Nagios Support Forum

Not able to find events in dashboard from RHEL syslog.

Unique Host Reports indicates several thousands of logs for those servers but nothing is visible in dashboard.

rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.emerg :omusrmsg:*
cron.* -/var/log/cron
mail.* -/var/log/maillog
local7.* -/var/log/boot.log
*.debug,auth.none,authpriv.none,cron.none,mail.none,local6.none -/var/log/messages
kern.* -/var/log/kern.log



##/etc/rsyslog.d/99-nagioslogserver.conf

$WorkDirectory /var/lib/rsyslog # Where spool files will live NAGIOSLOGSERVER
$ActionQueueFileName nlsFwdRule0 # Unique name prefix for spool files NAGIOSLOGSERVER
$ActionQueueHighWaterMark 8000 # NAGIOSLOGSERVER
$ActionQueueLowWaterMark 2000 # NAGIOSLOGSERVER
$ActionQueueMaxDiskSpace 1g # 1GB space limit (use as much as possible) NAGIOSLOGSERVER
$ActionQueueSaveOnShutdown on # Save messages to disk on shutdown NAGIOSLOGSERVER
$ActionQueueType LinkedList # Use asynchronous processing NAGIOSLOGSERVER
$ActionResumeRetryCount -1 # Infinite retries if host is down NAGIOSLOGSERVER
*.* @@10.34.1.41:5544 # NAGIOSLOGSERVER

Hello @arsaravanan

Thanks for reaching out and want to get a copy of the System Profile along with the Apache logs so we can further see what is going on.

Please provide a profile from the system. It can be gathered under Admin > System > System Status > Download System Profile or from the command line with:
This will create /tmp/system-profile.tar.gz.

Note that this file can be very large and may not be able to be uploaded through the ticketing system. You can split the file into smaller files with the split command on the NLS(or other Linux machine) command line:
The above command will split the system-profile.tar.gz into 45MB segments and save them to files with the naming convention system-profile-nn. Please send each split in an individual Private Message.

I'd also like to get a copy of the current settings index. This can be gathered by running:
The file it creates and that we'd like to see is /tmp/nagioslogserver.tar.gz.

Please [pm] the System Profile and '/tmp/nagioslogserver.tar.gz'.

Thanks,
Perry

uploading the required files again.

Hello @arsaravanan

Thanks for sending over the info, see some apache logs that are of interest but nothing that sticks out and want to dig into this a bit more. You stated that you are seeing log events coming over. Let's verify:

List the logstash:
Example results:

curl 'localhost:9200/_cat/indices?pretty'
green open logstash-2022.01.04 5 1 39858 0 22.9mb 11.5mb
green open nagioslogserver_history 1 1 7979 0 3.7mb 1.9mb
green open kibana-int 5 1 5 0 76.5kb 38.3kb
green open nagioslogserver 1 1 735 6 741.6kb 263.8kb
green open logstash-2021.12.28 5 1 192 0 193kb 100.5kb

Let's list out the latest log events captured:
Just in case you do not see the events logged verify that the rsyslog service is running:
And verify that rsyslog is sending data across on port 5544: We know that running the api backend will help verify that the apache web service is running:

• *With verbose output

Let us know what you find on the backend api, and also verify the date, time, and timezone are sync'ed across devices as well. Thanks,
Perry

Outputs from commands given,

(1)

