Determining which Alerts are Disabled because of User Action
Posted: Tue Feb 19, 2019 11:46 am
by MikeMAN987
Hi All,
I wanted to ask if there was a way to determine from either the configuration files or another way to find out all services/hosts that have notifications disabled due to user action and not a template? I know I can look back on the audit log and find out what action was taken (we use this often for historical items), however we have lots of servers that we are monitoring and NOT alerting on by default (i.e. our test/rd environments where we simply want to capture data) as the template disables the alerting, so without a way to find which ones were user initiated it would be a lot (11,000+ checks) to sift through.
Thanks for any insight!!
Regards,
Mike
Re: Determining which Alerts are Disabled because of User Ac
Posted: Tue Feb 19, 2019 2:32 pm
by benjaminsmith
Hi Mike,
I wanted to ask if there was a way to determine from either the configuration files or another way to find out all services/hosts that have notifications disabled due to user action and not a template?
The audit log provides a record of changes to the system such as changes to which host or template, but not that level of detail. However, if it helps, you can query the database to determine which hosts or services have notifications enabled or disabled. The configuration is stored in the nagiosql database.
Let me know if you have any other questions.
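As an added example (not Nagios XI or NagiosQL code, and not something posted in this thread), the script below shows how a query against the nagiosql database can separate hosts whose notifications were switched off on the host object itself from hosts that merely inherit "off" from a template, which is the distinction Mike asked for. It assumes the NagiosQL tri-state convention for notifications_enabled (0 = off, 1 = on, 2 = skip, meaning "take the template's value") and the table and column names tbl_host, tbl_hosttemplate and tbl_lnkHostToHosttemplate; check both assumptions against your own nagiosql schema before trusting the result. SQLite stands in for MySQL so it runs offline with constructed sample rows; the SQL itself is portable.

```python
"""Tell hand-disabled notifications apart from template-inherited ones.

Added example for this thread, not NagiosQL or Nagios XI code. Assumes the
NagiosQL tri-state convention (0 = off, 1 = on, 2 = skip / inherit) and the
table and column names below; verify them against your nagiosql database.
"""
import sqlite3

SKIP = 2  # assumed NagiosQL marker for "inherit the template's value"

# Assumed subset of the NagiosQL schema (the real tables carry many more columns).
SCHEMA = """
CREATE TABLE tbl_host (
    id INTEGER PRIMARY KEY, host_name TEXT, notifications_enabled INTEGER);
CREATE TABLE tbl_hosttemplate (
    id INTEGER PRIMARY KEY, template_name TEXT, notifications_enabled INTEGER);
CREATE TABLE tbl_lnkHostToHosttemplate (
    idMaster INTEGER, idSlave INTEGER, idSort INTEGER);
"""

# Constructed sample data: prod-web01 inherits "on", prod-db01 was switched off
# by hand, rd-box07 inherits "off" from the R&D template, rd-box08 overrides
# that same template back to "on".
SAMPLE = """
INSERT INTO tbl_hosttemplate VALUES (1, 'generic-host', 1), (2, 'rd-no-alert', 0);
INSERT INTO tbl_host VALUES (10, 'prod-web01', 2), (11, 'prod-db01', 0),
                            (12, 'rd-box07', 2), (13, 'rd-box08', 1);
INSERT INTO tbl_lnkHostToHosttemplate VALUES (10, 1, 1), (11, 1, 1),
                                             (12, 2, 1), (13, 2, 1);
"""

# One row per host/template pair, templates in the order NagiosQL applies them.
QUERY = """
SELECT h.host_name, h.notifications_enabled, t.template_name, t.notifications_enabled
FROM tbl_host h
LEFT JOIN tbl_lnkHostToHosttemplate l ON l.idMaster = h.id
LEFT JOIN tbl_hosttemplate t ON t.id = l.idSlave
ORDER BY h.host_name, l.idSort
"""


def build_sample_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def classify_hosts(conn):
    """Map host_name -> (effective, source).

    effective is 'on', 'off' or 'unset'; source is 'host' when the value is
    set on the host object itself (someone edited that host) or the name of
    the first template in the chain that supplies it.
    """
    decided, seen = {}, set()
    for host, own, tpl_name, tpl_value in conn.execute(QUERY):
        seen.add(host)
        if host in decided:
            continue  # an earlier template already settled it
        if own != SKIP:
            decided[host] = ("on" if own else "off", "host")
        elif tpl_value is not None and tpl_value != SKIP:
            decided[host] = ("on" if tpl_value else "off", tpl_name)
    for host in seen - set(decided):
        decided[host] = ("unset", None)  # nothing in the chain sets it
    return decided


def explicitly_disabled(conn):
    """Hosts whose notifications are off because of an edit on the host itself."""
    return sorted(h for h, (eff, src) in classify_hosts(conn).items()
                  if eff == "off" and src == "host")


if __name__ == "__main__":
    db = build_sample_db()
    for host, (eff, src) in sorted(classify_hosts(db).items()):
        print(f"{host:12} notifications={eff:5} set by {src}")
    print("hand-disabled:", explicitly_disabled(db))
```

Against the live system you would replace build_sample_db() with a DB-API connection to the nagiosql database and run the same QUERY; services need the equivalent walk over the service and service-template tables, which this example does not include.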
Re: Determining which Alerts are Disabled because of User Ac
Posted: Tue Feb 19, 2019 4:14 pm
by SteveBeauchemin
If you want to start from this point going forward, you could monitor your log file.
I just started doing this so it is fresh in my mind. I am concerned about turning off notifications, which is permanent, versus Ack'ing alerts which makes more sense as it clears itself after recovery. So I started using a plugin to keep an eye on the log.
From the ConSol Labs site I found check_logfiles and found it to be very useful.
This config file can be tailored to get emails when someone does the bad thing.
$options = 'report=long';
$scriptpath = '/bin';
$protocolretention = '3';
$postscript = 'mailx';
$postscriptparams = '-s Nagios_Audit nagiosalerts@<your-email>.com < $CL_PROTOCOLFILE$';
@searches = ({
    tag => 'audit',
    logfile => '/usr/local/nagiosxi/var/components/auditlog.log',
    criticalpatterns => [
        'Pattern is Critical', # place holder
    ],
    warningpatterns => [
        #'Pattern is Warning', # place holder
        #'ACKNOWLEDGE', # Ack a Service or Host issue
        'NOTIFICATIONS', # Nagios Notification disabled or enabled
        #'FORCED', # Nagios Force a check to run
        #'asqueraded', # User is Masquerading
        #'applied a new configuration', # Updated the Configuration
        #'account has not been setup', # User login attempt but has no account
        #'nvalid username or password', # User login attempt failure
        #'ser logged out', # User manually logged out
    ],
    okpatterns => [
        'Pattern is Okay', # This will override previous critical or warning matches - place holder
    ],
    criticalexceptions => [
        'Pattern is not Critical after all', # This was seen as critical but is not - place holder
    ],
    warningexceptions => [
        'Pattern is not Warning after all', # This was seen as warning but is not - place holder
    ],
    options => 'noperfdata',
});
In my case I actually grab the emails and feed the items I care about to a database so I can open a web page on it.
Service Config Name
svc-NRPE-Linux-Check-Logfile-Scrape-Nagios_Audit
Description
Check Command
/usr/local/nagios/libexec/check_nrpe --unknown-timeout --timeout 120:3 --host $HOSTADDRESS$ --command $ARG1$ $ARG2$ $ARG3$ $ARG4$ $ARG5$ $ARG6$ $ARG7$ $ARG8$
$ARG1$ = check_logfiles
$ARG2$ = -a nagios-auditlog.cfg
NRPE ini entry
command[check_logfiles]=/usr/local/nagios/libexec/check_logfiles.pl --config /usr/local/nagios/libexec/cfg.d/$ARG1$ $ARG2$
I hope this helps.
Steve B
Re: Determining which Alerts are Disabled because of User Ac
Posted: Tue Feb 19, 2019 4:34 pm
by benjaminsmith
Thanks @SteveBeauchemin!
Let us know if you have any other questions.
Re: Determining which Alerts are Disabled because of User Ac
Posted: Mon Feb 25, 2019 11:49 am
by MikeMAN987
Thank you all for the help.
Re: Determining which Alerts are Disabled because of User Ac
Posted: Mon Feb 25, 2019 11:55 am
by MikeMAN987
Where is the default location on the filesystem for the audit log? I read the documentation and can only see it in the Web UI.
Re: Determining which Alerts are Disabled because of User Ac
Posted: Mon Feb 25, 2019 12:25 pm
by benjaminsmith
Hi Mike,
The audit log is stored in the xi_auditlog table in the nagiosxi database. The following command will pull everything from the audit log if you'd like to output this to a file.
echo "SELECT * FROM xi_auditlog\G" | mysql -uroot -pnagiosxi nagiosxi
Let me know if you have any other questions.
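Both approaches in this thread, Steve's check_logfiles watch on auditlog.log and the xi_auditlog dump above, give you a stream of audit entries that still has to be reduced to "which objects does a user currently have silenced". The script below is an added example (not Nagios XI code and not something either poster wrote) of that reduction: keep the NOTIFICATIONS entries, replay them in time order, and report every host or service whose most recent action was a disable, so a later re-enable drops the object again. The line layout, field names and message wording in SAMPLE_LOG are constructed for the example; real auditlog.log entries and the xi_auditlog message column are worded differently, so LINE_RE and MSG_RE must be adapted to what your installation writes.

```python
"""Replay notification audit entries to list objects a user silenced.

Added example for this thread, not Nagios XI code. The entry format below is
constructed; adapt LINE_RE and MSG_RE to the real auditlog.log / xi_auditlog
wording. The replay logic is independent of the format.
"""
import re

# Constructed sample log; the third line is deliberately malformed.
SAMPLE_LOG = """\
[2019-02-19 09:05:12] user=nagiosadmin ip=10.1.2.3 type=NOTIFICATIONS msg=Disabled notifications for host prod-db01
[2019-02-19 09:06:40] user=mike ip=10.1.2.9 type=NOTIFICATIONS msg=Disabled notifications for service prod-web01/HTTP
this line is not an audit entry
[2019-02-19 09:30:01] user=mike ip=10.1.2.9 type=ACKNOWLEDGE msg=Acknowledged problem on service prod-web01/HTTP
[2019-02-20 14:12:55] user=nagiosadmin ip=10.1.2.3 type=NOTIFICATIONS msg=Enabled notifications for host prod-db01
[2019-02-21 08:00:00] user=steve ip=10.1.2.7 type=NOTIFICATIONS msg=Disabled notifications for host rd-box08
"""

# Assumed entry layout (constructed for this example).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"type=(?P<type>\S+) msg=(?P<msg>.*)$"
)
# Assumed message wording for notification changes (constructed for this example).
MSG_RE = re.compile(
    r"^(?P<action>Enabled|Disabled) notifications for (?P<kind>host|service) (?P<obj>\S+)$"
)


def parse_entries(text):
    """Return (entries, skipped): parsed dicts plus the count of unparseable lines."""
    entries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1      # keep going; one bad line must not hide the rest
            continue
        entries.append(m.groupdict())
    return entries, skipped


def currently_user_disabled(text):
    """Objects whose latest NOTIFICATIONS action was 'Disabled'.

    Returns {(kind, name): (user, timestamp)}. Entries are replayed in file
    order, which for an append-only audit log is time order; a later
    'Enabled' for the same object removes it from the result.
    """
    state = {}
    entries, _ = parse_entries(text)
    for e in entries:
        if e["type"] != "NOTIFICATIONS":   # same filter as the check_logfiles pattern
            continue
        m = MSG_RE.match(e["msg"])
        if m is None:
            continue                       # NOTIFICATIONS entry in an unexpected form
        key = (m["kind"], m["obj"])
        if m["action"] == "Disabled":
            state[key] = (e["user"], e["ts"])
        else:
            state.pop(key, None)
    return state


if __name__ == "__main__":
    entries, skipped = parse_entries(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed, {skipped} skipped")
    for (kind, name), (user, ts) in sorted(currently_user_disabled(SAMPLE_LOG).items()):
        print(f"{kind:8} {name:20} disabled by {user} at {ts}")
```

Feeding the file is a matter of passing open(path).read() instead of SAMPLE_LOG; for the database route, build one text line per xi_auditlog row in the same layout before calling it. Note that this only sees changes made through the Nagios XI UI and recorded in the audit log, so anything set directly in the configuration or before logging was enabled will not appear.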
Re: Determining which Alerts are Disabled because of User Ac
Posted: Mon Feb 25, 2019 2:45 pm
by SteveBeauchemin
Admin tab > System Settings > General tab > at the bottom you will see "Write Audit Log to file:"
And a location.
Steve B
Re: Determining which Alerts are Disabled because of User Ac
Posted: Mon Feb 25, 2019 2:58 pm
by benjaminsmith
Thanks again @SteveBeauchemin!
Let me know if you have any other questions.
Re: Determining which Alerts are Disabled because of User Ac
Posted: Mon Feb 25, 2019 3:54 pm
by MikeMAN987
Thank you both! Feel free to lock/close this one.