Nagios Log Server 2.0.2 Filtering option
-
SrinivasanNSL
- Posts: 28
- Joined: Wed Oct 18, 2017 4:51 am
Nagios Log Server 2.0.2 Filtering option
Hi Team,
Please find the case details below and let me know if this is a bug in Nagios Log Server.
"When filtering syslog entries, it is usual to create filters with multiple entries, such as ‘Deny and tcp and 443’ for example (this would show up dropped https traffic by the way). When applying this filter it all looks perfectly fine, but when you export the information I found lots of other logs in the file and often the traffic I was looking for wasn’t even there.
It turns out this is down to the search term used and the case of the operand. In order to ensure that *only* the data selected is exported the search term must use uppercase operands. To take the example above, it should now be ‘Deny AND tcp AND 443’."
Re: Nagios Log Server 2.0.2 Filtering option
This appears to be a bug with the export feature - as another test I created a query that returned no results yet I was able to export a file with data. I'll look into this and let you know what I find.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
-
SrinivasanNSL
- Posts: 28
- Joined: Wed Oct 18, 2017 4:51 am
Re: Nagios Log Server 2.0.2 Filtering option
Thanks dienger.
Please let me know your observation.
Re: Nagios Log Server 2.0.2 Filtering option
If you right click the export link, copy the link address, and paste it into notepad, you can change the string used to generate the csv. Changing each and to an AND, and pasting the new url in a browser will download a new csv that contains accurate data. At least on my initial test. Can you confirm on your side? For example, I started with:
http://nls/nagioslogserver/export?limit ... D%7D%5D%7D
and changed it to:
http://nls/nagioslogserver/export?limit ... D%7D%5D%7D
and got the expected results.
-
SrinivasanNSL
- Posts: 28
- Joined: Wed Oct 18, 2017 4:51 am
Re: Nagios Log Server 2.0.2 Filtering option
Hi Deinger,
Thanks for your response. So can we confirm this as a bug, and is there any resolution for it? I don't see a difference in your example URL, can you please explain more?
Re: Nagios Log Server 2.0.2 Filtering option
Correct - I've filed a bug regarding it. The samples may be clearer once they're decoded (https://meyerweb.com/eric/tools/dencoder/):
http://nls/nagioslogserver/export?limit ... ":{"should":[{"query_string":{"query":"syslog and nagios and cmd and 99"}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1525276216445,"to":1525362616445}}}]}}}},"highlight":{"fields":{"*":{}},"fragment_size":2147483647,"pre_tags":["@start-highlight@"],"post_tags":["@end-highlight@"]},"size":250,"sort":[{"@timestamp":{"order":"asc","ignore_unmapped":true}},{"@timestamp":{"order":"asc","ignore_unmapped":true}}]}
http://nls/nagioslogserver/export?limit ... ":{"should":[{"query_string":{"query":"syslog AND nagios AND cmd AND 99"}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1525276216445,"to":1525362616445}}}]}}}},"highlight":{"fields":{"*":{}},"fragment_size":2147483647,"pre_tags":["@start-highlight@"],"post_tags":["@end-highlight@"]},"size":250,"sort":[{"@timestamp":{"order":"asc","ignore_unmapped":true}},{"@timestamp":{"order":"asc","ignore_unmapped":true}}]}
The difference being the query_string:
syslog and nagios and cmd and 99
vs
syslog AND nagios AND cmd AND 99
Note the capitalized logical AND.
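The workaround from the replies above (upper-casing the operators inside `query_string`), as an added Python example that is not Nagios code or part of the original posts: it takes the percent-encoded JSON value from an export link, rewrites each `query_string` query, and re-encodes it. The sample body is constructed and simplified, and the function names are hypothetical.

```python
import json
import re
from urllib.parse import quote, unquote

# Quoted phrases are split out so operators inside them are left alone.
_PHRASE = re.compile(r'("(?:[^"\\]|\\.)*")')
# A boolean operator counts only as a standalone, whitespace-delimited word.
_OPERATOR = re.compile(r'(?<!\S)(and|or|not)(?!\S)', re.IGNORECASE)


def uppercase_operators(query):
    """Return the query with bare and/or/not upper-cased outside quotes."""
    parts = _PHRASE.split(query)
    for i in range(0, len(parts), 2):  # even indexes lie outside quotes
        parts[i] = _OPERATOR.sub(lambda m: m.group(1).upper(), parts[i])
    return "".join(parts)


def fix_body(node):
    """Rewrite every query_string.query found in a decoded search body."""
    if isinstance(node, dict):
        qs = node.get("query_string")
        if isinstance(qs, dict) and isinstance(qs.get("query"), str):
            qs["query"] = uppercase_operators(qs["query"])
        for value in node.values():
            fix_body(value)
    elif isinstance(node, list):
        for value in node:
            fix_body(value)
    return node


def fix_encoded(encoded_json):
    """Decode a percent-encoded JSON value, fix it, and re-encode it."""
    body = fix_body(json.loads(unquote(encoded_json)))
    return quote(json.dumps(body, separators=(",", ":")), safe="")


# Constructed, simplified body modelled on the decoded sample in the thread.
SAMPLE = quote(json.dumps({
    "query": {"bool": {"should": [
        {"query_string": {"query": "syslog and nagios and cmd and 99"}}]}},
    "size": 250,
}), safe="")

if __name__ == "__main__":
    print(unquote(fix_encoded(SAMPLE)))
```

A literal search for the words and, or, not outside quotes is also upper-cased by this rewrite, so put such terms in double quotes first.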
-
SrinivasanNSL
- Posts: 28
- Joined: Wed Oct 18, 2017 4:51 am
Re: Nagios Log Server 2.0.2 Filtering option
Thanks dienger.
Is there any reference number for the bug that you raised? I just want to update my management.
Re: Nagios Log Server 2.0.2 Filtering option
The ID is 13245.
-
SrinivasanNSL
- Posts: 28
- Joined: Wed Oct 18, 2017 4:51 am
Re: Nagios Log Server 2.0.2 Filtering option
Thanks Dienger.
Please let me know if any solution is provided for this bug.
Re: Nagios Log Server 2.0.2 Filtering option
It may take some time for the bug to be fixed. When it is fixed we will update the changelog, which can be viewed here: https://www.nagios.com/downloads/nagios ... hange-log/
Former Nagios employee