located in, I can't offer specific advice. You could leverage conditional mutate filters and tagging to, based on the hostname/address, flag messages with specific metadata.

In pseudocode, and assuming you had already figured out how to identify the specific building and floor a message came from, here's a filter rule that tags the 12th floor of the west building as "accounting":

Code:

# [building] and [floor] are assumed to have been populated by an earlier filter
if [building] == 'west' and [floor] == 12 {
    mutate {
        add_tag => [ "accounting" ]
    }
}
Or, instead of tagging, you can leverage an entirely new field by using the add_field setting of the mutate filter. Perhaps something like "department" as the name and "accounting" as the value in the above case.
Thanis wrote: Please give us the solution to configure geoip and geoip.location so that we can view the output location-wise.
Here's a very basic filter rule that applies a geoip filter to the ip field:
https://support.nagios.com/forum/viewto ... 33#p173280

Your actual field name that contains the ip address might be named something other than ip though, like host. The filter will be slightly different depending on which field holds the ip address.
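Pulling the three pieces above into one filter body, as an added example that is not from this thread or from Nagios: it assumes the device IP arrives in the host field, that switch hostnames follow a constructed <site>-<building>-f<floor>-<role> naming convention (e.g. hq-west-f12-sw01), and that the building and floor fields are derived from that name rather than already present.

```logstash
# Added example, not the thread's own config. Field names "host", "host_ip",
# "building", "floor", "department" and the hostname convention are assumptions.

# 1. Keep the raw address before the dns filter overwrites "host", so nothing
#    is lost when a reverse lookup fails (NXDOMAIN, as in the nslookup above).
mutate {
    add_field => { "host_ip" => "%{host}" }
}
dns {
    reverse => [ "host" ]
    action  => "replace"
    add_tag => [ "dns" ]
    # assumption: resolver that holds the in-addr.arpa zone for the device subnets
    nameserver => [ "10.0.0.53" ]   # placeholder, replace with the real resolver
    hit_cache_size    => 4096       # cache successes and failures so every
    failed_cache_size => 4096       # message does not trigger a fresh query
}

# 2. Derive building and floor from the resolved name; floor is cast to an
#    integer so the numeric comparison below works.
if "dns" in [tags] {
    grok {
        match => { "host" => "^%{WORD:site}-%{WORD:building}-f%{INT:floor:int}-%{GREEDYDATA:role}$" }
        tag_on_failure => [ "_no_location" ]
    }
}

# 3. Tag / label by location, as a new field rather than a tag.
if [building] == "west" and [floor] == 12 {
    mutate {
        add_field => { "department" => "accounting" }
    }
}

# 4. geoip is only meaningful for public addresses; RFC 1918 space such as the
#    10.x.x.x devices above is not in the GeoLite database and would only add
#    a _geoip_lookup_failure tag, so skip those.
if [host_ip] !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ {
    geoip {
        source => "host_ip"
        target => "geoip"
    }
}
```

Dashboards can then be filtered on department, building, floor or geoip.location, and the _no_location tag shows which devices do not match the naming convention.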

Re: Monitor logs on geo location basis

Posted: Mon Mar 12, 2018 10:38 am
by Thanis
Many thanks for your reply, will try tomorrow and let you know. Again, thanks for your guidance.

Re: Monitor logs on geo location basis

Posted: Mon Mar 12, 2018 1:36 pm
by cdienger
Please let us know your results after you've had a chance to test : )

Re: Monitor logs on geo location basis

Posted: Tue Mar 13, 2018 2:43 am
by Thanis
cdienger wrote:Please let us know your results after you've had a chance to test : )
I have followed the DNS filter rule but it doesn't change the IP to a hostname.

I have checked the nslookup PF output below:
--------------------------------------------------------------------------------
Output
[root@CQ218MAA ~]# nslookup 10.24x.xx.xxx
Server: 10.2x4.xx.1x
Address: 10.2x4.xx.1x#53

** server can't find xxx.xx.24x.10.in-addr.arpa.: NXDOMAIN
---------------------------------------------------------------------------------
So, I resolved the IP locally by adding a line in the /etc/hosts file. As of now I have used two hosts to resolve.
The picture below depicts the host report and the queried output.

Here, I would like to change the IP to the hostname. I even tried the dns filter rule, which doesn't work out.
As per the report picture (1.PNG), you can find both the IP and the hostname in brackets after I resolved it locally,
but at the same time, when I look at the dashboard and the filtered query, it shows the IP in the host field.
Please provide the solution. Thanks in advance.

Re: Monitor logs on geo location basis

Posted: Tue Mar 13, 2018 12:45 pm
by cdienger
The DNS filter requires a DNS server that is able to do reverse lookups on the hosts' IP addresses, and an /etc/hosts entry will not work for this. The unique hosts feature works differently.

Re: Monitor logs on geo location basis

Posted: Tue Mar 13, 2018 1:57 pm
by Thanis
Thanks for your reply, let me try and I will let you know.

And do you have any document on configuring a Cisco switch to send its geoip or geoip location to NLS?

Re: Monitor logs on geo location basis

Posted: Tue Mar 13, 2018 4:35 pm
by cdienger
We don't have anything specific to that, but adding fields will likely cause it to break syslog format and require custom filters to have the logs parsed properly. Check out the logstash section at https://support.nagios.com/kb/article/n ... ew-98.html which has details on how this can be done.

Re: Monitor logs on geo location basis

Posted: Tue Mar 13, 2018 7:31 pm
by mcapra
cdienger wrote:We don't have anything specific to that, but adding fields will likely cause it to break syslog format and require custom filters to have the logs parsed properly.
And to be clear, this is not a problem that is specific to Nagios Log Server. Certain network device vendors (like Cisco) take liberties with the syslog protocol.

Re: Monitor logs on geo location basis

Posted: Wed Mar 14, 2018 10:04 am
by cdienger
mcapra wrote:
cdienger wrote:We don't have anything specific to that, but adding fields will likely cause it to break syslog format and require custom filters to have the logs parsed properly.
And to be clear, this is not a problem that is specific to Nagios Log Server. Certain network device vendors (like Cisco) take liberties with the syslog protocol.
Absolutely. Thanks for the clarification :)