[root@usmipaa51 ~]# curl 'localhost:9200/_cat/indices?pretty'
yellow open logstash-2021.12.31 5 1 773113 0 151.6mb 151.6mb
yellow open logstash-2021.12.27 5 1 434901 0 84.4mb 84.4mb
yellow open logstash-2021.12.19 5 1 427760 0 83.2mb 83.2mb
yellow open logstash-2022.01.04 5 1 783835 0 153.8mb 153.8mb
yellow open logstash-2022.01.03 5 1 773911 0 151.9mb 151.9mb
yellow open logstash-2021.12.24 5 1 447317 0 87.7mb 87.7mb
yellow open logstash-2022.01.08 5 1 784015 0 154mb 154mb
yellow open nagioslogserver 1 1 42627 3 8.3mb 8.3mb
yellow open logstash-2021.12.28 5 1 623421 0 120.7mb 120.7mb
yellow open logstash-2022.01.02 5 1 802851 0 157.5mb 157.5mb
yellow open logstash-2021.12.17 5 1 484806 0 94.7mb 94.7mb
yellow open logstash-2021.12.20 5 1 435156 0 84.7mb 84.7mb
yellow open logstash-2021.12.23 5 1 433096 0 84.8mb 84.8mb
yellow open logstash-2021.12.25 5 1 437180 0 85.2mb 85.2mb
yellow open logstash-2022.01.07 5 1 772540 0 151.1mb 151.1mb
yellow open logstash-2021.12.26 5 1 435024 0 85.4mb 85.4mb
yellow open logstash-2022.01.09 5 1 658940 0 145mb 145mb
yellow open nagioslogserver_history 1 1 9273 0 2mb 2mb
yellow open logstash-2021.12.11 5 1 414151 0 81.5mb 81.5mb
yellow open logstash-2021.12.14 5 1 437867 0 85mb 85mb
yellow open logstash-2021.12.12 5 1 406117 0 79.7mb 79.7mb
yellow open logstash-2021.12.18 5 1 440560 0 85.2mb 85.2mb
yellow open logstash-2021.12.30 5 1 763159 0 149.2mb 149.2mb
yellow open logstash-2021.12.29 5 1 753568 0 144.2mb 144.2mb
yellow open logstash-2021.12.21 5 1 436621 0 85.1mb 85.1mb
yellow open logstash-2021.12.16 5 1 532746 0 105.4mb 105.4mb
yellow open logstash-2022.01.05 5 1 778496 0 153.1mb 153.1mb
yellow open logstash-2022.01.01 5 1 789740 0 155.1mb 155.1mb
yellow open logstash-2021.12.22 5 1 452979 0 88.5mb 88.5mb
yellow open logstash-2022.01.06 5 1 780337 0 153.1mb 153.1mb
yellow open logstash-2021.12.13 5 1 413750 0 81mb 81mb
yellow open nagioslogserver_log 5 1 1943978 0 171.1mb 171.1mb
yellow open kibana-int 5 1 13 1 132.3kb 132.3kb
yellow open logstash-2021.12.15 5 1 442956 0 87.2mb 87.2mb



(2)

[root@usmipaa51 ~]# date
Sun Jan 9 07:41:54 EST 2022
[root@usmipaa51 ~]# ls -l /etc/localtime
lrwxrwxrwx 1 root root 30 Oct 22 2020 /etc/localtime -> /usr/share/zoneinfo/US/Eastern
[root@usmipaa51 ~]# php -r 'echo date("D M j G:i:s T Y")."\n";'
Sun Jan 9 7:41:54 EST 2022
[root@usmipaa51 ~]# grep "date.timezone =" /etc/php.ini
date.timezone = US/Eastern
[root@usmipaa51 ~]# grep date.timezone /etc/php.ini
; http://php.net/date.timezone
date.timezone = US/Eastern
[root@usmipaa51 ~]#



