Windows events not showing up in log server
Posted: Thu Jun 04, 2020 6:24 am
by tim.kroeger
I'm starting to point all my devices to the log server. I have 11 devices pointed to it and Nagios is collecting logs from those hosts and everything is fine. I attempted to point 4 more Windows hosts to send logs to the log server yesterday, but Nagios isn't showing logs from those hosts. When I run tcpdump on the log server, I can see the logs coming in on port 3515 and I can see the log server acknowledging the traffic, but I don't see the logs when I query the server. Is there some kind of error log in Nagios that might tell me why they aren't being accepted? Thanks!
Re: Windows events not showing up in log server
Posted: Thu Jun 04, 2020 4:47 pm
by cdienger
Edit /etc/init.d/logstash and change line 64 from:
DAEMON_OPTS="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS}"
to:
DAEMON_OPTS="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS} --debug"
and restart the service with:
systemctl daemon-reload
service logstash restart
Let this run just long enough to allow NLS to process some events from this host before reverting the config back. Debug logging will be saved to /var/log/logstash.log.
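The edit-and-revert step from the reply above, as an added example that is not part of the original post and not Nagios code: it appends `--debug` to the `DAEMON_OPTS` line, keeps a backup, and restores the file afterwards so debug logging is not left on. The function names and the `.nodebug.bak` suffix are hypothetical, and it assumes the `DAEMON_OPTS` line is double-quoted as quoted in the post.

```shell
#!/bin/sh
# Added example: toggle --debug on the DAEMON_OPTS line of a Logstash init script.
# Assumption: the line looks like the one quoted in the post (double-quoted value).

# Exit 0 if the DAEMON_OPTS line already carries --debug, 1 otherwise.
debug_enabled() {
    grep -q '^[[:space:]]*DAEMON_OPTS=.*--debug' "$1"
}

# Append --debug to DAEMON_OPTS, keeping a backup of the untouched script.
enable_debug() {
    init=$1
    grep -q '^[[:space:]]*DAEMON_OPTS=' "$init" || {
        echo "no DAEMON_OPTS line in $init" >&2; return 1; }
    # Already on: do nothing, so a second run cannot overwrite the clean backup.
    if debug_enabled "$init"; then return 0; fi
    cp -p "$init" "$init.nodebug.bak"
    # Insert --debug before the closing quote; redirecting into the existing
    # file keeps its mode and owner.
    sed 's/^\([[:space:]]*DAEMON_OPTS=".*\)"[[:space:]]*$/\1 --debug"/' \
        "$init.nodebug.bak" > "$init"
    # If the line did not have the expected shape, put the original back.
    debug_enabled "$init" || { mv "$init.nodebug.bak" "$init"; return 1; }
}

# Revert to the script as it was before enable_debug ran.
disable_debug() {
    init=$1
    [ -f "$init.nodebug.bak" ] || { echo "no backup for $init" >&2; return 1; }
    mv "$init.nodebug.bak" "$init"
}

# Usage: script on|off [init-script]; with no arguments nothing is changed.
case "${1:-}" in
    on)  enable_debug  "${2:-/etc/init.d/logstash}" ;;
    off) disable_debug "${2:-/etc/init.d/logstash}" ;;
esac
```

After either `on` or `off`, run the `systemctl daemon-reload` and `service logstash restart` commands from the post so the change takes effect.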
Re: Windows events not showing up in log server
Posted: Tue Jun 09, 2020 7:09 am
by tim.kroeger
Thanks for your help! The debug worked great. It helped me find the problem.
Re: Windows events not showing up in log server
Posted: Tue Jun 09, 2020 7:19 am
by scottwilkerson
tim.kroeger wrote: Thanks for your help! The debug worked great. It helped me find the problem.
Great!
Locking thread