Send alerts based on audit log
Posted: Wed Jan 20, 2021 5:16 am
by lallmann
Hi!
I need to create alerts based on the Log Server Audit log. For example, I need to send email alerts to our CISO, when a new Nagios Logserver user is created, modified and deleted.
Can anyone point me in the right direction?
Re: Send alerts based on audit log
Posted: Wed Jan 20, 2021 4:20 pm
by cdienger
The first steps are to create an input to import the auditlog file and then parse it into meaningful fields. I used the following input:
    file {
        type => "nlsauditlog"
        path => "/usr/local/nagioslogserver/var/auditlog.log"
    }
and filter:
    if [type] == 'nlsauditlog' {
        grok {
            match => {
                "message" => [
                    "%{TIMESTAMP_ISO8601:date} created=%{INT:created} created_by=%{WORD:created_by} type=%{WORD:audit_log_type} message=%{DATA:message} source=%{DATA:source} ip_address=%{IP:ip_address}",
                    "%{TIMESTAMP_ISO8601:date} created=%{INT:created} created_by=%{WORD:created_by} type=%{WORD:audit_log_type} message=%{DATA:message} node=%{UUID:node} source=%{GREEDYDATA:source}"
                ]
            }
            overwrite => [ 'message' ]
        }
    }
Once that is done, you can use the dashboards to create a query to use in the alert:
https://assets.nagios.com/downloads/nag ... Server.pdf
https://assets.nagios.com/downloads/nag ... Server.pdf
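As an added example (not code from the thread, from Nagios, or from Logstash), the two grok patterns in the reply above translated into Python regexes and run over a constructed audit log sample, together with a hypothetical rule that picks out user create/modify/delete events for the CISO notification. The field names match the grok filter; the `type=user` value, the "User <name> created|modified|deleted" message wording and the sample lines are assumptions, because the page does not show real audit log lines. Unparsed lines are counted separately, since a pattern that quietly stops matching is exactly how such an alert goes blind.

```python
import re

# Regex equivalents of the grok library patterns used in the filter above.
# Hand-written approximations (assumption: close enough for this log format).
TIMESTAMP_ISO8601 = r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:[.,]\d+)?)?(?:Z|[+-]\d{2}:?\d{2})?"
INT = r"[+-]?\d+"
WORD = r"\w+"
DATA = r".*?"          # grok DATA is non-greedy
GREEDYDATA = r".*"     # grok GREEDYDATA is greedy
IP = r"(?:\d{1,3}\.){3}\d{1,3}"
UUID = r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"

# Same order as in the grok filter: the first pattern that matches wins.
PATTERNS = [
    re.compile(
        rf"(?P<date>{TIMESTAMP_ISO8601}) created=(?P<created>{INT}) "
        rf"created_by=(?P<created_by>{WORD}) type=(?P<audit_log_type>{WORD}) "
        rf"message=(?P<message>{DATA}) source=(?P<source>{DATA}) "
        rf"ip_address=(?P<ip_address>{IP})"
    ),
    re.compile(
        rf"(?P<date>{TIMESTAMP_ISO8601}) created=(?P<created>{INT}) "
        rf"created_by=(?P<created_by>{WORD}) type=(?P<audit_log_type>{WORD}) "
        rf"message=(?P<message>{DATA}) node=(?P<node>{UUID}) "
        rf"source=(?P<source>{GREEDYDATA})"
    ),
]

# Constructed alert rule: the real type/message vocabulary of the audit log is
# not on the page, so this assumes user events carry type=user and a message
# of the form "User <name> created|modified|deleted".
USER_CHANGE = re.compile(r"^User (?P<user>\S+) (?P<action>created|modified|deleted)\b")


def parse_audit_line(line):
    """Return the parsed fields for one audit log line, or None if no pattern matches.
    As with overwrite => ['message'] in the grok filter, the parsed message field
    replaces the raw line; the raw line is kept under 'raw'."""
    for pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            event = m.groupdict()
            event["raw"] = line
            return event
    return None


def user_change(event):
    """Return (user, action) if the event is a user create/modify/delete, else None."""
    if event.get("audit_log_type") != "user":
        return None
    m = USER_CHANGE.match(event["message"])
    return (m.group("user"), m.group("action")) if m else None


def collect_alerts(log_text):
    """Parse every line; return (alerts, unparsed_count).
    Each alert carries the fields an email to the CISO would need."""
    alerts, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_audit_line(line)
        if event is None:
            unparsed += 1  # report this too: silent parse failures hide user changes
            continue
        change = user_change(event)
        if change:
            user, action = change
            alerts.append({
                "date": event["date"],
                "user": user,
                "action": action,
                "by": event["created_by"],
                "from": event.get("ip_address", "n/a"),  # node-variant lines have no IP
            })
    return alerts, unparsed


def format_alert(alert):
    """Body text for the notification email."""
    return (f"[{alert['date']}] Nagios Log Server user '{alert['user']}' {alert['action']} "
            f"by {alert['by']} from {alert['from']}")


# Constructed sample input (not real Nagios Log Server output).
SAMPLE_LOG = """\
2021-01-20T05:16:00 created=1611119760 created_by=nagiosadmin type=user message=User jdoe created source=web ip_address=192.0.2.10
2021-01-20T05:17:30 created=1611119850 created_by=nagiosadmin type=user message=User jdoe modified source=web ip_address=192.0.2.10
2021-01-20T05:18:00 created=1611119880 created_by=system type=backup message=Backup completed node=123e4567-e89b-12d3-a456-426614174000 source=cron
2021-01-20T05:19:00 created=1611119940 created_by=nagiosadmin type=user message=User jdoe deleted source=web ip_address=192.0.2.10
garbage line that matches neither pattern
"""

if __name__ == "__main__":
    found, bad = collect_alerts(SAMPLE_LOG)
    for a in found:
        print(format_alert(a))
    print(f"{bad} line(s) did not parse")
```

Running the block prints one line per user change (created, modified, deleted) and reports the one unparseable line. Before wiring a rule like this to email, confirm the actual `type` and `message` values against a few real lines of auditlog.log, because the alert condition only fires on the vocabulary it was written for.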