(3)
[root@usmipaa51 ~]# curl -XGET -k 'https://localhost/nagioslogserver/index ... 6e96a6bbc6'
{
"took": 11,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 662543,
"max_score": 1,
"hits": [
{
"_index": "logstash-2022.01.09",
"_type": "syslog",
"_id": "AX452_Vd1SC5Z841kwAi",
"_score": 1,
"_source": {
"message": "Created slice User Slice of root.\n",
"@version": "1",
"@timestamp": "2022-01-09T00: 00: 01.000Z",
"type": "syslog",
"host": "usmipia26.delphidrive.com",
"priority": 30,
"timestamp": "Jan 8 19: 00: 01",
"logsource": "usmipia26",
"program": "systemd",
"severity": 6,
"facility": 3,
"facility_label": "system",
"severity_label": "Informational",
"tags": [
"dns"
]
}
},
{
"_index": "logstash-2022.01.09",
"_type": "syslog",
"_id": "AX452_Vd1SC5Z841kwAn",
"_score": 1,
"_source": {
"message": "Started Session 3057113 of user nagios.\n",
"@version": "1",
"@timestamp": "2022-01-09T00: 00: 01.000Z",
"type": "syslog",
"host": "usmipia26.delphidrive.com",
"priority": 30,
"timestamp": "Jan 8 19: 00: 01",
"logsource": "usmipia26",
"program": "systemd",
"severity": 6,
"facility": 3,
"facility_label": "system",
"severity_label": "Informational",
"tags": [
"dns"
]
}
},
{
"_index": "logstash-2022.01.09",
"_type": "syslog",
"_id": "AX452_Vd1SC5Z841kwAs",
"_score": 1,
"_source": {
"message": "Started Session 3057117 of user nagios.\n",
"@version": "1",
"@timestamp": "2022-01-09T00: 00: 01.000Z",
"type": "syslog",
"host": "usmipia26.delphidrive.com",
"priority": 30,
"timestamp": "Jan 8 19: 00: 01",
"logsource": "usmipia26",
"program": "systemd",
"severity": 6,
"facility": 3,
"facility_label": "system",
"severity_label": "Informational",
"tags": [
"dns"
]
}
},
{
"_index": "logstash-2022.01.09",
"_type": "syslog",
"_id": "AX452_Vd1SC5Z841kwAx",
"_score": 1,
"_source": {
"message": "Started Session 3057121 of user debug.\n",
"@version": "1",
"@timestamp": "2022-01-09T00: 00: 01.000Z",
"type": "syslog",
"host": "usmipia26.delphidrive.com",
"priority": 30,
"timestamp": "Jan 8 19: 00: 01",
"logsource": "usmipia26",
"program": "systemd",
"severity": 6,
"facility": 3,
"facility_label": "system",
"severity_label": "Informational",
"tags": [
"dns"
]
}
},
{
"_index": "logstash-2022.01.09",
"_type": "syslog",
"_id": "AX452_Vd1SC5Z841kwA2",
"_score": 1,
"_source": {
"message": "(nagios) CMD (\/usr\/bin\/php -q \/usr\/local\/nagiosxi\/cron\/cleaner.php >> \/usr\/local\/nagiosxi\/var\/cleaner.log 2>&1)\n",
"@version": "1",
"@timestamp": "2022-01-09T00: 00: 01.000Z",
"type": "syslog",
"host": "usmipia26.delphidrive.com",
"priority": 78,
"timestamp": "Jan 8 19: 00: 01",
"logsource": "usmipia26",
"program": "CROND",
"pid": "91210",
"severity": 6,
"facility": 9,
"facility_label": "clock",
"severity_label": "Informational",
"tags": [
"dns"
]
}
},
{
"_index": "logstash-2022.01.09",
"_type": "syslog",
"_id": "AX452_Vd1SC5Z841kwA7",
"_score": 1,
"_source": {
"message": "(debug) CMD ([
! -e \/omd\/sites\/debug\/etc\/check_mk\/conf.d\/microcore.mk -a -d \/omd\/sites\/debug\/var\/check_mk\/notify\/bulk
] && cmk --notify send-bulks)\n",
"@version": "1",
"@timestamp": "2022-01-09T00: 00: 01.000Z",
"type": "syslog",
"host": "usmipia26.delphidrive.com",
"priority": 78,
"timestamp": "Jan 8 19: 00: 01",
"logsource": "usmipia26",
"program": "CROND",
"pid": "91213",
"severity": 6,
"facility": 9,
"facility_label": "clock",
"severity_label": "Informational",
"tags": [
"dns"
]
}
},
{
"_index": "logstash-2022.01.09",
"_type": "syslog",
"_id": "AX452_Vd1SC5Z841kwA-",
"_score": 1,
"_source": {
"message": "(nagios) CMD (\/usr\/bin\/php -q \/usr\/local\/nagiosxi\/cron\/eventman.php >> \/usr\/local\/nagiosxi\/var\/eventman.log 2>&1)\n",
"@version": "1",
"@timestamp": "2022-01-09T00: 00: 01.000Z",
"type": "syslog",
"host": "usmipia26.delphidrive.com",
"priority": 78,
"timestamp": "Jan 8 19: 00: 01",
"logsource": "usmipia26",
"program": "CROND",
"pid": "91218",
"severity": 6,
"facility": 9,
"facility_label": "clock",
"severity_label": "Informational",
"tags": [
"dns"
]
}
},
{
"_index": "logstash-2022.01.09",
"_type": "syslog",
"_id": "AX452_Vd1SC5Z841kwA_",
"_score": 1,
"_source": {
"message": "(nagios) CMD (\/usr\/bin\/php -q \/usr\/local\/nagiosxi\/cron\/cmdsubsys.php >> \/usr\/local\/nagiosxi\/var\/cmdsubsys.log 2>&1)\n",
"@version": "1",
"@timestamp": "2022-01-09T00: 00: 01.000Z",
"type": "syslog",
"host": "usmipia26.delphidrive.com",
"priority": 78,
"timestamp": "Jan 8 19: 00: 01",
"logsource": "usmipia26",
"program": "CROND",
"pid": "91223",
"severity": 6,
"facility": 9,
"facility_label": "clock",
"severity_label": "Informational",
"tags": [
"dns"
]
}
},
{
"_index": "logstash-2022.01.09",
"_type": "syslog",
"_id": "AX452_Vd1SC5Z841kwBH",
"_score": 1,
"_source": {
"message": "pam_unix(sudo: session): session closed for user root\n",
"@version": "1",
"@timestamp": "2022-01-09T00: 00: 02.000Z",
"type": "syslog",
"host": "usmipia26.delphidrive.com",
"priority": 86,
"timestamp": "Jan 8 19: 00: 02",
"logsource": "usmipia26",
"program": "sudo",
"severity": 6,
"facility": 10,
"facility_label": "security\/authorization",
"severity_label": "Informational",
"tags": [
"dns"
]
}
},
{
"_index": "logstash-2022.01.09",
"_type": "syslog",
"_id": "AX452_r81SC5Z841kwBP",
"_score": 1,
"_source": {
"message": "Removed slice User Slice of root.\n",
"@version": "1",
"@timestamp": "2022-01-09T00: 00: 03.000Z",
"type": "syslog",
"host": "usmipia26.delphidrive.com",
"priority": 30,
"timestamp": "Jan 8 19: 00: 03",
"logsource": "usmipia26",
"program": "systemd",
"severity": 6,
"facility": 3,
"facility_label": "system",
"severity_label": "Informational",
"tags": [
"dns"
]
}
}
]
}
}


