Change the TACACS messages after update to 2.0.3

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
juanmafer
Posts: 16
Joined: Wed Apr 06, 2016 4:45 pm

Change the TACACS messages after update to 2.0.3

Post by juanmafer »

After a Nagios Log Server update to version 2.0.3, records from a TACACS are recorded modified in Elasticsearch. Making a tcpdump, I see that the message arrives OK without modifications, and from the Nagios side it can be verified that it removes the timestamp of the message and replaces the Elasticsearch timestamp with this one.
Is there a possibility that this does not happen?

After updating Nagios Log Server to version 2.0.3, the logs coming from a TACACS are saved modified in Elasticsearch. Doing a tcpdump, I see that the message arrives OK without modifications, and on the Nagios side it can be verified that it removes the timestamp from the message and replaces the Elasticsearch timestamp with it.
Is there a possibility that this does not happen?

[root@localhost ~]# tcpdump 'port 5555' -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

19:12:44.473281 IP 172.31.104.77.newlixengine > 172.31.104.101.personal-agent: UDP, length 246
0x0000: 4500 0112 5487 0000 8011 bc62 ac1f 684d E...T......b..hM
0x0010: ac1f 6865 081b 15b3 00fe beb8 3c33 383e ..he........<38>
0x0020: 4a75 6e20 3231 2032 323a 3132 3a34 3420 Jun.21.22:12:44.
0x0030: 3137 322e 3331 2e31 3034 2e37 3720 4369 172.31.104.77.Ci
0x0040: 7341 4353 5f30 315f 5061 7373 6564 4175 sACS_01_PassedAu
0x0050: 7468 2031 7032 756f 396e 666b 2031 2030 th.1p2uo9nfk.1.0
0x0060: 204d 6573 7361 6765 2d54 7970 653d 4175 .Message-Type=Au
0x0070: 7468 656e 204f 4b2c 5573 6572 2d4e 616d then.OK,User-Nam
0x0080: 653d 6665 726e 616e 6465 6a75 616e 6d2c e=fernandejuanm,
0x0090: 4e41 532d 4950 2d41 6464 7265 7373 3d32 NAS-IP-Address=2
0x00a0: 3030 2e32 362e 3736 2e39 392c 4361 6c6c 00.26.76.99,Call
0x00b0: 6572 2d49 443d 3230 302e 302e 3232 342e er-ID=200.0.224.
0x00c0: 3139 362c 4e41 532d 506f 7274 3d2f 6465 196,NAS-Port=/de
0x00d0: 762f 7674 7930 2c47 726f 7570 2d4e 616d v/vty0,Group-Nam
0x00e0: 653d 4144 4d49 4e53 2c46 696c 7465 7220 e=ADMINS,Filter.
0x00f0: 496e 666f 726d 6174 696f 6e3d 4e6f 2046 Information=No.F
0x0100: 696c 7465 7273 2061 6374 6976 6174 6564 ilters.activated
0x0110: 2e2c .,
^C
Image of Nagios LS output
https://ibb.co/mxcdh8
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: Change the TACACS messages after update to 2.0.3

Post by scottwilkerson »

This should have always done this for syslog messages.
Former Nagios employee
Creator:
Human Design Website
Get Your Human Design Chart
juanmafer
Posts: 16
Joined: Wed Apr 06, 2016 4:45 pm

Re: Change the TACACS messages after update to 2.0.3

Post by juanmafer »

But with the previous version that does not happen. And with other log sources neither ...
I want to set all the timestamps with the Nagios LS clock.
LOG before upload
https://ibb.co/nMFQUo
Last edited by juanmafer on Fri Jun 22, 2018 2:49 pm, edited 1 time in total.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: Change the TACACS messages after update to 2.0.3

Post by scottwilkerson »

This has done this with the syslog input on every version of Nagios Log Server.

If you want to only use Nagios server time you can probably get away with adding a filter like this:

# Remove the timestamp parsed out of the syslog header so @timestamp is not
# overwritten with it and keeps the time the log server received the message.
mutate {
    remove_field => [ "timestamp" ]
}
Which would force it to be re-created.
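As an added example, not code from Nagios Log Server or Logstash, the Python below emulates the two timestamp policies discussed in this thread on the syslog message captured in the tcpdump above: either the device's header timestamp becomes @timestamp (the default behaviour described), or it is dropped so @timestamp stays at receive time, while the original header time is kept in a separate field so clock skew between device and collector remains visible. The sample payload is reconstructed from the ASCII column of the dump, the receive time is constructed, and the field names (device_timestamp, clock_skew_seconds, the parse-failure tag) are hypothetical.

```python
import re
from datetime import datetime, timezone

# Payload reconstructed from the tcpdump above (constructed sample input).
SAMPLE = ("<38>Jun 21 22:12:44 172.31.104.77 CisACS_01_PassedAuth 1p2uo9nfk 1 0 "
          "Message-Type=Authen OK,User-Name=fernandejuanm,NAS-IP-Address=200.26.76.99,"
          "Caller-ID=200.0.224.196,NAS-Port=/dev/vty0,Group-Name=ADMINS,"
          "Filter Information=No Filters activated.,")

# Constructed receive time on the log server (capture shows 19:12:44 local).
RECEIVED_AT = datetime(2018, 6, 21, 19, 12, 44, tzinfo=timezone.utc)

# RFC 3164 header: <PRI>, "Mmm dd HH:MM:SS", hostname, then the free-form message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<message>.*)$", re.S)


def parse_syslog(raw: str, received_at: datetime, keep_device_time: bool = False) -> dict:
    """Parse one RFC 3164 line into an event dict.

    keep_device_time=True  -> @timestamp is the device's header time (the
                              behaviour the thread complains about).
    keep_device_time=False -> the header time is not used for @timestamp, like
                              the suggested remove_field filter, so @timestamp
                              is the time the log server received the message.
    The header time is always kept in device_timestamp (hypothetical field),
    and clock_skew_seconds records receive time minus device time.
    """
    m = SYSLOG_RE.match(raw)
    if not m:
        # Unparseable line: keep it, stamp it with receive time, tag it for review.
        return {"@timestamp": received_at.isoformat(), "message": raw,
                "tags": ["syslog_parse_failure"]}
    pri = int(m["pri"])
    event = {
        "syslog_facility_code": pri // 8,   # <38> -> facility 4 (auth)
        "syslog_severity_code": pri % 8,    # <38> -> severity 6 (info)
        "host": m["host"],
        "message": m["message"],
        "device_timestamp": m["timestamp"],
    }
    # RFC 3164 timestamps carry no year or zone; assume the receiver's year and UTC.
    device_time = datetime.strptime(m["timestamp"], "%b %d %H:%M:%S").replace(
        year=received_at.year, tzinfo=timezone.utc)
    event["@timestamp"] = (device_time if keep_device_time else received_at).isoformat()
    event["clock_skew_seconds"] = (received_at - device_time).total_seconds()
    return event
```

Running parse_syslog(SAMPLE, RECEIVED_AT) on the captured line yields a 3-hour skew between the ACS clock and the collector, which is the kind of discrepancy that is lost when only one of the two timestamps is stored.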