Real-Time Alert

Posted: Tue May 25, 2021 1:29 pm
by dh0125e
I'm going to preface the question by saying I know that these should be few and far between; however, I need to generate events for every instance of something found and include the instance.

I've tried creating a super simple one that just says message =~ /NOTIFICATION/; for testing I'm trying to trigger off of the Nagios XI log, and I'm not getting any hits. I have lots of messages flowing into the system where the message field contains NOTIFICATION, since I'm parsing the nagios.log on an XI server.

Any ideas why I'm not able to get real-time alerts to fire?

Re: Real-Time Alert

Posted: Wed May 26, 2021 10:28 am
by ssax
I think you need to do this:

    message in "NOTIFICATION"
Let us know if that works for you.

Re: Real-Time Alert

Posted: Wed May 26, 2021 10:37 am
by dh0125e
I now see the below, and I get hits in the query alert but not in the real-time alert.

[message] in "NOTIFICATION"

Re: Real-Time Alert

Posted: Wed May 26, 2021 11:39 am
by dh0125e
Should I be seeing these filters being written to "/usr/local/nagioslogserver/logstash/etc/conf.d" directory in one of the conf files? If so I'm not currently seeing that.

Re: Real-Time Alert

Posted: Wed May 26, 2021 3:02 pm
by dh0125e
I'm fairly confident I've nailed this down: the Apply Config, even though it passes the validation check, is NOT being written to Logstash and implemented. I added a new input type/port and it's not there either in the back-end config, nor do I see Logstash listening.

Where can I find more information on exactly what the Apply is doing for Logstash configurations from the Log Server UI?

Re: Real-Time Alert

Posted: Thu May 27, 2021 10:24 am
by gsmith
Hi

The Apply Config updates:

/usr/local/nagioslogserver/logstash/etc/conf.d:
000_inputs.conf
500_filters.conf
501_live_filters.conf
998_live_outputs.conf
999_outputs.conf

Sounds like you suspect a bug - we haven't heard anything about this.

Let us know how it works out please.

Thanks

Re: Real-Time Alert

Posted: Thu May 27, 2021 10:32 am
by dh0125e
It's definitely not making changes to those files. No input or real-time alert definitions are being pushed, even when the configuration passes validation.

I'm doing a fresh install right now to ensure there was nothing funky during the install that's causing the issue.

Re: Real-Time Alert

Posted: Thu May 27, 2021 10:37 am
by gsmith
Hi

Ok, sounds good. Could be a permissions issue.

Here's what I have:
-rw-rw-r--. 1 apache apache 594 May 27 09:05 000_inputs.conf
-rw-rw-r--. 1 apache apache 1921 May 27 09:05 500_filters.conf
-rw-rw-r--. 1 apache apache 861 May 27 09:05 501_live_filters.conf
-rw-rw-r--. 1 apache apache 242 May 27 09:05 998_live_outputs.conf
-rw-rw-r--. 1 apache apache 392 May 27 09:05 999_outputs.conf


Good luck, and let us know what you find please.

Thanks
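As an added example (not part of this thread, and not Nagios Log Server code), here is a POSIX shell check for the symptom dh0125e describes: after an Apply Configuration, verify that the five files gsmith lists actually exist in the conf.d directory, are owned and writable by the expected user (apache in gsmith's listing), were rewritten after the Apply, and that the live-filter file now contains the string the real-time alert matches on. The function names (check_confd, make_fixture), the "stamp file" approach for detecting a stale Apply and the fixture's filter text are assumptions of this example; the fixture is a constructed throwaway directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from Nagios Log Server: after an
# "Apply Configuration", confirm the Logstash files gsmith listed were really
# rewritten and are usable by the web user. Function names are hypothetical.
#
# Real use (path and owner as given in the thread):
#   touch /tmp/before_apply        # then click Apply in the Log Server UI
#   check_confd /usr/local/nagioslogserver/logstash/etc/conf.d \
#               /tmp/before_apply apache NOTIFICATION

CONF_FILES="000_inputs.conf 500_filters.conf 501_live_filters.conf 998_live_outputs.conf 999_outputs.conf"

# check_confd DIR STAMP OWNER PATTERN -> 0 if every check passes, 1 otherwise.
#   DIR     conf.d directory that Apply Config rewrites
#   STAMP   a file whose mtime predates the Apply; every config must be newer
#   OWNER   expected owner of the files (apache in gsmith's listing)
#   PATTERN string the real-time alert should have put in 501_live_filters.conf
check_confd() {
    dir=$1 stamp=$2 owner=$3 pattern=$4 rc=0
    for name in $CONF_FILES; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING   $f"; rc=1; continue
        fi
        # ls -ld prints: <perms> <links> <owner> <group> ...; parse via $1..$n
        set -- $(ls -ld "$f")
        perms=$1 fowner=$3
        case $perms in
            -rw*) ;;   # owner-writable: the UI rewrites these as the web user
            *) echo "READONLY  $f ($perms)"; rc=1 ;;
        esac
        if [ "$fowner" != "$owner" ]; then
            echo "OWNER     $f owned by $fowner, expected $owner"; rc=1
        fi
        if [ ! "$f" -nt "$stamp" ]; then
            echo "STALE     $f not rewritten since $stamp"; rc=1
        fi
    done
    if ! grep -q -- "$pattern" "$dir/501_live_filters.conf" 2>/dev/null; then
        echo "NOFILTER  '$pattern' not present in 501_live_filters.conf"; rc=1
    fi
    return $rc
}

# Constructed fixture: a throwaway conf.d that resembles a successful Apply.
# The filter text is a stand-in, not the exact text Nagios generates.
make_fixture() {
    tmp=$(mktemp -d)
    touch -t 202105270900 "$tmp/before_apply"   # mtime from before the "Apply"
    for name in $CONF_FILES; do : > "$tmp/$name"; done
    cat > "$tmp/501_live_filters.conf" <<'EOF'
filter {
  if "NOTIFICATION" in [message] {
    mutate { add_tag => [ "rt_alert_example" ] }
  }
}
EOF
    echo "$tmp"
}

# Stand-alone demo: a healthy fixture passes, then a deleted file is caught.
demo_dir=$(make_fixture)
if check_confd "$demo_dir" "$demo_dir/before_apply" "$(id -un)" NOTIFICATION; then
    echo "OK: all config files rewritten, owned and writable as expected"
fi
rm "$demo_dir/998_live_outputs.conf"
check_confd "$demo_dir" "$demo_dir/before_apply" "$(id -un)" NOTIFICATION \
    || echo "as expected, the broken apply is reported above"
rm -rf "$demo_dir"
```

On a real server the interesting failures are OWNER and READONLY (the web user cannot rewrite files created by root or another account) and STALE (Apply reported success but nothing on disk changed, which is what dh0125e saw before the reinstall); NOFILTER tells you whether the real-time alert definition made it into 501_live_filters.conf at all, independent of whether its match syntax is right.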

Re: Real-Time Alert

Posted: Thu May 27, 2021 12:38 pm
by dh0125e
The install was bad ... I'm now seeing configs change when applying. I'm going to get back to getting my real-time alerts to work and follow up if my syntax doesn't work.

Re: Real-Time Alert

Posted: Thu May 27, 2021 2:23 pm
by gsmith
Sounds good - I'll leave this open for you.

Thanks