(4)



[root@usmipaa51 ~]# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-12-28 09:17:56 EST; 1 weeks 4 days ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 1098 (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─1098 /usr/sbin/rsyslogd -n

Jan 06 03:05:01 usmipaa51 rsyslogd[1098]: imjournal: journal reloaded... [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/0 ]
Jan 06 19:53:01 usmipaa51 rsyslogd[1098]: imjournal: journal reloaded... [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/0 ]
Jan 06 19:53:01 usmipaa51 rsyslogd[1098]: imjournal: journal reloaded... [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/0 ]
Jan 07 12:39:01 usmipaa51 rsyslogd[1098]: imjournal: journal reloaded... [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/0 ]
Jan 07 12:39:01 usmipaa51 rsyslogd[1098]: imjournal: journal reloaded... [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/0 ]
Jan 08 05:27:32 usmipaa51 rsyslogd[1098]: imjournal: journal reloaded... [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/0 ]
Jan 08 05:27:32 usmipaa51 rsyslogd[1098]: imjournal: journal reloaded... [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/0 ]
Jan 08 22:14:32 usmipaa51 rsyslogd[1098]: imjournal: journal reloaded... [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/0 ]
Jan 08 22:14:32 usmipaa51 rsyslogd[1098]: imjournal: journal reloaded... [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/0 ]
Jan 09 03:27:03 usmipaa51 rsyslogd[1098]: [origin software="rsyslogd" swVersion="8.24.0-57.el7_9.1" x-pid="1098" x-info="http://www.rsyslog.com...was HUPed
Hint: Some lines were ellipsized, use -l to show in full.
[root@usmipaa51 ~]#




(5)

Reports indicating log count but can't view in dashboard or not readable for.



IP Address (Hostname) Log Count
nlskpaa37.delphidrive.com 86,366
nlskpaa38.delphidrive.com 75,911
nlskpia09.delphidrive.com 43,708
nlskpaa40.delphidrive.com 43,198
nlskpaa39.delphidrive.com 43,114
nlskpia10.delphidrive.com 32,562
mxchjrzp-bu04.delphidrive.com 3,440
mxchjrzp-str01.delphidrive.com 3,440

Hello @arsaravanan

Thanks for following up, according to the "Log Count" that you provided and we see from the other api results look norm.

Want to dig further into this and find out why this data is not showing up on the web console.

Please provide a screenshot of the query host report with the development tools on the Network Tab: (see example) Then grab the apache logs so we can compare:
Send over the '/tmp/apachelogs.tar.gz' when you get a chance.

Thanks
Perry

I'm seeing a lot of these:

{:timestamp=>"2021-12-29T10:06:20.347000-0500", :message=>"Failed parsing date from field", :field=>"timestamp", :value=>"Dec 29 20:36:19", :exception=>"Invalid format: \"Dec 29 20:36:19\"", :config_parsers=>"yyyy-MM-dd HH:mm:ss", :config_locale=>"default=en_US", :level=>:warn}

I'm wondering if the date format on the logs isn't proper.

You can edit this file:
Then change this:
To this:
Then run these commands:
Then wait for some logs to come in for the RHEL rsyslog and then PM me your /var/log/logstash/logstash.log file.

Then undo the debugging and run these commands again:
Thank you!

