Intercept logs from FTP app sent to SQL database?

Posted: Thu Dec 05, 2019 5:49 pm
by rferebee
Hello,

My organization has an FTP application (EFT Server Enterprise) that writes its authentication-related logs to a SQL database which is stored on a separate server. The logs are W3C format. The FTP server itself has 30+ IP addresses all assigned to different FTP sites housed in the EFT Server Enterprise application.

I'm curious if there is a way to intercept these logs midstream and direct them to Nagios Log Server as well as the SQL database? I guess no one thought to check whether Log Server was collecting that information or not and now there is a need for it.

Do you have any experience collecting logs from enterprise FTP applications?

Thank you.

Re: Intercept logs from FTP app sent to SQL database?

Posted: Fri Dec 06, 2019 1:37 pm
by cdienger
Setting up a man in the middle is a bit beyond our scope :) but you could always use the shipper.py script or nxlog to send the log over if it's a simple text file, or you could use the jdbc input to query a SQL database:

https://www.elastic.co/guide/en/logstas ... -jdbc.html

Re: Intercept logs from FTP app sent to SQL database?

Posted: Fri Dec 06, 2019 2:49 pm
by rferebee
use the shipper.py script or nxlog to send the log over if it's a simple text file
I would like to use nxlog since we're already deploying the client, but I don't know how to modify the config file to make it look for logs somewhere besides where the Windows logs are stored.

Re: Intercept logs from FTP app sent to SQL database?

Posted: Fri Dec 06, 2019 4:06 pm
by cdienger
A new input, route, and output similar to the IIS input, route, and output in the configuration attached to https://support.nagios.com/forum/viewto ... 38&t=52799 should do the trick or at least get you on the way:

<Extension w3c>
    Module          xm_csv
    # The field list must match the "#Fields:" header EFT Server writes; adjust it to your log format
    Fields          $date, $time, $sitename, $computername, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs-version, $cs(User-Agent), $cs-cookie, $cs-Referer, $cs-host, $sc-status, $sc-substatus, $sc-win32-status, $sc-bytes, $cs-bytes, $time-taken
    FieldTypes      string, string, string, string, string, string, string, string, integer, string, string, string, string, string, string, string, integer, integer, integer, integer, integer, integer
    Delimiter       ' '
    QuoteChar       '"'
    EscapeControl   FALSE
    UndefValue      -
</Extension>

<Input ftplogs>
    Module          im_file
    # Single quotes keep backslashes literal in the Windows path; the wildcard picks up every log file
    File            'C:\location of ftp logs\*.log'
    SavePos         TRUE
    Recursive       TRUE
    # Drop the W3C directive lines (#Software, #Fields, ...) and parse everything else into fields
    Exec            if $raw_event =~ /^#/ drop();                         \
                    else                                                  \
                    {                                                     \
                        w3c->parse_csv();                                 \
                        $EventTime = parsedate($date + " " + $time);      \
                        $SourceName = "FTP";                              \
                        $Message = to_json();                             \
                    }
</Input>

<Output ftpout>
    Module          om_tcp
    # Hostname or IP of the Log Server; make sure to set up a new JSON input on the NLS side listening on this port
    Host            XXXXXXX
    Port            3334
    # Rename Message to message for NLS, then serialize all fields so the line sent on the wire is JSON
    Exec            $tmpmessage = $Message; delete($Message); rename_field("tmpmessage", "message"); to_json();

    # Uncomment for debug output
    #Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

<Route 2>
    # The path must reference the input and output by the names declared above
    Path            ftplogs => ftpout
</Route>
The input on the NLS side would look something like:

tcp {
    type => 'ftp_json'
    tags => 'ftp_json'
    port => 3334
    codec => json
}
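As an added example (not code from this thread, from NXLog or from Nagios), the same W3C-to-JSON transformation the nxlog input above performs, written in Python in the spirit of the shipper.py approach mentioned earlier. It goes a step beyond the fixed field list in the config: it takes the column names from the log's own `#Fields:` directive, so it adapts to whatever columns EFT Server actually writes, and it includes a small failed-login tally of the kind you would want once these events reach the Log Server. The sample log lines, their field set, the `INTEGER_FIELDS` set and the NLS hostname are constructed assumptions; port 3334 is the one from the config above.

```python
"""Parse W3C extended log lines and emit newline-delimited JSON for a Logstash tcp/json input."""
import csv
import json
import socket
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Constructed sample log; a real EFT Server log carries its own "#Fields:" header and column set.
SAMPLE_LOG = (
    "#Software: Example FTP Server\n"
    "#Version: 1.0\n"
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-bytes\n"
    "2019-12-05 17:49:01 203.0.113.10 alice 192.0.2.5 21 USER alice 331 0\n"
    "2019-12-05 17:49:02 203.0.113.10 alice 192.0.2.5 21 PASS - 230 0\n"
    "2019-12-05 17:49:07 198.51.100.7 bob 192.0.2.6 21 PASS - 530 0\n"
    '2019-12-05 17:49:09 198.51.100.7 bob 192.0.2.6 21 RETR "/in box/report.csv" 550 0\n'
)

# Columns converted to integers, mirroring the FieldTypes line of the xm_csv extension (assumed set).
INTEGER_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
                  "sc-bytes", "cs-bytes", "time-taken"}


class W3CParser:
    """Incremental parser: directive lines update state, data lines become dicts."""

    def __init__(self) -> None:
        self.fields: List[str] = []

    def parse_line(self, line: str) -> Optional[Dict[str, object]]:
        line = line.rstrip("\r\n")
        if not line:
            return None
        if line.startswith("#"):
            # Same as `if $raw_event =~ /^#/ drop();`, except the Fields directive is remembered.
            if line.startswith("#Fields:"):
                self.fields = line[len("#Fields:"):].split()
            return None
        if not self.fields:
            raise ValueError("data line seen before any #Fields: directive")
        # Space-delimited with double-quote quoting, the same as the xm_csv settings above.
        values = next(csv.reader([line], delimiter=" ", quotechar='"'))
        if len(values) != len(self.fields):
            raise ValueError(f"expected {len(self.fields)} columns, got {len(values)}: {line!r}")
        record: Dict[str, object] = {}
        for name, value in zip(self.fields, values):
            if value == "-":                       # W3C null marker (UndefValue)
                record[name] = None
            elif name in INTEGER_FIELDS:
                try:
                    record[name] = int(value)
                except ValueError:
                    record[name] = value           # keep malformed numbers as text rather than drop the event
            else:
                record[name] = value
        # Mirror parsedate($date + " " + $time): W3C timestamps are UTC.
        if record.get("date") and record.get("time"):
            try:
                ts = datetime.strptime(f"{record['date']} {record['time']}", "%Y-%m-%d %H:%M:%S")
                record["EventTime"] = ts.replace(tzinfo=timezone.utc).isoformat()
            except ValueError:
                pass
        record["SourceName"] = "FTP"
        return record


def parse_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run every line through one parser so the #Fields: header applies to the lines after it."""
    parser = W3CParser()
    return [rec for rec in (parser.parse_line(ln) for ln in lines) if rec is not None]


def to_ndjson(records: Iterable[Dict[str, object]]) -> str:
    """One JSON object per line, which is what a tcp input with a json codec expects."""
    return "".join(json.dumps(rec, sort_keys=True) + "\n" for rec in records)


def failed_logins_by_client(records: Iterable[Dict[str, object]]) -> Dict[str, int]:
    """Count PASS commands answered with 530 (login failed) per client address."""
    hits = Counter(str(r["c-ip"]) for r in records
                   if r.get("cs-method") == "PASS" and r.get("sc-status") == 530)
    return dict(hits)


def ship(records: Iterable[Dict[str, object]], host: str, port: int = 3334) -> int:
    """Send the records to the Log Server's JSON tcp input; returns the number of bytes sent."""
    payload = to_ndjson(records).encode("utf-8")
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG.splitlines())
    print(to_ndjson(recs))
    print("failed logins:", failed_logins_by_client(recs))
    # ship(recs, "nls.example.internal")  # hypothetical NLS host; port 3334 as in the config above
```

Run it against a real EFT log by replacing `SAMPLE_LOG.splitlines()` with the open file, and uncomment `ship()` once the JSON input on port 3334 exists; the Logstash side then sees the same field names the log's `#Fields:` header used, plus `EventTime` and `SourceName`.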

Re: Intercept logs from FTP app sent to SQL database?

Posted: Fri Dec 06, 2019 4:14 pm
by ssax