showing remote logs in dashboard

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.

Post by exp-user1 »

Hello,

How could I show the monitored log in one of the dashboard fields?
I am monitoring .bash_history, and showing the path that shows the username would be very helpful.

Thanks,
Gader

Post by pbroste »

Hello @exp-user1

Thanks for reaching out. I want to check into this a bit more to see if this is possible.

I'd like to see an example of the bash_history output that you are interested in parsing so we can run through it to see if it can be done.

Thanks,
Perry

Post by expertus »

Hi pbroste,

I added the files "/home/*/.bash_history" (* represents many user_names) to be monitored by Nagios LS. However, I only see the command history in the message field, and I can't tell which user those commands belong to.

Thanks,
Last edited by expertus on Tue Dec 07, 2021 11:42 am, edited 1 time in total.

Post by pbroste »

Hello @expertus

Thanks for following up with the details. It looks like you are pulling history over and filtering for the user. I mentioned your case to our team during our stand-up this morning and the following questions came up. Are you pulling an individual rsyslog.d file or multiple? Can you also post the definition so we can see what has currently been defined while we look for what can be done?

Thanks,
Perry

Post by expertus »

Hello,

I used Linux files to add multiple .bash_history files as log sources.

```
ls -l /etc/rsyslog.d/
total 60
-rw-r----- 1 root root 722 Nov 16 11:57 89-nagioslogserver_home_user1_.bash_history.conf
-rw-r----- 1 root root 709 Nov 16 11:57 90-nagioslogserver_home_user2_.bash_history.conf
-rw-r----- 1 root root 713 Nov 16 11:57 90-nagioslogserver_home_user3_.bash_history.conf
```

Thanks.
Last edited by expertus on Tue Dec 07, 2021 11:43 am, edited 1 time in total.

Post by pbroste »

Hello @expertus

I took some time today and spun up a log server VM test instance. I have a couple of questions and examples on what I did to my setup so we can collaborate further on the configuration.

On my test instance, I put the following in the '.bashrc': the first to make sure that it appends, and the second for real-time logging. Not sure if they are needed, but I added them in case.

```
shopt -s histappend
PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
```

I also added the following to log to my '/var/log/messages', since that is where 'local1.notice' is logging. There are options to create localx.notice in rsyslog into a separate log.

```
trap 'logger -p local1.notice -t bash -i -- "${USER}":"$BASH_COMMAND"' DEBUG
```

Here is an example of what I currently see; in my example root was running all the commands.

[Attached image: root.png]

Let us know how your tinkering goes so we can dial things in on this,
Perry

Post by exp-user1 »

Thanks pbroste for your reply,

Where did you add the following? In /etc/rsyslog.conf?

```
trap 'logger -p local1.notice -t bash -i -- "${USER}":"$BASH_COMMAND"' DEBUG
```

Moreover, we already have the line below to send all logs "*.*" to Nagios Log Server:

```
*.* @@logcollector:5544
```

Why should we add local1.notice?

Regards,
Expertus.

Post by pbroste »

Hello @exp-user1

Thanks for following up. To further this, we did move logger to local7.* on my test environment; here we are setting up to log bash_history into its own '/var/log/bash.log'.

```
# /etc/rsyslog.d/bash.conf
local6.* /var/log/bash.log
```

Restarting rsyslog to update config:

```
service rsyslog restart
```

Starting this line in ~/.bash_profile for this example, or similar per your system environment:

```
trap 'logger -p local7.notice -t bash -i -- "${USER}":"$BASH_COMMAND"' DEBUG
```

Thanks,
Perry

Post by exp-user1 »

Hello pbroste,

I was able to see bash commands on Nagios Log Server after adding the following config:

```
cat /etc/rsyslog.d/bash-log.conf
local7.notice  @@Nagioslogserver-ip:5544
```

and added the following line in /etc/bashrc so that it applies to all users (using bash):

```
trap 'logger -p local7.notice -t bash -i -- "${USER}":"$BASH_COMMAND"' DEBUG
```

But I keep seeing:

```
PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"'
```

Check the attached file from the log server side. The command history is OK in green, but why is it also showing the printf line?
Thanks.

Post by pbroste »

Hello @exp-user1

I noticed that as well on my test VM and made the following changes and no longer receive the 'root printf...' logline. I also set up logging on root and testuser.

The .bash_profile:

```
shopt -s histappend
PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
trap 'logger -p local5.info -t bash -i -- "${USER}":"$BASH_COMMAND"' DEBUG
```

Logging to /var/log/bash.log contains this line:

```
local5.info /var/log/bash.log
```

The results:

[Attached image: 2021-11-22 16_36_25-Dashboard · Nagios Log Server — Mozilla Firefox.png]
Thanks,
Perry
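
The DEBUG-trap logging from this thread as an /etc/bashrc fragment, added here as an example and not code from the posters or from Nagios: it keeps the `user:command` message format, skips prompt housekeeping, and flattens control characters so a multi-line command cannot forge extra log lines. The function names and the list of skipped patterns are assumptions; `local5.info` is the facility from the last post.

```shell
# Added example for /etc/bashrc; not from the thread. Function names and the
# skip patterns are assumptions. local5.info is the facility used in the last post.

# Succeed (0) if the command text is worth forwarding, fail (1) if it is
# prompt housekeeping rather than something the user typed.
bash_audit_should_log() {
    case "$1" in
        '')                 return 1 ;;  # nothing to log
        'history -a'*)      return 1 ;;  # from PROMPT_COMMAND="history -a;..."
        'PROMPT_COMMAND='*) return 1 ;;  # prompt setup line reported in the thread
        'printf "\033]0;'*) return 1 ;;  # terminal-title update from PROMPT_COMMAND
    esac
    return 0
}

# Build the "user:command" message used in the thread. Control characters
# (including newlines) become spaces so one command is always one log line.
bash_audit_format() {
    printf '%s:%s' "$1" "$(printf '%s' "$2" | tr '\001-\037\177' ' ')"
}

# Called from the DEBUG trap with the text of the command about to run.
bash_audit_hook() {
    [ -n "${COMP_LINE:-}" ] && return 0      # ignore tab-completion helpers
    bash_audit_should_log "$1" || return 0
    logger -p local5.info -t bash -i -- "$(bash_audit_format "${USER:-unknown}" "$1")"
}

# Install the trap only in interactive bash sessions, so scripts and
# non-bash shells that source this file are unaffected.
case $- in
    *i*) [ -n "${BASH_VERSION:-}" ] && trap 'bash_audit_hook "$BASH_COMMAND"' DEBUG ;;
esac
```

A user can clear the trap or start a different shell, so this is convenience logging rather than a tamper-resistant record; kernel-level auditing such as auditd execve rules is the stronger source when that matters.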