[root@usmipaa51 ~]# tail -100 /var/log/logstash/logstash.log
{:timestamp=>"2022-01-17T22:37:30.682000-0500", :message=>"filter received", :event=>{"message"=>"Received disconnect from 10.34.1.42 port 40178:11: disconnected by user\n", "@version"=>"1", "@timestamp"=>"2022-01-18T09:37:30.000Z", "type"=>"syslog", "host"=>"10.34.136.240", "priority"=>86, "timestamp"=>"Jan 18 04:37:30", "logsource"=>"nlskpia09", "program"=>"sshd", "pid"=>"16570", "severity"=>6, "facility"=>10, "facility_label"=>"security/authorization", "severity_label"=>"Informational"}, :level=>:debug, :file=>"(eval)", :line=>"83", :method=>"filter_func"}
{:timestamp=>"2022-01-17T22:37:30.683000-0500", :message=>"filter received", :event=>{"message"=>"Disconnected from 10.34.1.42 port 40178\n", "@version"=>"1", "@timestamp"=>"2022-01-18T09:37:30.000Z", "type"=>"syslog", "host"=>"10.34.136.240", "priority"=>86, "timestamp"=>"Jan 18 04:37:30", "logsource"=>"nlskpia09", "program"=>"sshd", "pid"=>"16570", "severity"=>6, "facility"=>10, "facility_label"=>"security/authorization", "severity_label"=>"Informational"}, :level=>:debug, :file=>"(eval)", :line=>"83", .:method=>"filter_func"}
{:timestamp=>"2022-01-17T22:37:30.683000-0500", :message=>"filter received", :event=>{"message"=>"pam_unix(sshd:session): session closed for user sid_nagios_wintel\n", "@version"=>"1", "@timestamp"=>"2022-01-18T09:37:30.000Z", "type"=>"syslog", "host"=>"10.34.136.240", "priority"=>86, "timestamp"=>"Jan 18 04:37:30", "logsource"=>"nlskpia09", "program"=>"sshd", "pid"=>"16463", "severity"=>6, "facility"=>10, "facility_label"=>"security/authorization", "severity_label"=>"Informational"}, :level=>:debug, :file=>"(eval)", :line=>"83", :method=>"filter_func"}
{:timestamp=>"2022-01-17T22:37:30.684000-0500", :message=>"filter received", :event=>{"message"=>"Removed session 14518.\n", "@version"=>"1", "@timestamp"=>"2022-01-18T09:37:30.000Z", "type"=>"syslog", "host"=>"10.34.136.240", "priority"=>38, "timestamp"=>"Jan 18 04:37:30", "logsource"=>"nlskpia09", "program"=>"systemd-logind", "severity"=>6, "facility"=>4, "facility_label"=>"security/authorization", "severity_label"=>"Informational"}, :level=>:debug, :file=>"(eval)", :line=>"83", :method=>"filter_func"}
{:timestamp=>"2022-01-17T22:37:30.684000-0500", :message=>"filter received", :event=>{"message"=>"Removed slice User Slice of sid_nagios_wintel.\n", "@version"=>"1", "@timestamp"=>"2022-01-18T09:37:30.000Z", "type"=>"syslog", "host"=>"10.34.136.240", "priority"=>30, "timestamp"=>"Jan 18 04:37:30", "logsource"=>"nlskpia09", "program"=>"systemd", "severity"=>6, "facility"=>3, "facility_label"=>"system", "severity_label"=>"Informational"}, :level=>:debug, :file=>"(eval)", :line=>"83", :method=>"filter_func"}
{:timestamp=>"2022-01-17T22:37:30.685000-0500", :message=>"filter received", :event=>{"message"=>"job 17851 (pid=110614): read() returned error 11\n", "@version"=>"1", "@timestamp"=>"2022-01-18T14:07:30.000Z", "type"=>"syslog", "host"=>"10.34.1.42", "priority"=>13, "timestamp"=>"Jan 18 09:07:30", "logsource"=>"usmipaa52", "program"=>"nagios", "severity"=>5, "facility"=>1, "facility_label"=>"user-level", "severity_label"=>"Notice"}, :level=>:debug, :file=>"(eval)", :line=>"83", :method=>"filter_func"}
{:timestamp=>"2022-01-17T22:37:30.685000-0500", :message=>"output received", :event=>{"message"=>"job 17851 (pid=110614): read() returned error 11\n", "@version"=>"1", "@timestamp"=>"2022-01-18T14:07:30.000Z", "type"=>"syslog", "host"=>"10.34.1.42", "priority"=>13, "timestamp"=>"Jan 18 09:07:30", "logsource"=>"usmipaa52", "program"=>"nagios", "severity"=>5, "facility"=>1, "facility_label"=>"user-level", "severity_label"=>"Notice"}, :level=>:debug, :file=>"(eval)", :line=>"91", :method=>"output_func"}
