geoip conflict

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
geoip conflict

Post by benhank »

Hey guys good evening!

So I have a filter (non-input) for my ASA devices that is working like a champ, and it contains an entry for geoip:

Code:

if [type] == 'asa' {
  grok {
    # ASA session-disconnect message; the "Nd " day prefix in Duration is optional
    match => [ 'message', '<%{POSINT:syslog_pri}>%{MONTH} +%{MONTHDAY} %{YEAR} %{TIME}: %%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (%{USERNAME:Group}|%{IP:Group}), Username = %{IPORHOST:username}, IP = %{IP:IPAddress}, Session disconnected. Session Type: %{NOTSPACE:SessionType}, Duration: (%{NUMBER:DurationDays}d ?)?%{NUMBER:DurationHours}h:%{NUMBER:DurationMinutes}m:%{NUMBER:DurationSeconds}s, Bytes xmt: %{INT:BytesTransmitted:int}, Bytes rcv: %{INT:BytesReceived:int}, Reason: %{GREEDYDATA:Reason}' ]
  }
  geoip {
    source => "IPAddress"
  }
}
The problem is that when I create another filter for messages received from my Vidyo servers:

Code:

if [host] == '172.30.100.226' {
  grok {
    match => { "message" => "result=\"%{WORD:result}\" ip=\"%{IP:IP}\" action=\"%{WORD:action}\" params=\"Username: %{USER:params}\" user=\"%{USER:user}\" tenant=\"%{WORD:tenant}\"" }
    match => { "message" => "result=\"%{WORD:result}\" ip=\"%{IP:IP}\" action=\"%{WORD:action}\" params=\"Username=%{USER:params}\" user=\"%{USER:user}\" tenant=\"%{WORD:tenant}\"" }
  }
  geoip {
    source => "IP"
  }
}
I can't do an Apply Config. I get an error stating:

Code:

= '172.30.100.226' {\n    \n    grok {\n    \n    match => { \"message\" => \"result=\\\"%{WORD:result}\\\" ip=\\\"%{IP:IP}\\\" action=\\\"%{WORD:action}\\\" params=\\\"Username: %{USER:params}\\\" user=\\\"%{USER:user}\\\" tenant=\\\"%{WORD:tenant}\\\"\"}\n    match => { \"message\" => \"result=\\\"%{WORD:result}\\\" ip=\\\"%{IP:IP}\\\" action=\\\"%{WORD:action}\\\" params=\\\"Username=%{USER:params}\\\" user=\\\"%{USER:user}\\\" tenant=\\\"%{WORD:tenant}\\\"\"}\n    geoip ", :level=>:fatal}
I suspect that the two entries are conflicting with each other, but I don't know how to fix it.
Proudly running:
NagiosXI 5.4.12 2 node Prod Env 2500 hosts, 13,000 services
Nagiosxi 5.5.7(test env) 2500 hosts, 13,000 services
Nagios Logserver 2 node Prod Env 500 objects sending
Nagios Network Analyser
Nagios Fusion
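Grok expressions like the two above can be checked offline before an Apply Config with a small grok emulator. The script below is an added example and is not code from the original post, from Nagios Log Server or from Logstash: it compiles `%{NAME:field:type}` references (including nested ones, and a field repeated across alternatives such as `(%{USERNAME:Group}|%{IP:Group})`) to Python `re` named groups on top of a constructed, simplified copy of the stock pattern definitions, tries several patterns in order the way grok does, and runs the ASA session-disconnect pattern and both Vidyo patterns over constructed sample lines. The pattern library and the sample lines are assumptions, not data from the page; the ASA pattern is written with `%{NUMBER:DurationDays}` fully braced, and `missing_brace_breaks_long_sessions()` shows that dropping that opening brace still compiles but silently fails every session longer than a day.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed, simplified subset of the stock grok-patterns library; the real
# definitions use lookarounds and atomic groups that Python's re lacks.
GROK_PATTERNS: Dict[str, str] = {
    "INT": r"(?:[+-]?[0-9]+)", "POSINT": r"\b[1-9][0-9]*\b",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+))",
    "WORD": r"\b\w+\b", "NOTSPACE": r"\S+", "DATA": r".*?", "GREEDYDATA": r".*",
    "USERNAME": r"[a-zA-Z0-9._-]+", "USER": r"%{USERNAME}",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",  # IPv4 only
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z.-]*\b", "IPORHOST": r"(?:%{IP}|%{HOSTNAME})",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])", "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9]:(?:[0-5][0-9]|60)",
}
_REF = re.compile(r"%\{(\w+)(?::(\w+))?(?::(\w+))?\}")  # %{NAME}, %{NAME:field[:type]}


class Grok:
    """One grok expression compiled to a Python regex. Every capture gets a
    unique internal group name mapped back to its grok field, so a field may
    appear in several alternatives, e.g. (%{USERNAME:Group}|%{IP:Group})."""

    def __init__(self, expression: str) -> None:
        self._fields: List[Tuple[str, str, Optional[str]]] = []  # (group, field, type)
        self.regex = re.compile(self._expand(expression))

    def _expand(self, expr: str) -> str:
        def repl(m) -> str:
            name, field, ftype = m.groups()
            body = self._expand(GROK_PATTERNS[name])  # resolve nested %{...} first
            if field is None:
                return f"(?:{body})"
            self._fields.append((f"g{len(self._fields)}", field, ftype))
            return f"(?P<{self._fields[-1][0]}>{body})"
        return _REF.sub(repl, expr)

    def match(self, line: str) -> Optional[Dict[str, object]]:
        """Unanchored search like grok; None is what becomes _grokparsefailure."""
        m = self.regex.search(line)
        if m is None:
            return None
        out: Dict[str, object] = {}
        for group, field, ftype in self._fields:
            value = m.group(group)
            if value is not None and field not in out:  # skip untaken alternatives
                out[field] = int(value) if ftype == "int" else value
        return out


def grok_first_match(line: str, groks: List[Grok]) -> Optional[Dict[str, object]]:
    """Several patterns for one field: grok tries them in order and stops at
    the first hit (break_on_match => true, the default)."""
    return next((f for f in (g.match(line) for g in groks) if f is not None), None)


# The post's ASA session-disconnect pattern, with the day group fully braced.
ASA_DISCONNECT = (
    "<%{POSINT:syslog_pri}>%{MONTH} +%{MONTHDAY} %{YEAR} %{TIME}: "
    "%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: "
    "Group = (%{USERNAME:Group}|%{IP:Group}), Username = %{IPORHOST:username}, "
    "IP = %{IP:IPAddress}, Session disconnected. Session Type: %{NOTSPACE:SessionType}, "
    "Duration: (%{NUMBER:DurationDays}d ?)?%{NUMBER:DurationHours}h:"
    "%{NUMBER:DurationMinutes}m:%{NUMBER:DurationSeconds}s, Bytes xmt: "
    "%{INT:BytesTransmitted:int}, Bytes rcv: %{INT:BytesReceived:int}, Reason: %{GREEDYDATA:Reason}"
)
# The post's two Vidyo patterns: the "Username: x" and "Username=x" variants.
VIDYO_PATTERNS = [
    'result="%{WORD:result}" ip="%{IP:IP}" action="%{WORD:action}" '
    'params="Username: %{USER:params}" user="%{USER:user}" tenant="%{WORD:tenant}"',
    'result="%{WORD:result}" ip="%{IP:IP}" action="%{WORD:action}" '
    'params="Username=%{USER:params}" user="%{USER:user}" tenant="%{WORD:tenant}"',
]

# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
ASA_WITH_DAYS = ("<166>Feb 21 2019 11:41:36: %ASA-4-113019: Group = vpnusers, "
                 "Username = jdoe, IP = 203.0.113.45, Session disconnected. "
                 "Session Type: AnyConnect-Parent, Duration: 1d 2h:03m:14s, "
                 "Bytes xmt: 12345, Bytes rcv: 67890, Reason: User Requested")
ASA_NO_DAYS = ASA_WITH_DAYS.replace("1d 2h:03m:14s", "0h:05m:09s")
VIDYO_COLON = ('result="success" ip="198.51.100.7" action="login" '
               'params="Username: alice" user="alice" tenant="Default"')
VIDYO_EQUALS = VIDYO_COLON.replace("Username: alice", "Username=bob").replace('user="alice"', 'user="bob"')


def parse_samples() -> Dict[str, Optional[Dict[str, object]]]:
    asa, vidyo = Grok(ASA_DISCONNECT), [Grok(p) for p in VIDYO_PATTERNS]
    return {"asa_with_days": asa.match(ASA_WITH_DAYS), "asa_no_days": asa.match(ASA_NO_DAYS),
            "vidyo_colon": grok_first_match(VIDYO_COLON, vidyo),
            "vidyo_equals": grok_first_match(VIDYO_EQUALS, vidyo),
            "unrelated": grok_first_match("Feb 21 2019 sshd[12]: unrelated line", vidyo)}


def missing_brace_breaks_long_sessions() -> Tuple[bool, bool]:
    """Drop the opening brace of the day group, as in %NUMBER:DurationDays}: grok
    still compiles, treating that text as a literal, so sessions under a day parse
    and sessions over a day silently fail. Returns (with_days_ok, no_days_ok)."""
    buggy = Grok(ASA_DISCONNECT.replace("%{NUMBER:DurationDays}", "%NUMBER:DurationDays}"))
    return buggy.match(ASA_WITH_DAYS) is not None, buggy.match(ASA_NO_DAYS) is not None


if __name__ == "__main__":
    for name, fields in parse_samples().items():
        print(name, fields)
    print("day-group typo (with days, without days):", missing_brace_breaks_long_sessions())
```

Run the file directly: each sample prints its field dictionary, with `None` standing in for the `_grokparsefailure` tag that Logstash would add. For anything beyond a quick pattern check, use the stock pattern files, since the `IP`, `HOSTNAME` and `NUMBER` definitions here are deliberately simplified (IPv4 only, no lookarounds).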
Re: geoip conflict

Post by scottwilkerson »

You were putting your match in { instead of [

Try this

Code:

if [host] == '172.30.100.226' {
  grok {
    match => [ "message" => "result=\"%{WORD:result}\" ip=\"%{IP:IP}\" action=\"%{WORD:action}\" params=\"Username: %{USER:params}\" user=\"%{USER:user}\" tenant=\"%{WORD:tenant}\"" ]
    match => [ "message" => "result=\"%{WORD:result}\" ip=\"%{IP:IP}\" action=\"%{WORD:action}\" params=\"Username=%{USER:params}\" user=\"%{USER:user}\" tenant=\"%{WORD:tenant}\"" ]
  }
  geoip {
    source => "IP"
  }
}
Former Nagios employee
Creator:
Human Design Website
Get Your Human Design Chart
Re: geoip conflict

Post by benhank »

That didn't pan out:

Code:

{:timestamp=>"2019-02-21T11:41:36.193000-0500", :message=>"The given configuration is invalid. Reason: Expected one of #, {, ,, ] at line 556, column 26 (byte 21580) after filter {\n    if [type] == 'asa' {\n      grok{\n        match => [ 'message', '<%{POSINT:syslog_pri}>%{MONTH} +%{MONTHDAY} %{YEAR} %{TIME}: %%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (%{USERNAME:Group}|%{IP:Group}), Username = %{IPORHOST:username}, IP = %{IP:IPAddress}, Session disconnected. Session Type: %{NOTSPACE:SessionType}, Duration: (%NUMBER:DurationDays}d ?)?%{NUMBER:DurationHours}h:%{NUMBER:DurationMinutes}m:%{NUMBER:DurationSeconds}s, Bytes xmt: %{INT:BytesTransmitted:int}, Bytes rcv: %{INT:BytesReceived:int}, Reason: %{GREEDYDATA:Reason}' ]\n    }\n    geoip {\n    database => \"/usr/share/GeoIP/GeoLiteCity.dat\"\n    source => \"IPAddress\"\n    }\n    }\n    if [program] == 'apache_access' {\n        grok {\n            match => [ 'message', '%{COMBINEDAPACHELOG}']\n        }\n        date {\n            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]\n        }\n        mutate {\n            replace => [ 'type', 'apache_access' ]\n             convert => [ 'bytes', 'integer' ]\n             convert => [ 'response', 'integer' ]\n        }\n    }\n     \n    if [program] == 'apache_error' {\n        grok {\n            match => [ 'message', '\\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\\] \\[%{WORD:class}\\] \\[%{WORD:originator} %{IP:clientip}\\] %{GREEDYDATA:errmsg}']\n        }\n        mutate {\n            replace => [ 'type', 'apache_error' ]\n        }\n    }\n        if [program] == \"mysqld_log\" {\n            grok {\n                match => [ \"message\", \"^%{NUMBER:date} *%{NOTSPACE:time}\"]\n            }\n            mutate {\n                replace => [ \"type\", \"mysqld_log\" ]\n            }\n        }\n    if [program] == 'nagios_core' {\n    \tgrok {\n    \t\tmatch => [ 'message', 
'\\[%{NUMBER:epoch_timestamp}\\] %{GREEDYDATA:message}' ]\n    \t\toverwrite => [ 'message' ]\n    \t}\n    \tif [message] =~ /^Warning:|Error:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA:nagios_severity_label}: %{GREEDYDATA}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /check\\sof\\shost|check\\sfor\\shost|host\\scheckresult\\sfor|Passive\\scheck\\sresult\\swas\\sreceived\\sfor\\shost/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA} \\'%{DATA:nagios_host}\\'%{GREEDYDATA}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /service.*on\\shost|Service\\s\\'/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA} \\'%{DATA:nagios_service}\\' %{DATA} \\'%{DATA:nagios_host}\\'' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /wproc:/ {\n    \t\tif [message] =~ /host=.*;\\sservice=/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA}host=%{DATA:nagios_host}; service=%{DATA:nagios_service};' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /job.*return\\scode/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA}: %{DATA:nagios_job} job%{DATA} return code %{NUMBER:nagios_return_code}' ]\n    \t\t\t}\n    \t\t}\n    \t}\n    \tif [message] =~ /Return\\scode\\sof/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA} %{NUMBER:nagios_return_code} %{GREEDYDATA}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /Host\\s\\'|results\\sof\\shost\\s'/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA} \\'%{DATA:nagios_host}\\' %{GREEDYDATA}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /^HOST\\sALERT:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_host_state};%{NUMBER:nagios_host_attempt};%{GREEDYDATA:nagios_host_output}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /^SERVICE\\sALERT:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA:nagios_severity_label}: 
%{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_service_state};%{NUMBER:nagios_service_attempt};%{GREEDYDATA:nagios_service_output}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /^CURRENT\\sHOST\\sSTATE:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_host_state};%{NUMBER:nagios_host_attempt};%{GREEDYDATA:nagios_host_output}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /^CURRENT\\sSERVICE\\sSTATE:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_service_state};%{NUMBER:nagios_service_attempt};%{GREEDYDATA:nagios_service_output}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /^HOST\\sNOTIFICATION:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_contact};%{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_command};%{GREEDYDATA:nagios_host_output}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /^SERVICE\\sNOTIFICATION:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_contact};%{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_command};%{GREEDYDATA:nagios_service_output}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /DOWNTIME\\sALERT:/ {\n    \t\tif [message] =~ /^HOST\\sDOWNTIME/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_downtime_state};' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /^SERVICE\\sDOWNTIME/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_downtime_state};' ]\n    \t\t\t}\n    \t\t}\n    \t}\n    \tif [message] =~ /FLAPPING\\sALERT:/ {\n    \t\tif [message] =~ /^HOST\\sFLAPPING/ {\n    \t\t\tgrok {\n    
\t\t\t\tmatch => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_flapping_state};' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /^SERVICE\\sFLAPPING/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_flapping_state};' ]\n    \t\t\t}\n    \t\t}\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA}\\(%{NUMBER:nagios_flapping_value}%{DATA}%{NUMBER:nagios_flapping_threshold}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /HOST\\sEVENT\\sHANDLER:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA}: %{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_host_state};%{NUMBER:nagios_host_attempt};%{GREEDYDATA:nagios_command}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /SERVICE\\sEVENT\\sHANDLER:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_service_state};%{NUMBER:nagios_service_attempt};%{GREEDYDATA:nagios_command}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /contact\\s\\'|Contact\\s\\'/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA} \\'%{DATA:nagios_contact}\\'' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /^EXTERNAL\\sCOMMAND:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA}: %{DATA:nagios_external_command};%{GREEDYDATA}' ]\n    \t\t}\n    \t\tif [message] =~ /DEL_ALL_HOST_COMMENTS|ABLE_ALL_NOTIFICATIONS_BEYOND_HOST|ABLE_HOST_AND_CHILD_NOTIFICATION|ABLE_HOST_CHECK|ABLE_HOST_EVENT_HANDLER|ABLE_HOST_FLAP_DETECTION|ABLE_HOST_SVC_CHECKS|ABLE_HOST_SVC_NOTIFICATIONS|ABLE_PASSIVE_HOST_CHECKS|REMOVE_HOST_ACKNOWLEDGEMENT|_OBSESSING_OVER_HOST/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{GREEDYDATA:nagios_host}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ 
/DEL_ALL_SVC_COMMENTS|ABLE_PASSIVE_SVC_CHECKS|ABLE_SVC_CHECK|ABLE_SVC_EVENT_HANDLER|ABLE_SVC_FLAP_DETECTION|ABLE_SVC_NOTIFICATIONS|REMOVE_SVC_ACKNOWLEDGEMENT|_OBSESSING_OVER_SVC/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_service}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SCHEDULE_FORCED_HOST_CHECK|SCHEDULE_FORCED_HOST_SVC_CHECKS|SCHEDULE_HOST_CHECK|SCHEDULE_HOST_SVC_CHECKS/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_epoch_check_time}' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_check_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_check_time'\n    \t\t\t\tremove_field => [ 'nagios_epoch_check_time' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SCHEDULE_FORCED_SVC_CHECK|SCHEDULE_SVC_CHECK/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_epoch_check_time}' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_check_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_check_time'\n    \t\t\t\tremove_field => [ 'nagios_epoch_check_time' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SCHEDULE_AND_PROPAGATE_HOST_DOWNTIME|SCHEDULE_AND_PROPAGATE_TRIGGERED_HOST_DOWNTIME|SCHEDULE_HOST_DOWNTIME|SCHEDULE_HOST_SVC_DOWNTIME/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_start_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_downtime_start'\n    \t\t\t\tremove_field => [ 'nagios_epoch_start_time' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_end_time', 'UNIX' ]\n    \t\t\t\ttarget => 
'nagios_downtime_end'\n    \t\t\t\tremove_field => [ 'nagios_epoch_end_time' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SCHEDULE_SVC_DOWNTIME/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_start_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_downtime_start'\n    \t\t\t\tremove_field => [ 'nagios_epoch_start_time' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_end_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_downtime_end'\n    \t\t\t\tremove_field => [ 'nagios_epoch_end_time' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SCHEDULE_HOSTGROUP_HOST_DOWNTIME|SCHEDULE_HOSTGROUP_SVC_DOWNTIME/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_hostgroup};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_start_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_downtime_start'\n    \t\t\t\tremove_field => [ 'nagios_epoch_start_time' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_end_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_downtime_end'\n    \t\t\t\tremove_field => [ 'nagios_epoch_end_time' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SCHEDULE_SERVICEGROUP_HOST_DOWNTIME|SCHEDULE_SERVICEGROUP_SVC_DOWNTIME/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', 
'%{DATA};%{DATA:nagios_servicegroup};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_start_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_downtime_start'\n    \t\t\t\tremove_field => [ 'nagios_epoch_start_time' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_end_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_downtime_end'\n    \t\t\t\tremove_field => [ 'nagios_epoch_end_time' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SEND_CUSTOM_HOST_NOTIFICATION/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_notification_options};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SEND_CUSTOM_SVC_NOTIFICATION/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_notification_options};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /ADD_HOST_COMMENT/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /ADD_SVC_COMMENT/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /ACKNOWLEDGE_HOST_PROBLEM/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_sticky};%{INT:nagios_notify};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ 
/ACKNOWLEDGE_SVC_PROBLEM/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_sticky};%{INT:nagios_notify};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /DEL_HOST_COMMENT|DEL_SVC_COMMENT/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{NUMBER:nagios_comment_id}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /DEL_HOST_DOWNTIME|DEL_SVC_DOWNTIME/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{NUMBER:nagios_downtime_id}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /DELAY_HOST_NOTIFICATION/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_epoch_notification_time}' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_notification_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_notification_time'\n    \t\t\t\tremove_field => [ 'nagios_epoch_notification_time' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /DELAY_SVC_NOTIFICATION/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_epoch_notification_time}' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_notification_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_notification_time'\n    \t\t\t\tremove_field => [ 'nagios_epoch_notification_time' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /ABLE_CONTACTGROUP_HOST_NOTIFICATIONS|ABLE_CONTACTGROUP_SVC_NOTIFICATIONS/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{GREEDYDATA:nagios_contactgroup}' ]\n    \t\t\t}\t\t\t\n    \t\t}\n    \t\tif [message] =~ /ABLE_CONTACT_HOST_NOTIFICATIONS|ABLE_CONTACT_SVC_NOTIFICATIONS/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{GREEDYDATA:nagios_contact}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ 
/ABLE_HOSTGROUP_HOST_CHECKS|ABLE_HOSTGROUP_HOST_NOTIFICATIONS|ABLE_HOSTGROUP_PASSIVE_HOST_CHECKS|ABLE_HOSTGROUP_PASSIVE_SVC_CHECKS|ABLE_HOSTGROUP_SVC_CHECKS|ABLE_HOSTGROUP_SVC_NOTIFICATIONS/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{GREEDYDATA:nagios_hostgroup}' ]\n    \t\t\t}\t\t\t\n    \t\t}\n    \t\tif [message] =~ /ABLE_SERVICEGROUP_HOST_CHECKS|ABLE_SERVICEGROUP_HOST_NOTIFICATIONS|ABLE_SERVICEGROUP_PASSIVE_HOST_CHECKS|ABLE_SERVICEGROUP_PASSIVE_SVC_CHECKS|ABLE_SERVICEGROUP_SVC_CHECKS|ABLE_SERVICEGROUP_SVC_NOTIFICATIONS/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{GREEDYDATA:nagios_servicegroup}' ]\n    \t\t\t}\t\t\t\n    \t\t}\n    \t\tif [message] =~ /PROCESS_FILE/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_process_file};%{GREEDYDATA:nagios_process_file_delete}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /PROCESS_HOST_CHECK_RESULT/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_host_status_code};%{GREEDYDATA:nagios_host_output}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /PROCESS_SERVICE_CHECK_RESULT/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_service_status_code};%{GREEDYDATA:nagios_service_output}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SET_HOST_NOTIFICATION_NUMBER/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_notification_number}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SET_SVC_NOTIFICATION_NUMBER/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_notification_number}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_CONTACT_HOST_NOTIFICATION_TIMEPERIOD|CHANGE_CONTACT_SVC_NOTIFICATION_TIMEPERIOD/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', 
'%{DATA};%{DATA:nagios_contact};%{GREEDYDATA:nagios_timeperiod}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_CONTACT_MOD/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_contact};%{GREEDYDATA:nagios_attribute_value}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_CUSTOM_CONTACT_VAR/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_contact};%{DATA:nagios_variable_name};%{GREEDYDATA:nagios_variable_value}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_CUSTOM_HOST_VAR/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_variable_name};%{GREEDYDATA:nagios_variable_value}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_CUSTOM_SVC_VAR/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_variable_name};%{GREEDYDATA:nagios_variable_value}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_GLOBAL_HOST_EVENT_HANDLER|CHANGE_GLOBAL_SVC_EVENT_HANDLER/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{GREEDYDATA:nagios_command}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_HOST_CHECK_COMMAND|CHANGE_HOST_EVENT_HANDLER/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_command}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_SVC_CHECK_COMMAND|CHANGE_SVC_EVENT_HANDLER/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_command}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_HOST_CHECK_TIMEPERIOD|CHANGE_HOST_NOTIFICATION_TIMEPERIOD/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_timeperiod}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_SVC_CHECK_TIMEPERIOD|CHANGE_SVC_NOTIFICATION_TIMEPERIOD/ {\n    
\t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_timeperiod}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_HOST_MODATTR/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_attribute_value}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_SVC_MODATTR/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_attribute_value}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_MAX_HOST_CHECK_ATTEMPTS/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_max_check_attempts}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_MAX_SVC_CHECK_ATTEMPTS/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_max_check_attempts}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_NORMAL_HOST_CHECK_INTERVAL/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_check_interval}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_NORMAL_SVC_CHECK_INTERVAL/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_check_interval}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_RETRY_HOST_CHECK_INTERVAL/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_retry_interval}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_RETRY_SVC_CHECK_INTERVAL/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_retry_interval}' ]\n    \t\t\t}\n    \t\t}\n    \t}\n    \tif [message] =~ /External\\scommand\\sfailed/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA}-> 
%{DATA:nagios_external_command};' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /Nagios.*starting/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA} (?<nagios_version>%{INT}\\.%{INT}\\.%{INT}) %{GREEDYDATA}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /timed\\sout\\safter/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA} timed out after %{NUMBER:nagios_timeout}s' ]\n    \t\t}\n    \t}\n    \tmutate {\n    \t\treplace => [ 'type', 'nagios_core' ]\n    \t}\n    \tdate {\n    \t\tmatch => ['epoch_timestamp', 'UNIX' ]\n    \t}\n    }\n    if [host] == '172.30.100.226' {\n    \n    grok {\n    \n    match => [ \"message\" ", :level=>:fatal}
Re: geoip conflict

Post by scottwilkerson »

Can you send your whole configuration?

Click View -> "All Files Combined"
Re: geoip conflict

Post by benhank »

Here it is:

Code:

# 
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Thu, 21 Feb 2019 12:09:38 -0500
#

#
# Global inputs
#

input {
    syslog {
        type => 'syslog'
        port => 5544
    }
    syslog {
        type => 'syslog'
        port => 514
    }
    tcp {
        type => 'asa'
        port => 6514
    }
    udp {
        type => 'asa'
        port => 6514
    }
    
    tcp {
        type => 'eventlog'
        port => 3515
        codec => json {
            charset => 'CP1252'
        }
    }
    tcp {
        type => 'import_raw'
        tags => 'import_raw'
        port => 2056
    }
    tcp {
        type => 'import_json'
        tags => 'import_json'
        port => 2057
        codec => json
    }
    file {
        path => '/var/log/logstash/logstash.log'
    }
    snmptrap {
        port => 162
        type => snmptrap
    }
    snmptrap {
        port => 161
        type => snmptrap
    }
    snmptrap {
        port => 2381
        type => ilosnmptrap
    }
}

#
# Local inputs
#



#
# Global filters
#

filter {
    if [type] == 'asa' {
        grok {
            # ASA session-disconnect message; the "Nd " day prefix in Duration is optional
            match => [ 'message', '<%{POSINT:syslog_pri}>%{MONTH} +%{MONTHDAY} %{YEAR} %{TIME}: %%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (%{USERNAME:Group}|%{IP:Group}), Username = %{IPORHOST:username}, IP = %{IP:IPAddress}, Session disconnected. Session Type: %{NOTSPACE:SessionType}, Duration: (%{NUMBER:DurationDays}d ?)?%{NUMBER:DurationHours}h:%{NUMBER:DurationMinutes}m:%{NUMBER:DurationSeconds}s, Bytes xmt: %{INT:BytesTransmitted:int}, Bytes rcv: %{INT:BytesReceived:int}, Reason: %{GREEDYDATA:Reason}' ]
        }
        geoip {
            database => "/usr/share/GeoIP/GeoLiteCity.dat"
            source => "IPAddress"
        }
    }
    if [program] == 'apache_access' {
        grok {
            match => [ 'message', '%{COMBINEDAPACHELOG}']
        }
        date {
            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
        }
        mutate {
            replace => [ 'type', 'apache_access' ]
            convert => [ 'bytes', 'integer' ]
            convert => [ 'response', 'integer' ]
        }
    }
     
    if [program] == 'apache_error' {
        grok {
            match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
        }
        mutate {
            replace => [ 'type', 'apache_error' ]
        }
    }
    if [program] == "mysqld_log" {
        grok {
            match => [ "message", "^%{NUMBER:date} *%{NOTSPACE:time}"]
        }
        mutate {
            replace => [ "type", "mysqld_log" ]
        }
    }
    if [program] == 'nagios_core' {
    	grok {
    		match => [ 'message', '\[%{NUMBER:epoch_timestamp}\] %{GREEDYDATA:message}' ]
    		overwrite => [ 'message' ]
    	}
    	if [message] =~ /^Warning:|Error:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{GREEDYDATA}' ]
    		}
    	}
    	if [message] =~ /check\sof\shost|check\sfor\shost|host\scheckresult\sfor|Passive\scheck\sresult\swas\sreceived\sfor\shost/ {
    		grok {
    			match => [ 'message', '%{DATA} \'%{DATA:nagios_host}\'%{GREEDYDATA}' ]
    		}
    	}
    	if [message] =~ /service.*on\shost|Service\s\'/ {
    		grok {
    			match => [ 'message', '%{DATA} \'%{DATA:nagios_service}\' %{DATA} \'%{DATA:nagios_host}\'' ]
    		}
    	}
    	if [message] =~ /wproc:/ {
    		if [message] =~ /host=.*;\sservice=/ {
    			grok {
    				match => [ 'message', '%{DATA}host=%{DATA:nagios_host}; service=%{DATA:nagios_service};' ]
    			}
    		}
    		if [message] =~ /job.*return\scode/ {
    			grok {
    				match => [ 'message', '%{DATA}: %{DATA:nagios_job} job%{DATA} return code %{NUMBER:nagios_return_code}' ]
    			}
    		}
    	}
    	if [message] =~ /Return\scode\sof/ {
    		grok {
    			match => [ 'message', '%{DATA} %{NUMBER:nagios_return_code} %{GREEDYDATA}' ]
    		}
    	}
    	if [message] =~ /Host\s\'|results\sof\shost\s'/ {
    		grok {
    			match => [ 'message', '%{DATA} \'%{DATA:nagios_host}\' %{GREEDYDATA}' ]
    		}
    	}
    	if [message] =~ /^HOST\sALERT:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_host_state};%{NUMBER:nagios_host_attempt};%{GREEDYDATA:nagios_host_output}' ]
    		}
    	}
    	if [message] =~ /^SERVICE\sALERT:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_service_state};%{NUMBER:nagios_service_attempt};%{GREEDYDATA:nagios_service_output}' ]
    		}
    	}
    	if [message] =~ /^CURRENT\sHOST\sSTATE:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_host_state};%{NUMBER:nagios_host_attempt};%{GREEDYDATA:nagios_host_output}' ]
    		}
    	}
    	if [message] =~ /^CURRENT\sSERVICE\sSTATE:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_service_state};%{NUMBER:nagios_service_attempt};%{GREEDYDATA:nagios_service_output}' ]
    		}
    	}
    	if [message] =~ /^HOST\sNOTIFICATION:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_contact};%{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_command};%{GREEDYDATA:nagios_host_output}' ]
    		}
    	}
    	if [message] =~ /^SERVICE\sNOTIFICATION:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_contact};%{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_command};%{GREEDYDATA:nagios_service_output}' ]
    		}
    	}
    	if [message] =~ /DOWNTIME\sALERT:/ {
    		if [message] =~ /^HOST\sDOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_downtime_state};' ]
    			}
    		}
    		if [message] =~ /^SERVICE\sDOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_downtime_state};' ]
    			}
    		}
    	}
    	if [message] =~ /FLAPPING\sALERT:/ {
    		if [message] =~ /^HOST\sFLAPPING/ {
    			grok {
    				match => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_flapping_state};' ]
    			}
    		}
    		if [message] =~ /^SERVICE\sFLAPPING/ {
    			grok {
    				match => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_flapping_state};' ]
    			}
    		}
    		grok {
    			match => [ 'message', '%{DATA}\(%{NUMBER:nagios_flapping_value}%{DATA}%{NUMBER:nagios_flapping_threshold}' ]
    		}
    	}
    	if [message] =~ /HOST\sEVENT\sHANDLER:/ {
    		grok {
    			match => [ 'message', '%{DATA}: %{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_host_state};%{NUMBER:nagios_host_attempt};%{GREEDYDATA:nagios_command}' ]
    		}
    	}
    	if [message] =~ /SERVICE\sEVENT\sHANDLER:/ {
    		grok {
    			match => [ 'message', '%{DATA}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_service_state};%{NUMBER:nagios_service_attempt};%{GREEDYDATA:nagios_command}' ]
    		}
    	}
    	if [message] =~ /contact\s\'|Contact\s\'/ {
    		grok {
    			match => [ 'message', '%{DATA} \'%{DATA:nagios_contact}\'' ]
    		}
    	}
    	if [message] =~ /^EXTERNAL\sCOMMAND:/ {
    		grok {
    			match => [ 'message', '%{DATA}: %{DATA:nagios_external_command};%{GREEDYDATA}' ]
    		}
    		if [message] =~ /DEL_ALL_HOST_COMMENTS|ABLE_ALL_NOTIFICATIONS_BEYOND_HOST|ABLE_HOST_AND_CHILD_NOTIFICATION|ABLE_HOST_CHECK|ABLE_HOST_EVENT_HANDLER|ABLE_HOST_FLAP_DETECTION|ABLE_HOST_SVC_CHECKS|ABLE_HOST_SVC_NOTIFICATIONS|ABLE_PASSIVE_HOST_CHECKS|REMOVE_HOST_ACKNOWLEDGEMENT|_OBSESSING_OVER_HOST/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_host}' ]
    			}
    		}
    		if [message] =~ /DEL_ALL_SVC_COMMENTS|ABLE_PASSIVE_SVC_CHECKS|ABLE_SVC_CHECK|ABLE_SVC_EVENT_HANDLER|ABLE_SVC_FLAP_DETECTION|ABLE_SVC_NOTIFICATIONS|REMOVE_SVC_ACKNOWLEDGEMENT|_OBSESSING_OVER_SVC/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_service}' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_FORCED_HOST_CHECK|SCHEDULE_FORCED_HOST_SVC_CHECKS|SCHEDULE_HOST_CHECK|SCHEDULE_HOST_SVC_CHECKS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_epoch_check_time}' ]
    			}
    			date {
    				match => ['nagios_epoch_check_time', 'UNIX' ]
    				target => 'nagios_check_time'
    				remove_field => [ 'nagios_epoch_check_time' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_FORCED_SVC_CHECK|SCHEDULE_SVC_CHECK/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_epoch_check_time}' ]
    			}
    			date {
    				match => ['nagios_epoch_check_time', 'UNIX' ]
    				target => 'nagios_check_time'
    				remove_field => [ 'nagios_epoch_check_time' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_AND_PROPAGATE_HOST_DOWNTIME|SCHEDULE_AND_PROPAGATE_TRIGGERED_HOST_DOWNTIME|SCHEDULE_HOST_DOWNTIME|SCHEDULE_HOST_SVC_DOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    			date {
    				match => ['nagios_epoch_start_time', 'UNIX' ]
    				target => 'nagios_downtime_start'
    				remove_field => [ 'nagios_epoch_start_time' ]
    			}
    			date {
    				match => ['nagios_epoch_end_time', 'UNIX' ]
    				target => 'nagios_downtime_end'
    				remove_field => [ 'nagios_epoch_end_time' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_SVC_DOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    			date {
    				match => ['nagios_epoch_start_time', 'UNIX' ]
    				target => 'nagios_downtime_start'
    				remove_field => [ 'nagios_epoch_start_time' ]
    			}
    			date {
    				match => ['nagios_epoch_end_time', 'UNIX' ]
    				target => 'nagios_downtime_end'
    				remove_field => [ 'nagios_epoch_end_time' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_HOSTGROUP_HOST_DOWNTIME|SCHEDULE_HOSTGROUP_SVC_DOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_hostgroup};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    			date {
    				match => ['nagios_epoch_start_time', 'UNIX' ]
    				target => 'nagios_downtime_start'
    				remove_field => [ 'nagios_epoch_start_time' ]
    			}
    			date {
    				match => ['nagios_epoch_end_time', 'UNIX' ]
    				target => 'nagios_downtime_end'
    				remove_field => [ 'nagios_epoch_end_time' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_SERVICEGROUP_HOST_DOWNTIME|SCHEDULE_SERVICEGROUP_SVC_DOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_servicegroup};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    			date {
    				match => ['nagios_epoch_start_time', 'UNIX' ]
    				target => 'nagios_downtime_start'
    				remove_field => [ 'nagios_epoch_start_time' ]
    			}
    			date {
    				match => ['nagios_epoch_end_time', 'UNIX' ]
    				target => 'nagios_downtime_end'
    				remove_field => [ 'nagios_epoch_end_time' ]
    			}
    		}
    		if [message] =~ /SEND_CUSTOM_HOST_NOTIFICATION/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_notification_options};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /SEND_CUSTOM_SVC_NOTIFICATION/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_notification_options};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /ADD_HOST_COMMENT/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /ADD_SVC_COMMENT/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /ACKNOWLEDGE_HOST_PROBLEM/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_sticky};%{INT:nagios_notify};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /ACKNOWLEDGE_SVC_PROBLEM/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_sticky};%{INT:nagios_notify};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /DEL_HOST_COMMENT|DEL_SVC_COMMENT/ {
    			grok {
    				match => [ 'message', '%{DATA};%{NUMBER:nagios_comment_id}' ]
    			}
    		}
    		if [message] =~ /DEL_HOST_DOWNTIME|DEL_SVC_DOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA};%{NUMBER:nagios_downtime_id}' ]
    			}
    		}
    		if [message] =~ /DELAY_HOST_NOTIFICATION/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_epoch_notification_time}' ]
    			}
    			date {
    				match => ['nagios_epoch_notification_time', 'UNIX' ]
    				target => 'nagios_notification_time'
    				remove_field => [ 'nagios_epoch_notification_time' ]
    			}
    		}
    		if [message] =~ /DELAY_SVC_NOTIFICATION/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_epoch_notification_time}' ]
    			}
    			date {
    				match => ['nagios_epoch_notification_time', 'UNIX' ]
    				target => 'nagios_notification_time'
    				remove_field => [ 'nagios_epoch_notification_time' ]
    			}
    		}
    		if [message] =~ /ABLE_CONTACTGROUP_HOST_NOTIFICATIONS|ABLE_CONTACTGROUP_SVC_NOTIFICATIONS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_contactgroup}' ]
    			}			
    		}
    		if [message] =~ /ABLE_CONTACT_HOST_NOTIFICATIONS|ABLE_CONTACT_SVC_NOTIFICATIONS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_contact}' ]
    			}
    		}
    		if [message] =~ /ABLE_HOSTGROUP_HOST_CHECKS|ABLE_HOSTGROUP_HOST_NOTIFICATIONS|ABLE_HOSTGROUP_PASSIVE_HOST_CHECKS|ABLE_HOSTGROUP_PASSIVE_SVC_CHECKS|ABLE_HOSTGROUP_SVC_CHECKS|ABLE_HOSTGROUP_SVC_NOTIFICATIONS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_hostgroup}' ]
    			}			
    		}
    		if [message] =~ /ABLE_SERVICEGROUP_HOST_CHECKS|ABLE_SERVICEGROUP_HOST_NOTIFICATIONS|ABLE_SERVICEGROUP_PASSIVE_HOST_CHECKS|ABLE_SERVICEGROUP_PASSIVE_SVC_CHECKS|ABLE_SERVICEGROUP_SVC_CHECKS|ABLE_SERVICEGROUP_SVC_NOTIFICATIONS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_servicegroup}' ]
    			}			
    		}
    		if [message] =~ /PROCESS_FILE/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_process_file};%{GREEDYDATA:nagios_process_file_delete}' ]
    			}
    		}
    		if [message] =~ /PROCESS_HOST_CHECK_RESULT/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_host_status_code};%{GREEDYDATA:nagios_host_output}' ]
    			}
    		}
    		if [message] =~ /PROCESS_SERVICE_CHECK_RESULT/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_service_status_code};%{GREEDYDATA:nagios_service_output}' ]
    			}
    		}
    		if [message] =~ /SET_HOST_NOTIFICATION_NUMBER/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_notification_number}' ]
    			}
    		}
    		if [message] =~ /SET_SVC_NOTIFICATION_NUMBER/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_notification_number}' ]
    			}
    		}
    		if [message] =~ /CHANGE_CONTACT_HOST_NOTIFICATION_TIMEPERIOD|CHANGE_CONTACT_SVC_NOTIFICATION_TIMEPERIOD/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_contact};%{GREEDYDATA:nagios_timeperiod}' ]
    			}
    		}
    		if [message] =~ /CHANGE_CONTACT_MOD/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_contact};%{GREEDYDATA:nagios_attribute_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_CUSTOM_CONTACT_VAR/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_contact};%{DATA:nagios_variable_name};%{GREEDYDATA:nagios_variable_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_CUSTOM_HOST_VAR/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_variable_name};%{GREEDYDATA:nagios_variable_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_CUSTOM_SVC_VAR/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_variable_name};%{GREEDYDATA:nagios_variable_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_GLOBAL_HOST_EVENT_HANDLER|CHANGE_GLOBAL_SVC_EVENT_HANDLER/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_command}' ]
    			}
    		}
    		if [message] =~ /CHANGE_HOST_CHECK_COMMAND|CHANGE_HOST_EVENT_HANDLER/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_command}' ]
    			}
    		}
    		if [message] =~ /CHANGE_SVC_CHECK_COMMAND|CHANGE_SVC_EVENT_HANDLER/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_command}' ]
    			}
    		}
    		if [message] =~ /CHANGE_HOST_CHECK_TIMEPERIOD|CHANGE_HOST_NOTIFICATION_TIMEPERIOD/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_timeperiod}' ]
    			}
    		}
    		if [message] =~ /CHANGE_SVC_CHECK_TIMEPERIOD|CHANGE_SVC_NOTIFICATION_TIMEPERIOD/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_timeperiod}' ]
    			}
    		}
    		if [message] =~ /CHANGE_HOST_MODATTR/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_attribute_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_SVC_MODATTR/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_attribute_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_MAX_HOST_CHECK_ATTEMPTS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_max_check_attempts}' ]
    			}
    		}
    		if [message] =~ /CHANGE_MAX_SVC_CHECK_ATTEMPTS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_max_check_attempts}' ]
    			}
    		}
    		if [message] =~ /CHANGE_NORMAL_HOST_CHECK_INTERVAL/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_check_interval}' ]
    			}
    		}
    		if [message] =~ /CHANGE_NORMAL_SVC_CHECK_INTERVAL/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_check_interval}' ]
    			}
    		}
    		if [message] =~ /CHANGE_RETRY_HOST_CHECK_INTERVAL/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_retry_interval}' ]
    			}
    		}
    		if [message] =~ /CHANGE_RETRY_SVC_CHECK_INTERVAL/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_retry_interval}' ]
    			}
    		}
    	}
    	if [message] =~ /External\scommand\sfailed/ {
    		grok {
    			match => [ 'message', '%{DATA}-> %{DATA:nagios_external_command};' ]
    		}
    	}
    	if [message] =~ /Nagios.*starting/ {
    		grok {
    			match => [ 'message', '%{DATA} (?<nagios_version>%{INT}\.%{INT}\.%{INT}) %{GREEDYDATA}' ]
    		}
    	}
    	if [message] =~ /timed\sout\safter/ {
    		grok {
    			match => [ 'message', '%{DATA} timed out after %{NUMBER:nagios_timeout}s' ]
    		}
    	}
    	mutate {
    		replace => [ 'type', 'nagios_core' ]
    	}
    	date {
    		match => ['epoch_timestamp', 'UNIX' ]
    	}
    }
    if [host] == '172.30.100.226' {
    
    grok {
    
    match => { "message" => "result=\"%{WORD:result}\" ip=\"%{IP:IP}\" action=\"%{WORD:action}\" params=\"Username: %{USER:params}\" user=\"%{USER:user}\" tenant=\"%{WORD:tenant}\""}
    match => { "message" => "result=\"%{WORD:result}\" ip=\"%{IP:IP}\" action=\"%{WORD:action}\" params=\"Username=%{USER:params}\" user=\"%{USER:user}\" tenant=\"%{WORD:tenant}\""}
    }
    
    }
    
}

#
# Local filters
#



#
# Global outputs
#



#
# Local outputs
#


Proudly running:
NagiosXI 5.4.12 2 node Prod Env 2500 hosts, 13,000 services
Nagiosxi 5.5.7(test env) 2500 hosts, 13,000 services
Nagios Logserver 2 node Prod Env 500 objects sending
Nagios Network Analyser
Nagios Fusion
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: geoip conflict

Post by scottwilkerson »

You have this, which isn't valid:

Code: Select all

match => { "message" => "result=\"%{WORD:result}\" ip=\"%{IP:IP}\" action=\"%{WORD:action}\" params=\"Username: %{USER:params}\" user=\"%{USER:user}\" tenant=\"%{WORD:tenant}\""}
    match => { "message" => "result=\"%{WORD:result}\" ip=\"%{IP:IP}\" action=\"%{WORD:action}\" params=\"Username=%{USER:params}\" user=\"%{USER:user}\" tenant=\"%{WORD:tenant}\""}
Replace it with this:

Code: Select all

match => [ "message" => "result=\"%{WORD:result}\" ip=\"%{IP:IP}\" action=\"%{WORD:action}\" params=\"Username: %{USER:params}\" user=\"%{USER:user}\" tenant=\"%{WORD:tenant}\""]
    match => [ "message" => "result=\"%{WORD:result}\" ip=\"%{IP:IP}\" action=\"%{WORD:action}\" params=\"Username=%{USER:params}\" user=\"%{USER:user}\" tenant=\"%{WORD:tenant}\""]
Former Nagios employee
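For reference, the grok filter's documented form for trying more than one pattern against the same field is a single `match` hash whose value is an array of patterns; Logstash tries them in order and stops at the first one that matches. The block below is an added editor's example, not code from either post: the host address, field names and the two vidyo patterns are taken from the thread, while the `tag_on_failure` tag name and the `if [IP]` guard are assumptions.

```logstash
# Added example: one grok block carrying both vidyo patterns in an array,
# so a second "match =>" attribute is never needed.
if [host] == '172.30.100.226' {
  grok {
    match => {
      "message" => [
        "result=\"%{WORD:result}\" ip=\"%{IP:IP}\" action=\"%{WORD:action}\" params=\"Username: %{USER:params}\" user=\"%{USER:user}\" tenant=\"%{WORD:tenant}\"",
        "result=\"%{WORD:result}\" ip=\"%{IP:IP}\" action=\"%{WORD:action}\" params=\"Username=%{USER:params}\" user=\"%{USER:user}\" tenant=\"%{WORD:tenant}\""
      ]
    }
    # Events matching neither pattern get this tag instead of the default
    # _grokparsefailure, so bad vidyo lines can be searched for separately
    # (tag name is an assumption).
    tag_on_failure => [ "_vidyo_grokparsefailure" ]
  }
  # Only enrich when grok actually extracted an address; geoip reads the
  # field that %{IP:IP} created, so the source name must match exactly.
  if [IP] {
    geoip {
      source => "IP"
    }
  }
}
```

The `if [IP]` guard keeps geoip from running on unparsed events, which is where a missing-field warning would otherwise show up in the Logstash log.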
benhank
Posts: 1264
Joined: Tue Apr 12, 2011 12:29 pm

Re: geoip conflict

Post by benhank »

I still can't get it to work:

Code: Select all

{:timestamp=>"2019-02-21T13:43:48.364000-0500", :message=>"The given configuration is invalid. Reason: Expected one of #, {, ,, ] at line 556, column 30 (byte 21584) after filter {\n    if [type] == 'asa' {\n      grok{\n        match => [ 'message', '<%{POSINT:syslog_pri}>%{MONTH} +%{MONTHDAY} %{YEAR} %{TIME}: %%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (%{USERNAME:Group}|%{IP:Group}), Username = %{IPORHOST:username}, IP = %{IP:IPAddress}, Session disconnected. Session Type: %{NOTSPACE:SessionType}, Duration: (%NUMBER:DurationDays}d ?)?%{NUMBER:DurationHours}h:%{NUMBER:DurationMinutes}m:%{NUMBER:DurationSeconds}s, Bytes xmt: %{INT:BytesTransmitted:int}, Bytes rcv: %{INT:BytesReceived:int}, Reason: %{GREEDYDATA:Reason}' ]\n    }\n    geoip {\n    database => \"/usr/share/GeoIP/GeoLiteCity.dat\"\n    source => \"IPAddress\"\n    }\n    }\n    if [program] == 'apache_access' {\n        grok {\n            match => [ 'message', '%{COMBINEDAPACHELOG}']\n        }\n        date {\n            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]\n        }\n        mutate {\n            replace => [ 'type', 'apache_access' ]\n             convert => [ 'bytes', 'integer' ]\n             convert => [ 'response', 'integer' ]\n        }\n    }\n     \n    if [program] == 'apache_error' {\n        grok {\n            match => [ 'message', '\\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\\] \\[%{WORD:class}\\] \\[%{WORD:originator} %{IP:clientip}\\] %{GREEDYDATA:errmsg}']\n        }\n        mutate {\n            replace => [ 'type', 'apache_error' ]\n        }\n    }\n        if [program] == \"mysqld_log\" {\n            grok {\n                match => [ \"message\", \"^%{NUMBER:date} *%{NOTSPACE:time}\"]\n            }\n            mutate {\n                replace => [ \"type\", \"mysqld_log\" ]\n            }\n        }\n    if [program] == 'nagios_core' {\n    \tgrok {\n    \t\tmatch => [ 'message', 
'\\[%{NUMBER:epoch_timestamp}\\] %{GREEDYDATA:message}' ]\n    \t\toverwrite => [ 'message' ]\n    \t}\n    \tif [message] =~ /^Warning:|Error:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA:nagios_severity_label}: %{GREEDYDATA}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /check\\sof\\shost|check\\sfor\\shost|host\\scheckresult\\sfor|Passive\\scheck\\sresult\\swas\\sreceived\\sfor\\shost/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA} \\'%{DATA:nagios_host}\\'%{GREEDYDATA}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /service.*on\\shost|Service\\s\\'/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA} \\'%{DATA:nagios_service}\\' %{DATA} \\'%{DATA:nagios_host}\\'' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /wproc:/ {\n    \t\tif [message] =~ /host=.*;\\sservice=/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA}host=%{DATA:nagios_host}; service=%{DATA:nagios_service};' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /job.*return\\scode/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA}: %{DATA:nagios_job} job%{DATA} return code %{NUMBER:nagios_return_code}' ]\n    \t\t\t}\n    \t\t}\n    \t}\n    \tif [message] =~ /Return\\scode\\sof/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA} %{NUMBER:nagios_return_code} %{GREEDYDATA}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /Host\\s\\'|results\\sof\\shost\\s'/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA} \\'%{DATA:nagios_host}\\' %{GREEDYDATA}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /^HOST\\sALERT:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_host_state};%{NUMBER:nagios_host_attempt};%{GREEDYDATA:nagios_host_output}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /^SERVICE\\sALERT:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA:nagios_severity_label}: 
%{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_service_state};%{NUMBER:nagios_service_attempt};%{GREEDYDATA:nagios_service_output}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /^CURRENT\\sHOST\\sSTATE:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_host_state};%{NUMBER:nagios_host_attempt};%{GREEDYDATA:nagios_host_output}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /^CURRENT\\sSERVICE\\sSTATE:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_service_state};%{NUMBER:nagios_service_attempt};%{GREEDYDATA:nagios_service_output}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /^HOST\\sNOTIFICATION:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_contact};%{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_command};%{GREEDYDATA:nagios_host_output}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /^SERVICE\\sNOTIFICATION:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_contact};%{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_command};%{GREEDYDATA:nagios_service_output}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /DOWNTIME\\sALERT:/ {\n    \t\tif [message] =~ /^HOST\\sDOWNTIME/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_downtime_state};' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /^SERVICE\\sDOWNTIME/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_downtime_state};' ]\n    \t\t\t}\n    \t\t}\n    \t}\n    \tif [message] =~ /FLAPPING\\sALERT:/ {\n    \t\tif [message] =~ /^HOST\\sFLAPPING/ {\n    \t\t\tgrok {\n    
\t\t\t\tmatch => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_flapping_state};' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /^SERVICE\\sFLAPPING/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_flapping_state};' ]\n    \t\t\t}\n    \t\t}\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA}\\(%{NUMBER:nagios_flapping_value}%{DATA}%{NUMBER:nagios_flapping_threshold}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /HOST\\sEVENT\\sHANDLER:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA}: %{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_host_state};%{NUMBER:nagios_host_attempt};%{GREEDYDATA:nagios_command}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /SERVICE\\sEVENT\\sHANDLER:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_service_state};%{NUMBER:nagios_service_attempt};%{GREEDYDATA:nagios_command}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /contact\\s\\'|Contact\\s\\'/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA} \\'%{DATA:nagios_contact}\\'' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /^EXTERNAL\\sCOMMAND:/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA}: %{DATA:nagios_external_command};%{GREEDYDATA}' ]\n    \t\t}\n    \t\tif [message] =~ /DEL_ALL_HOST_COMMENTS|ABLE_ALL_NOTIFICATIONS_BEYOND_HOST|ABLE_HOST_AND_CHILD_NOTIFICATION|ABLE_HOST_CHECK|ABLE_HOST_EVENT_HANDLER|ABLE_HOST_FLAP_DETECTION|ABLE_HOST_SVC_CHECKS|ABLE_HOST_SVC_NOTIFICATIONS|ABLE_PASSIVE_HOST_CHECKS|REMOVE_HOST_ACKNOWLEDGEMENT|_OBSESSING_OVER_HOST/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{GREEDYDATA:nagios_host}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ 
/DEL_ALL_SVC_COMMENTS|ABLE_PASSIVE_SVC_CHECKS|ABLE_SVC_CHECK|ABLE_SVC_EVENT_HANDLER|ABLE_SVC_FLAP_DETECTION|ABLE_SVC_NOTIFICATIONS|REMOVE_SVC_ACKNOWLEDGEMENT|_OBSESSING_OVER_SVC/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_service}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SCHEDULE_FORCED_HOST_CHECK|SCHEDULE_FORCED_HOST_SVC_CHECKS|SCHEDULE_HOST_CHECK|SCHEDULE_HOST_SVC_CHECKS/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_epoch_check_time}' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_check_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_check_time'\n    \t\t\t\tremove_field => [ 'nagios_epoch_check_time' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SCHEDULE_FORCED_SVC_CHECK|SCHEDULE_SVC_CHECK/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_epoch_check_time}' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_check_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_check_time'\n    \t\t\t\tremove_field => [ 'nagios_epoch_check_time' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SCHEDULE_AND_PROPAGATE_HOST_DOWNTIME|SCHEDULE_AND_PROPAGATE_TRIGGERED_HOST_DOWNTIME|SCHEDULE_HOST_DOWNTIME|SCHEDULE_HOST_SVC_DOWNTIME/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_start_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_downtime_start'\n    \t\t\t\tremove_field => [ 'nagios_epoch_start_time' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_end_time', 'UNIX' ]\n    \t\t\t\ttarget => 
'nagios_downtime_end'\n    \t\t\t\tremove_field => [ 'nagios_epoch_end_time' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SCHEDULE_SVC_DOWNTIME/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_start_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_downtime_start'\n    \t\t\t\tremove_field => [ 'nagios_epoch_start_time' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_end_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_downtime_end'\n    \t\t\t\tremove_field => [ 'nagios_epoch_end_time' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SCHEDULE_HOSTGROUP_HOST_DOWNTIME|SCHEDULE_HOSTGROUP_SVC_DOWNTIME/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_hostgroup};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_start_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_downtime_start'\n    \t\t\t\tremove_field => [ 'nagios_epoch_start_time' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_end_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_downtime_end'\n    \t\t\t\tremove_field => [ 'nagios_epoch_end_time' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SCHEDULE_SERVICEGROUP_HOST_DOWNTIME|SCHEDULE_SERVICEGROUP_SVC_DOWNTIME/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', 
'%{DATA};%{DATA:nagios_servicegroup};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_start_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_downtime_start'\n    \t\t\t\tremove_field => [ 'nagios_epoch_start_time' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_end_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_downtime_end'\n    \t\t\t\tremove_field => [ 'nagios_epoch_end_time' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SEND_CUSTOM_HOST_NOTIFICATION/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_notification_options};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SEND_CUSTOM_SVC_NOTIFICATION/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_notification_options};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /ADD_HOST_COMMENT/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /ADD_SVC_COMMENT/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /ACKNOWLEDGE_HOST_PROBLEM/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_sticky};%{INT:nagios_notify};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ 
/ACKNOWLEDGE_SVC_PROBLEM/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_sticky};%{INT:nagios_notify};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /DEL_HOST_COMMENT|DEL_SVC_COMMENT/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{NUMBER:nagios_comment_id}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /DEL_HOST_DOWNTIME|DEL_SVC_DOWNTIME/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{NUMBER:nagios_downtime_id}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /DELAY_HOST_NOTIFICATION/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_epoch_notification_time}' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_notification_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_notification_time'\n    \t\t\t\tremove_field => [ 'nagios_epoch_notification_time' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /DELAY_SVC_NOTIFICATION/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_epoch_notification_time}' ]\n    \t\t\t}\n    \t\t\tdate {\n    \t\t\t\tmatch => ['nagios_epoch_notification_time', 'UNIX' ]\n    \t\t\t\ttarget => 'nagios_notification_time'\n    \t\t\t\tremove_field => [ 'nagios_epoch_notification_time' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /ABLE_CONTACTGROUP_HOST_NOTIFICATIONS|ABLE_CONTACTGROUP_SVC_NOTIFICATIONS/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{GREEDYDATA:nagios_contactgroup}' ]\n    \t\t\t}\t\t\t\n    \t\t}\n    \t\tif [message] =~ /ABLE_CONTACT_HOST_NOTIFICATIONS|ABLE_CONTACT_SVC_NOTIFICATIONS/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{GREEDYDATA:nagios_contact}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ 
/ABLE_HOSTGROUP_HOST_CHECKS|ABLE_HOSTGROUP_HOST_NOTIFICATIONS|ABLE_HOSTGROUP_PASSIVE_HOST_CHECKS|ABLE_HOSTGROUP_PASSIVE_SVC_CHECKS|ABLE_HOSTGROUP_SVC_CHECKS|ABLE_HOSTGROUP_SVC_NOTIFICATIONS/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{GREEDYDATA:nagios_hostgroup}' ]\n    \t\t\t}\t\t\t\n    \t\t}\n    \t\tif [message] =~ /ABLE_SERVICEGROUP_HOST_CHECKS|ABLE_SERVICEGROUP_HOST_NOTIFICATIONS|ABLE_SERVICEGROUP_PASSIVE_HOST_CHECKS|ABLE_SERVICEGROUP_PASSIVE_SVC_CHECKS|ABLE_SERVICEGROUP_SVC_CHECKS|ABLE_SERVICEGROUP_SVC_NOTIFICATIONS/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{GREEDYDATA:nagios_servicegroup}' ]\n    \t\t\t}\t\t\t\n    \t\t}\n    \t\tif [message] =~ /PROCESS_FILE/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_process_file};%{GREEDYDATA:nagios_process_file_delete}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /PROCESS_HOST_CHECK_RESULT/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_host_status_code};%{GREEDYDATA:nagios_host_output}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /PROCESS_SERVICE_CHECK_RESULT/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_service_status_code};%{GREEDYDATA:nagios_service_output}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SET_HOST_NOTIFICATION_NUMBER/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_notification_number}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /SET_SVC_NOTIFICATION_NUMBER/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_notification_number}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_CONTACT_HOST_NOTIFICATION_TIMEPERIOD|CHANGE_CONTACT_SVC_NOTIFICATION_TIMEPERIOD/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', 
'%{DATA};%{DATA:nagios_contact};%{GREEDYDATA:nagios_timeperiod}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_CONTACT_MOD/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_contact};%{GREEDYDATA:nagios_attribute_value}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_CUSTOM_CONTACT_VAR/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_contact};%{DATA:nagios_variable_name};%{GREEDYDATA:nagios_variable_value}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_CUSTOM_HOST_VAR/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_variable_name};%{GREEDYDATA:nagios_variable_value}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_CUSTOM_SVC_VAR/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_variable_name};%{GREEDYDATA:nagios_variable_value}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_GLOBAL_HOST_EVENT_HANDLER|CHANGE_GLOBAL_SVC_EVENT_HANDLER/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{GREEDYDATA:nagios_command}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_HOST_CHECK_COMMAND|CHANGE_HOST_EVENT_HANDLER/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_command}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_SVC_CHECK_COMMAND|CHANGE_SVC_EVENT_HANDLER/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_command}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_HOST_CHECK_TIMEPERIOD|CHANGE_HOST_NOTIFICATION_TIMEPERIOD/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_timeperiod}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_SVC_CHECK_TIMEPERIOD|CHANGE_SVC_NOTIFICATION_TIMEPERIOD/ {\n    
\t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_timeperiod}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_HOST_MODATTR/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_attribute_value}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_SVC_MODATTR/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_attribute_value}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_MAX_HOST_CHECK_ATTEMPTS/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_max_check_attempts}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_MAX_SVC_CHECK_ATTEMPTS/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_max_check_attempts}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_NORMAL_HOST_CHECK_INTERVAL/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_check_interval}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_NORMAL_SVC_CHECK_INTERVAL/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_check_interval}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_RETRY_HOST_CHECK_INTERVAL/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_retry_interval}' ]\n    \t\t\t}\n    \t\t}\n    \t\tif [message] =~ /CHANGE_RETRY_SVC_CHECK_INTERVAL/ {\n    \t\t\tgrok {\n    \t\t\t\tmatch => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_retry_interval}' ]\n    \t\t\t}\n    \t\t}\n    \t}\n    \tif [message] =~ /External\\scommand\\sfailed/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA}-> 
%{DATA:nagios_external_command};' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /Nagios.*starting/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA} (?<nagios_version>%{INT}\\.%{INT}\\.%{INT}) %{GREEDYDATA}' ]\n    \t\t}\n    \t}\n    \tif [message] =~ /timed\\sout\\safter/ {\n    \t\tgrok {\n    \t\t\tmatch => [ 'message', '%{DATA} timed out after %{NUMBER:nagios_timeout}s' ]\n    \t\t}\n    \t}\n    \tmutate {\n    \t\treplace => [ 'type', 'nagios_core' ]\n    \t}\n    \tdate {\n    \t\tmatch => ['epoch_timestamp', 'UNIX' ]\n    \t}\n    }\n    if [host] == '172.30.100.226' {\n    \n    grok {\n    \n        match => [ \"message\" ", :level=>:fatal}
Proudly running:
NagiosXI 5.4.12 2 node Prod Env 2500 hosts, 13,000 services
Nagiosxi 5.5.7(test env) 2500 hosts, 13,000 services
Nagios Logserver 2 node Prod Env 500 objects sending
Nagios Network Analyser
Nagios Fusion
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: geoip conflict

Post by scottwilkerson »

Looking, there is another error here

Code: Select all

if [type] == 'asa' {
          grok{
            match => [ 'message', '<%{POSINT:syslog_pri}>%{MONTH} +%{MONTHDAY} %{YEAR} %{TIME}: %%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (%{USERNAME:Group}|%{IP:Group}), Username = %{IPORHOST:username}, IP = %{IP:IPAddress}, Session disconnected. Session Type: %{NOTSPACE:SessionType}, Duration: (%NUMBER:DurationDays}d ?)?%{NUMBER:DurationHours}h:%{NUMBER:DurationMinutes}m:%{NUMBER:DurationSeconds}s, Bytes xmt: %{INT:BytesTransmitted:int}, Bytes rcv: %{INT:BytesReceived:int}, Reason: %{GREEDYDATA:Reason}' ]
        }
You have the code

Code: Select all

Duration: (%NUMBER:DurationDays}d ?)
which should be

Code: Select all

Duration: (%{NUMBER:DurationDays}d ?)
Former Nagios employee
Creator:
Human Design Website
Get Your Human Design Chart
benhank
Posts: 1264
Joined: Tue Apr 12, 2011 12:29 pm

Re: geoip conflict

Post by benhank »

I made the change to the ASA and that worked; I was able to apply the config.

But for some reason when I change the { to [ the verification fails.
This config file is working for some reason, parsing and chopping up the data the way it should. But when I add the geoip lines it all falls apart. This has got me baffled.

Code: Select all

# 
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Thu, 21 Feb 2019 15:04:09 -0500
#

#
# Global inputs
#

input {
    syslog {
        type => 'syslog'
        port => 5544
    }
    syslog {
        type => 'syslog'
        port => 514
    }
    tcp {
        type => 'asa'
        port => 6514
    }
    udp {
        type => 'asa'
        port => 6514
    }
    
    tcp {
        type => 'eventlog'
        port => 3515
        codec => json {
            charset => 'CP1252'
        }
    }
    tcp {
        type => 'import_raw'
        tags => 'import_raw'
        port => 2056
    }
    tcp {
        type => 'import_json'
        tags => 'import_json'
        port => 2057
        codec => json
    }
    file {
        path => '/var/log/logstash/logstash.log'
    }
    snmptrap {
    port => 162
    type => snmptrap
    }
    snmptrap {
    port => 161
    type => snmptrap
    }
    snmptrap {
    port => 2381
    type => ilosnmptrap
    }
}

#
# Local inputs
#



#
# Global filters
#

filter {
    if [type] == 'asa' {
        grok {
            match => [ 'message', '<%{POSINT:syslog_pri}>%{MONTH} +%{MONTHDAY} %{YEAR} %{TIME}: %%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (%{USERNAME:Group}|%{IP:Group}), Username = %{IPORHOST:username}, IP = %{IP:IPAddress}, Session disconnected. Session Type: %{NOTSPACE:SessionType}, Duration: (%{NUMBER:DurationDays}d ?)?%{NUMBER:DurationHours}h:%{NUMBER:DurationMinutes}m:%{NUMBER:DurationSeconds}s, Bytes xmt: %{INT:BytesTransmitted:int}, Bytes rcv: %{INT:BytesReceived:int}, Reason: %{GREEDYDATA:Reason}' ]
        }
        geoip {
            database => "/usr/share/GeoIP/GeoLiteCity.dat"
            source => "IPAddress"
        }
    }
    
    if [program] == 'apache_access' {
        grok {
            match => [ 'message', '%{COMBINEDAPACHELOG}']
        }
        date {
            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
        }
        mutate {
            replace => [ 'type', 'apache_access' ]
             convert => [ 'bytes', 'integer' ]
             convert => [ 'response', 'integer' ]
        }
    }
     
    if [program] == 'apache_error' {
        grok {
            match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
        }
        mutate {
            replace => [ 'type', 'apache_error' ]
        }
    }
        if [program] == "mysqld_log" {
            grok {
                match => [ "message", "^%{NUMBER:date} *%{NOTSPACE:time}"]
            }
            mutate {
                replace => [ "type", "mysqld_log" ]
            }
        }
    if [program] == 'nagios_core' {
    	grok {
    		match => [ 'message', '\[%{NUMBER:epoch_timestamp}\] %{GREEDYDATA:message}' ]
    		overwrite => [ 'message' ]
    	}
    	if [message] =~ /^Warning:|Error:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{GREEDYDATA}' ]
    		}
    	}
    	if [message] =~ /check\sof\shost|check\sfor\shost|host\scheckresult\sfor|Passive\scheck\sresult\swas\sreceived\sfor\shost/ {
    		grok {
    			match => [ 'message', '%{DATA} \'%{DATA:nagios_host}\'%{GREEDYDATA}' ]
    		}
    	}
    	if [message] =~ /service.*on\shost|Service\s\'/ {
    		grok {
    			match => [ 'message', '%{DATA} \'%{DATA:nagios_service}\' %{DATA} \'%{DATA:nagios_host}\'' ]
    		}
    	}
    	if [message] =~ /wproc:/ {
    		if [message] =~ /host=.*;\sservice=/ {
    			grok {
    				match => [ 'message', '%{DATA}host=%{DATA:nagios_host}; service=%{DATA:nagios_service};' ]
    			}
    		}
    		if [message] =~ /job.*return\scode/ {
    			grok {
    				match => [ 'message', '%{DATA}: %{DATA:nagios_job} job%{DATA} return code %{NUMBER:nagios_return_code}' ]
    			}
    		}
    	}
    	if [message] =~ /Return\scode\sof/ {
    		grok {
    			match => [ 'message', '%{DATA} %{NUMBER:nagios_return_code} %{GREEDYDATA}' ]
    		}
    	}
    	if [message] =~ /Host\s\'|results\sof\shost\s'/ {
    		grok {
    			match => [ 'message', '%{DATA} \'%{DATA:nagios_host}\' %{GREEDYDATA}' ]
    		}
    	}
    	if [message] =~ /^HOST\sALERT:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_host_state};%{NUMBER:nagios_host_attempt};%{GREEDYDATA:nagios_host_output}' ]
    		}
    	}
    	if [message] =~ /^SERVICE\sALERT:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_service_state};%{NUMBER:nagios_service_attempt};%{GREEDYDATA:nagios_service_output}' ]
    		}
    	}
    	if [message] =~ /^CURRENT\sHOST\sSTATE:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_host_state};%{NUMBER:nagios_host_attempt};%{GREEDYDATA:nagios_host_output}' ]
    		}
    	}
    	if [message] =~ /^CURRENT\sSERVICE\sSTATE:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_service_state};%{NUMBER:nagios_service_attempt};%{GREEDYDATA:nagios_service_output}' ]
    		}
    	}
    	if [message] =~ /^HOST\sNOTIFICATION:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_contact};%{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_command};%{GREEDYDATA:nagios_host_output}' ]
    		}
    	}
    	if [message] =~ /^SERVICE\sNOTIFICATION:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_contact};%{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_command};%{GREEDYDATA:nagios_service_output}' ]
    		}
    	}
    	if [message] =~ /DOWNTIME\sALERT:/ {
    		if [message] =~ /^HOST\sDOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_downtime_state};' ]
    			}
    		}
    		if [message] =~ /^SERVICE\sDOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_downtime_state};' ]
    			}
    		}
    	}
    	if [message] =~ /FLAPPING\sALERT:/ {
    		if [message] =~ /^HOST\sFLAPPING/ {
    			grok {
    				match => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_flapping_state};' ]
    			}
    		}
    		if [message] =~ /^SERVICE\sFLAPPING/ {
    			grok {
    				match => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_flapping_state};' ]
    			}
    		}
    		grok {
    			match => [ 'message', '%{DATA}\(%{NUMBER:nagios_flapping_value}%{DATA}%{NUMBER:nagios_flapping_threshold}' ]
    		}
    	}
    	if [message] =~ /HOST\sEVENT\sHANDLER:/ {
    		grok {
    			match => [ 'message', '%{DATA}: %{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_host_state};%{NUMBER:nagios_host_attempt};%{GREEDYDATA:nagios_command}' ]
    		}
    	}
    	if [message] =~ /SERVICE\sEVENT\sHANDLER:/ {
    		grok {
    			match => [ 'message', '%{DATA}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_service_state};%{NUMBER:nagios_service_attempt};%{GREEDYDATA:nagios_command}' ]
    		}
    	}
    	if [message] =~ /contact\s\'|Contact\s\'/ {
    		grok {
    			match => [ 'message', '%{DATA} \'%{DATA:nagios_contact}\'' ]
    		}
    	}
    	if [message] =~ /^EXTERNAL\sCOMMAND:/ {
    		grok {
    			match => [ 'message', '%{DATA}: %{DATA:nagios_external_command};%{GREEDYDATA}' ]
    		}
    		if [message] =~ /DEL_ALL_HOST_COMMENTS|ABLE_ALL_NOTIFICATIONS_BEYOND_HOST|ABLE_HOST_AND_CHILD_NOTIFICATION|ABLE_HOST_CHECK|ABLE_HOST_EVENT_HANDLER|ABLE_HOST_FLAP_DETECTION|ABLE_HOST_SVC_CHECKS|ABLE_HOST_SVC_NOTIFICATIONS|ABLE_PASSIVE_HOST_CHECKS|REMOVE_HOST_ACKNOWLEDGEMENT|_OBSESSING_OVER_HOST/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_host}' ]
    			}
    		}
    		if [message] =~ /DEL_ALL_SVC_COMMENTS|ABLE_PASSIVE_SVC_CHECKS|ABLE_SVC_CHECK|ABLE_SVC_EVENT_HANDLER|ABLE_SVC_FLAP_DETECTION|ABLE_SVC_NOTIFICATIONS|REMOVE_SVC_ACKNOWLEDGEMENT|_OBSESSING_OVER_SVC/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_service}' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_FORCED_HOST_CHECK|SCHEDULE_FORCED_HOST_SVC_CHECKS|SCHEDULE_HOST_CHECK|SCHEDULE_HOST_SVC_CHECKS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_epoch_check_time}' ]
    			}
    			date {
    				match => ['nagios_epoch_check_time', 'UNIX' ]
    				target => 'nagios_check_time'
    				remove_field => [ 'nagios_epoch_check_time' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_FORCED_SVC_CHECK|SCHEDULE_SVC_CHECK/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_epoch_check_time}' ]
    			}
    			date {
    				match => ['nagios_epoch_check_time', 'UNIX' ]
    				target => 'nagios_check_time'
    				remove_field => [ 'nagios_epoch_check_time' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_AND_PROPAGATE_HOST_DOWNTIME|SCHEDULE_AND_PROPAGATE_TRIGGERED_HOST_DOWNTIME|SCHEDULE_HOST_DOWNTIME|SCHEDULE_HOST_SVC_DOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    			date {
    				match => ['nagios_epoch_start_time', 'UNIX' ]
    				target => 'nagios_downtime_start'
    				remove_field => [ 'nagios_epoch_start_time' ]
    			}
    			date {
    				match => ['nagios_epoch_end_time', 'UNIX' ]
    				target => 'nagios_downtime_end'
    				remove_field => [ 'nagios_epoch_end_time' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_SVC_DOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    			date {
    				match => ['nagios_epoch_start_time', 'UNIX' ]
    				target => 'nagios_downtime_start'
    				remove_field => [ 'nagios_epoch_start_time' ]
    			}
    			date {
    				match => ['nagios_epoch_end_time', 'UNIX' ]
    				target => 'nagios_downtime_end'
    				remove_field => [ 'nagios_epoch_end_time' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_HOSTGROUP_HOST_DOWNTIME|SCHEDULE_HOSTGROUP_SVC_DOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_hostgroup};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    			date {
    				match => ['nagios_epoch_start_time', 'UNIX' ]
    				target => 'nagios_downtime_start'
    				remove_field => [ 'nagios_epoch_start_time' ]
    			}
    			date {
    				match => ['nagios_epoch_end_time', 'UNIX' ]
    				target => 'nagios_downtime_end'
    				remove_field => [ 'nagios_epoch_end_time' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_SERVICEGROUP_HOST_DOWNTIME|SCHEDULE_SERVICEGROUP_SVC_DOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_servicegroup};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    			date {
    				match => ['nagios_epoch_start_time', 'UNIX' ]
    				target => 'nagios_downtime_start'
    				remove_field => [ 'nagios_epoch_start_time' ]
    			}
    			date {
    				match => ['nagios_epoch_end_time', 'UNIX' ]
    				target => 'nagios_downtime_end'
    				remove_field => [ 'nagios_epoch_end_time' ]
    			}
    		}
    		if [message] =~ /SEND_CUSTOM_HOST_NOTIFICATION/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_notification_options};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /SEND_CUSTOM_SVC_NOTIFICATION/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_notification_options};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /ADD_HOST_COMMENT/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /ADD_SVC_COMMENT/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /ACKNOWLEDGE_HOST_PROBLEM/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_sticky};%{INT:nagios_notify};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /ACKNOWLEDGE_SVC_PROBLEM/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_sticky};%{INT:nagios_notify};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /DEL_HOST_COMMENT|DEL_SVC_COMMENT/ {
    			grok {
    				match => [ 'message', '%{DATA};%{NUMBER:nagios_comment_id}' ]
    			}
    		}
    		if [message] =~ /DEL_HOST_DOWNTIME|DEL_SVC_DOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA};%{NUMBER:nagios_downtime_id}' ]
    			}
    		}
    		if [message] =~ /DELAY_HOST_NOTIFICATION/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_epoch_notification_time}' ]
    			}
    			date {
    				match => ['nagios_epoch_notification_time', 'UNIX' ]
    				target => 'nagios_notification_time'
    				remove_field => [ 'nagios_epoch_notification_time' ]
    			}
    		}
    		if [message] =~ /DELAY_SVC_NOTIFICATION/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_epoch_notification_time}' ]
    			}
    			date {
    				match => ['nagios_epoch_notification_time', 'UNIX' ]
    				target => 'nagios_notification_time'
    				remove_field => [ 'nagios_epoch_notification_time' ]
    			}
    		}
    		if [message] =~ /ABLE_CONTACTGROUP_HOST_NOTIFICATIONS|ABLE_CONTACTGROUP_SVC_NOTIFICATIONS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_contactgroup}' ]
    			}			
    		}
    		if [message] =~ /ABLE_CONTACT_HOST_NOTIFICATIONS|ABLE_CONTACT_SVC_NOTIFICATIONS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_contact}' ]
    			}
    		}
    		if [message] =~ /ABLE_HOSTGROUP_HOST_CHECKS|ABLE_HOSTGROUP_HOST_NOTIFICATIONS|ABLE_HOSTGROUP_PASSIVE_HOST_CHECKS|ABLE_HOSTGROUP_PASSIVE_SVC_CHECKS|ABLE_HOSTGROUP_SVC_CHECKS|ABLE_HOSTGROUP_SVC_NOTIFICATIONS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_hostgroup}' ]
    			}			
    		}
    		if [message] =~ /ABLE_SERVICEGROUP_HOST_CHECKS|ABLE_SERVICEGROUP_HOST_NOTIFICATIONS|ABLE_SERVICEGROUP_PASSIVE_HOST_CHECKS|ABLE_SERVICEGROUP_PASSIVE_SVC_CHECKS|ABLE_SERVICEGROUP_SVC_CHECKS|ABLE_SERVICEGROUP_SVC_NOTIFICATIONS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_servicegroup}' ]
    			}			
    		}
    		if [message] =~ /PROCESS_FILE/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_process_file};%{GREEDYDATA:nagios_process_file_delete}' ]
    			}
    		}
    		if [message] =~ /PROCESS_HOST_CHECK_RESULT/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_host_status_code};%{GREEDYDATA:nagios_host_output}' ]
    			}
    		}
    		if [message] =~ /PROCESS_SERVICE_CHECK_RESULT/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_service_status_code};%{GREEDYDATA:nagios_service_output}' ]
    			}
    		}
    		if [message] =~ /SET_HOST_NOTIFICATION_NUMBER/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_notification_number}' ]
    			}
    		}
    		if [message] =~ /SET_SVC_NOTIFICATION_NUMBER/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_notification_number}' ]
    			}
    		}
    		if [message] =~ /CHANGE_CONTACT_HOST_NOTIFICATION_TIMEPERIOD|CHANGE_CONTACT_SVC_NOTIFICATION_TIMEPERIOD/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_contact};%{GREEDYDATA:nagios_timeperiod}' ]
    			}
    		}
    		if [message] =~ /CHANGE_CONTACT_MOD/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_contact};%{GREEDYDATA:nagios_attribute_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_CUSTOM_CONTACT_VAR/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_contact};%{DATA:nagios_variable_name};%{GREEDYDATA:nagios_variable_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_CUSTOM_HOST_VAR/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_variable_name};%{GREEDYDATA:nagios_variable_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_CUSTOM_SVC_VAR/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_variable_name};%{GREEDYDATA:nagios_variable_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_GLOBAL_HOST_EVENT_HANDLER|CHANGE_GLOBAL_SVC_EVENT_HANDLER/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_command}' ]
    			}
    		}
    		if [message] =~ /CHANGE_HOST_CHECK_COMMAND|CHANGE_HOST_EVENT_HANDLER/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_command}' ]
    			}
    		}
    		if [message] =~ /CHANGE_SVC_CHECK_COMMAND|CHANGE_SVC_EVENT_HANDLER/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_command}' ]
    			}
    		}
    		if [message] =~ /CHANGE_HOST_CHECK_TIMEPERIOD|CHANGE_HOST_NOTIFICATION_TIMEPERIOD/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_timeperiod}' ]
    			}
    		}
    		if [message] =~ /CHANGE_SVC_CHECK_TIMEPERIOD|CHANGE_SVC_NOTIFICATION_TIMEPERIOD/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_timeperiod}' ]
    			}
    		}
    		if [message] =~ /CHANGE_HOST_MODATTR/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_attribute_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_SVC_MODATTR/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_attribute_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_MAX_HOST_CHECK_ATTEMPTS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_max_check_attempts}' ]
    			}
    		}
    		if [message] =~ /CHANGE_MAX_SVC_CHECK_ATTEMPTS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_max_check_attempts}' ]
    			}
    		}
    		if [message] =~ /CHANGE_NORMAL_HOST_CHECK_INTERVAL/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_check_interval}' ]
    			}
    		}
    		if [message] =~ /CHANGE_NORMAL_SVC_CHECK_INTERVAL/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_check_interval}' ]
    			}
    		}
    		if [message] =~ /CHANGE_RETRY_HOST_CHECK_INTERVAL/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_retry_interval}' ]
    			}
    		}
    		if [message] =~ /CHANGE_RETRY_SVC_CHECK_INTERVAL/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_retry_interval}' ]
    			}
    		}
    	}
    	if [message] =~ /External\scommand\sfailed/ {
    		grok {
    			match => [ 'message', '%{DATA}-> %{DATA:nagios_external_command};' ]
    		}
    	}
    	if [message] =~ /Nagios.*starting/ {
    		grok {
    			match => [ 'message', '%{DATA} (?<nagios_version>%{INT}\.%{INT}\.%{INT}) %{GREEDYDATA}' ]
    		}
    	}
    	if [message] =~ /timed\sout\safter/ {
    		grok {
    			match => [ 'message', '%{DATA} timed out after %{NUMBER:nagios_timeout}s' ]
    		}
    	}
    	mutate {
    		replace => [ 'type', 'nagios_core' ]
    	}
    	date {
    		match => ['epoch_timestamp', 'UNIX' ]
    	}
    }
    if [host] == '172.30.100.226' {
        grok {
            match => { "message" => "result=\"%{WORD:result}\" ip=\"%{IP:IP}\" action=\"%{WORD:action}\" params=\"Username: %{USER:params}\" user=\"%{USER:user}\" tenant=\"%{WORD:tenant}\""}
            match => { "message" => "result=\"%{WORD:result}\" ip=\"%{IP:IP}\" action=\"%{WORD:action}\" params=\"Username=%{USER:params}\" user=\"%{USER:user}\" tenant=\"%{WORD:tenant}\""}
        }
    }
    
    
}

#
# Local filters
#



#
# Global outputs
#



#
# Local outputs
#


Last edited by benhank on Thu Feb 21, 2019 3:27 pm, edited 1 time in total.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: geoip conflict

Post by scottwilkerson »

You could try changing the grok to this, it's possible something isn't escaping correctly

Code: Select all

grok {
    match => { "message" => [
        'result="%{WORD:result}" ip="%{IP:IP}" action="%{WORD:action}" params="Username: %{USER:params}" user="%{USER:user}" tenant="%{WORD:tenant}"',
        'result="%{WORD:result}" ip="%{IP:IP}" action="%{WORD:action}" params="Username=%{USER:params}" user="%{USER:user}" tenant="%{WORD:tenant}"'
    ] }
}
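To make both fixes in this thread checkable before an apply config, here is an added example (not code from the thread, from Nagios Log Server or from Logstash): a small Python grok linter and matcher that flags the dropped `{` in the ASA Duration fragment, compiles a grok pattern into a regex, runs the two vidyo patterns over constructed sample lines, and prints the single-quoted multi-pattern `match` form. The pattern definitions are a simplified subset of the stock grok library and the sample lines and IPs are constructed, not real vidyo output.

```python
import re

# Assumption: a simplified subset of the stock grok library; the real
# definitions (e.g. USER, NUMBER) are longer, but these suffice here.
GROK_PATTERNS = {
    "WORD": r"\b\w+\b",
    "USER": r"[a-zA-Z0-9._-]+",
    "INT": r"[+-]?[0-9]+",
    "NUMBER": r"[+-]?[0-9]+(?:\.[0-9]+)?",
    "IP": r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
}
# %{NAME}, %{NAME:field} or %{NAME:field:int|float}
GROK_REF = re.compile(r"%\{(?P<name>[A-Z][A-Z0-9_]*)(?::(?P<field>[A-Za-z0-9_]+))?(?::(?P<type>int|float))?\}")
# A '%' directly followed by a pattern name means the '{' was dropped,
# exactly the '(%NUMBER:DurationDays}d ?)' defect pointed out in the thread.
MISSING_BRACE = re.compile(r"%(?P<name>[A-Z][A-Z0-9_]*)")


def compile_grok(pattern):
    """Expand grok references into named regex groups; returns (regex, casts)."""
    casts = {}

    def expand(m):
        base = GROK_PATTERNS[m.group("name")]  # KeyError for an unknown name
        field, typ = m.group("field"), m.group("type")
        if field is None:
            return f"(?:{base})"
        if typ:  # %{INT:BytesTransmitted:int} style type conversion
            casts[field] = int if typ == "int" else float
        return f"(?P<{field}>{base})"

    return re.compile(GROK_REF.sub(expand, pattern)), casts


def lint_grok(pattern):
    """Return a list of problems; an empty list means the pattern compiles."""
    problems = [f"offset {m.start()}: '%{m.group('name')}' is missing '{{' after '%'"
                for m in MISSING_BRACE.finditer(pattern)]
    unknown = sorted({m.group("name") for m in GROK_REF.finditer(pattern)
                      if m.group("name") not in GROK_PATTERNS})
    problems += [f"unknown pattern %{{{name}}}" for name in unknown]
    if not unknown:
        try:
            compile_grok(pattern)
        except re.error as exc:  # e.g. an unbalanced ')' left by a mangled edit
            problems.append(f"regex error: {exc}")
    return problems


def grok_match(patterns, line):
    """Try the patterns in order, first match wins (grok's break_on_match
    default); returns the field dict, or None for a _grokparsefailure."""
    for pattern in patterns:
        regex, casts = compile_grok(pattern)
        m = regex.search(line)  # grok patterns are not anchored
        if m:
            fields = m.groupdict()
            for name, cast in casts.items():
                if fields.get(name) is not None:
                    fields[name] = cast(fields[name])
            return fields
    return None


def render_match(patterns):
    """Emit one 'match' holding an array of single-quoted patterns: the form the
    grok docs give for several patterns, with no backslash-escaped quotes."""
    body = ",\n    ".join("'" + p + "'" for p in patterns)
    return 'match => { "message" => [\n    ' + body + "\n  ] }"


# The ASA duration fragment from the thread, as posted and as corrected.
ASA_DURATION_BAD = ("Duration: (%NUMBER:DurationDays}d ?)?%{NUMBER:DurationHours}h:"
                    "%{NUMBER:DurationMinutes}m:%{NUMBER:DurationSeconds}s")
ASA_DURATION_OK = ASA_DURATION_BAD.replace("(%NUMBER", "(%{NUMBER")

# The two vidyo patterns from the thread, single-quoted so the literal
# double quotes need no escaping.
VIDYO_PATTERNS = [
    'result="%{WORD:result}" ip="%{IP:IP}" action="%{WORD:action}" params="Username: %{USER:params}" user="%{USER:user}" tenant="%{WORD:tenant}"',
    'result="%{WORD:result}" ip="%{IP:IP}" action="%{WORD:action}" params="Username=%{USER:params}" user="%{USER:user}" tenant="%{WORD:tenant}"',
]

# Constructed sample lines (not real vidyo output), using documentation IP ranges.
SAMPLE_LINES = [
    'result="Success" ip="198.51.100.23" action="Login" params="Username: jdoe" user="jdoe" tenant="Default"',
    'result="Failure" ip="203.0.113.9" action="Login" params="Username=guest" user="guest" tenant="Default"',
    'result="Success" ip="198.51.100.23" action="Logout" params="" user="jdoe" tenant="Default"',  # matches neither
]

if __name__ == "__main__":
    print("as posted:", lint_grok(ASA_DURATION_BAD))
    print("corrected:", lint_grok(ASA_DURATION_OK))
    for line in SAMPLE_LINES:
        print(grok_match(VIDYO_PATTERNS, line) or "_grokparsefailure")
    print(render_match(VIDYO_PATTERNS))
```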