{:timestamp=>"2022-01-17T22:37:30.685000-0500", :message=>"output received", :event=>{"message"=>"Received disconnect from 10.34.1.42 port 40178:11: disconnected by user\n", "@version"=>"1", "@timestamp"=>"2022-01-18T09:37:30.000Z", "type"=>"syslog", "host"=>"10.34.136.240", "priority"=>86, "timestamp"=>"Jan 18 04:37:30", "logsource"=>"nlskpia09", "program"=>"sshd", "pid"=>"16570", "severity"=>6, "facility"=>10, "facility_label"=>"security/authorization", "severity_label"=>"Informational"}, :level=>:debug, :file=>"(eval)", :line=>"91", :method=>"output_func"}
{:timestamp=>"2022-01-17T22:37:30.686000-0500", :message=>"output received", :event=>{"message"=>"Disconnected from 10.34.1.42 port 40178\n", "@version"=>"1", "@timestamp"=>"2022-01-18T09:37:30.000Z", "type"=>"syslog", "host"=>"10.34.136.240", "priority"=>86, "timestamp"=>"Jan 18 04:37:30", "logsource"=>"nlskpia09", "program"=>"sshd", "pid"=>"16570", "severity"=>6, "facility"=>10, "facility_label"=>"security/authorization", "severity_label"=>"Informational"}, :level=>:debug, :file=>"(eval)", :line=>"91", :method=>"output_func"}
{:timestamp=>"2022-01-17T22:37:30.686000-0500", :message=>"output received", :event=>{"message"=>"pam_unix(sshd:session): session closed for user sid_nagios_wintel\n", "@version"=>"1", "@timestamp"=>"2022-01-18T09:37:30.000Z", "type"=>"syslog", "host"=>"10.34.136.240", "priority"=>86, "timestamp"=>"Jan 18 04:37:30", "logsource"=>"nlskpia09", "program"=>"sshd", "pid"=>"16463", "severity"=>6, "facility"=>10, "facility_label"=>"security/authorization", "severity_label"=>"Informational"}, :level=>:debug, :file=>"(eval)", :line=>"91", :method=>"output_func"}
{:timestamp=>"2022-01-17T22:37:30.687000-0500", :message=>"output received", :event=>{"message"=>"Removed session 14518.\n", "@version"=>"1", "@timestamp"=>"2022-01-18T09:37:30.000Z", "type"=>"syslog", "host"=>"10.34.136.240", "priority"=>38, "timestamp"=>"Jan 18 04:37:30", "logsource"=>"nlskpia09", "program"=>"systemd-logind", "severity"=>6, "facility"=>4, "facility_label"=>"security/authorization", "severity_label"=>"Informational"}, :level=>:debug, :file=>"(eval)", :line=>"91", :method=>"output_func"}
{:timestamp=>"2022-01-17T22:37:30.687000-0500", :message=>"output received", :event=>{"message"=>"Removed slice User Slice of sid_nagios_wintel.\n", "@version"=>"1", "@timestamp"=>"2022-01-18T09:37:30.000Z", "type"=>"syslog", "host"=>"10.34.136.240", "priority"=>30, "timestamp"=>"Jan 18 04:37:30", "logsource"=>"nlskpia09", "program"=>"systemd", "severity"=>6, "facility"=>3, "facility_label"=>"system", "severity_label"=>"Informational"}, :level=>:debug, :file=>"(eval)", :line=>"91", :method=>"output_func"}
{:timestamp=>"2022-01-17T22:37:30.687000-0500", :message=>"output received", :event=>{"message"=>"job 17851 (pid=110614): read() returned error 11\n", "@version"=>"1", "@timestamp"=>"2022-01-18T14:07:30.000Z", "type"=>"syslog", "host"=>"10.34.1.42", "priority"=>13, "timestamp"=>"Jan 18 09:07:30", "logsource"=>"usmipaa52", "program"=>"nagios", "severity"=>5, "facility"=>1, "facility_label"=>"user-level", "severity_label"=>"Notice"}, :level=>:debug, :file=>"(eval)", :line=>"91", :method=>"output_func"}
{:timestamp=>"2022-01-17T22:37:31.117000-0500", :message=>"Running grok filter", :event=>#<LogStash::Event:0x317e74 @metadata_accessors=#<LogStash::Util::Accessors:0x5ae5f477 @store={}, @lut={}>, @cancelled=false, @data={"message"=>"<14>Jan 18 09:07:31 usmipaa52 nagios: SERVICE ALERT: usinkok-ap81.delphidrive.com;CPU Usage;OK;SOFT;2;OK (Sample Period 432 sec) - Average CPU Utilisation 7.94%\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.116Z", "type"=>"syslog", "host"=>"10.34.1.42"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0x33c1d540 @store={"message"=>"<14>Jan 18 09:07:31 usmipaa52 nagios: SERVICE ALERT: usinkok-ap81.delphidrive.com;CPU Usage;OK;SOFT;2;OK (Sample Period 432 sec) - Average CPU Utilisation 7.94%\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.116Z", "type"=>"syslog", "host"=>"10.34.1.42"}, @lut={"host"=>[{"message"=>"<14>Jan 18 09:07:31 usmipaa52 nagios: SERVICE ALERT: usinkok-ap81.delphidrive.com;CPU Usage;OK;SOFT;2;OK (Sample Period 432 sec) - Average CPU Utilisation 7.94%\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.116Z", "type"=>"syslog", "host"=>"10.34.1.42"}, "host"]}>>, :level=>:debug, :file=>"logstash/filters/grok.rb", :line=>"277", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.118000-0500", :message=>"Regexp match object", :names=>["POSINT:priority", "SYSLOGTIMESTAMP:timestamp", "TIMESTAMP_ISO8601:timestamp8601", "NONNEGINT:facility", "NONNEGINT:priority", "SYSLOGHOST:logsource", "PROG:program", "POSINT:pid", "GREEDYDATA:message"], :captures=>["14", "Jan 18 09:07:31", nil, nil, nil, "usmipaa52", "nagios", nil, "SERVICE ALERT: usinkok-ap81.delphidrive.com;CPU Usage;OK;SOFT;2;OK (Sample Period 432 sec) - Average CPU Utilisation 7.94%\n"], :level=>:debug, :file=>"grok-pure.rb", :line=>"192", :method=>"match_and_capture"}
{:timestamp=>"2022-01-17T22:37:31.119000-0500", :message=>"Event now: ", :event=>#<LogStash::Event:0x317e74 @metadata_accessors=#<LogStash::Util::Accessors:0x5ae5f477 @store={}, @lut={}>, @cancelled=false, @data={"message"=>"SERVICE ALERT: usinkok-ap81.delphidrive.com;CPU Usage;OK;SOFT;2;OK (Sample Period 432 sec) - Average CPU Utilisation 7.94%\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.116Z", "type"=>"syslog", "host"=>"10.34.1.42", "priority"=>"14", "timestamp"=>"Jan 18 09:07:31", "logsource"=>"usmipaa52", "program"=>"nagios"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0x33c1d540 @store={"message"=>"SERVICE ALERT: usinkok-ap81.delphidrive.com;CPU Usage;OK;SOFT;2;OK (Sample Period 432 sec) - Average CPU Utilisation 7.94%\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.116Z", "type"=>"syslog", "host"=>"10.34.1.42", "priority"=>"14", "timestamp"=>"Jan 18 09:07:31", "logsource"=>"usmipaa52", "program"=>"nagios"}, @lut={"message"=>[{"message"=>"SERVICE ALERT: usinkok-ap81.delphidrive.com;CPU Usage;OK;SOFT;2;OK (Sample Period 432 sec) - Average CPU Utilisation 7.94%\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.116Z", "type"=>"syslog", "host"=>"10.34.1.42", "priority"=>"14", "timestamp"=>"Jan 18 09:07:31", "logsource"=>"usmipaa52", "program"=>"nagios"}, "message"]}>>, :level=>:debug, :file=>"logstash/filters/grok.rb", :line=>"292", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.120000-0500", :message=>"Date filter: received event", :type=>"syslog", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"311", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.120000-0500", :message=>"Date filter looking for field", :type=>"syslog", :field=>"timestamp", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"314", :method=>"filter"}
{:timestamp=>"2022-01-18T14:07:31.000Z", :message=>"Date parsing done", :value=>"Jan 18 09:07:31", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"348", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.248000-0500", :message=>"Pushing flush onto pipeline", :level=>:debug, :file=>"logstash/pipeline.rb", :line=>"458", :method=>"flush"}
{:timestamp=>"2022-01-17T22:37:31.249000-0500", :message=>"filter received", :event=>{"message"=>"SERVICE ALERT: usinkok-ap81.delphidrive.com;CPU Usage;OK;SOFT;2;OK (Sample Period 432 sec) - Average CPU Utilisation 7.94%\n", "@version"=>"1", "@timestamp"=>"2022-01-18T14:07:31.000Z", "type"=>"syslog", "host"=>"10.34.1.42", "priority"=>14, "timestamp"=>"Jan 18 09:07:31", "logsource"=>"usmipaa52", "program"=>"nagios", "severity"=>6, "facility"=>1, "facility_label"=>"user-level", "severity_label"=>"Informational"}, :level=>:debug, :file=>"(eval)", :line=>"83", :method=>"filter_func"}
{:timestamp=>"2022-01-17T22:37:31.250000-0500", :message=>"output received", :event=>{"message"=>"SERVICE ALERT: usinkok-ap81.delphidrive.com;CPU Usage;OK;SOFT;2;OK (Sample Period 432 sec) - Average CPU Utilisation 7.94%\n", "@version"=>"1", "@timestamp"=>"2022-01-18T14:07:31.000Z", "type"=>"syslog", "host"=>"10.34.1.42", "priority"=>14, "timestamp"=>"Jan 18 09:07:31", "logsource"=>"usmipaa52", "program"=>"nagios", "severity"=>6, "facility"=>1, "facility_label"=>"user-level", "severity_label"=>"Informational"}, :level=>:debug, :file=>"(eval)", :line=>"91", :method=>"output_func"}
{:timestamp=>"2022-01-17T22:37:31.429000-0500", :message=>"Flushing buffer at interval", :instance=>"#<LogStash::Outputs::ElasticSearch::Buffer:0x429a96a5 @operations_mutex=#<Mutex:0x46a50a2e>, @max_size=500, @operations_lock=#<Java::JavaUtilConcurrentLocks::ReentrantLock:0x3a79c9e>, @submit_proc=#<Proc:0x326edfb4@/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.7.1-java/lib/logstash/outputs/elasticsearch/common.rb:57>, @logger=#<Cabin::Channel:0x6ed65cbb @metrics=#<Cabin::Metrics:0x7d53b5ea @metrics_lock=#<Mutex:0x3fec589a>, @metrics={}, @channel=#<Cabin::Channel:0x6ed65cbb ...>>, @subscriber_lock=#<Mutex:0x5aa49aa2>, @level=:debug, @subscribers={497630=>#<Cabin::Subscriber:0x66573f1f @output=#<Cabin::Outputs::IO:0x3ba283c7 @io=#<File:/var/log/logstash/logstash.log>, @lock=#<Mutex:0x452d7f9b>>, @options={}>, 497632=>#<Cabin::Subscriber:0x1a8f6489 @output=#<Cabin::Outputs::IO:0x457f0f00 @io=#<IO:fd 1>, @lock=#<Mutex:0x6aec00d3>>, @options={:level=>:fatal}>}, @data={}>, @last_flush=2022-01-17 22:37:30 -0500, @flush_interval=1, @stopping=#<Concurrent::AtomicBoolean:0x5c7457ad>, @buffer=[], @flush_thread=#<Thread:0x638863d1 run>>", :interval=>1, :level=>:debug, :file=>"logstash/outputs/elasticsearch/buffer.rb", :line=>"90", :method=>"interval_flush"}
{:timestamp=>"2022-01-17T22:37:31.430000-0500", :message=>"Flushing buffer at interval", :instance=>"#<LogStash::Outputs::ElasticSearch::Buffer:0x1e049551 @operations_mutex=#<Mutex:0x10c378e1>, @max_size=500, @operations_lock=#<Java::JavaUtilConcurrentLocks::ReentrantLock:0x14fcfe21>, @submit_proc=#<Proc:0x6beacba9@/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.7.1-java/lib/logstash/outputs/elasticsearch/common.rb:57>, @logger=#<Cabin::Channel:0x6ed65cbb @metrics=#<Cabin::Metrics:0x7d53b5ea @metrics_lock=#<Mutex:0x3fec589a>, @metrics={}, @channel=#<Cabin::Channel:0x6ed65cbb ...>>, @subscriber_lock=#<Mutex:0x5aa49aa2>, @level=:debug, @subscribers={497630=>#<Cabin::Subscriber:0x66573f1f @output=#<Cabin::Outputs::IO:0x3ba283c7 @io=#<File:/var/log/logstash/logstash.log>, @lock=#<Mutex:0x452d7f9b>>, @options={}>, 497632=>#<Cabin::Subscriber:0x1a8f6489 @output=#<Cabin::Outputs::IO:0x457f0f00 @io=#<IO:fd 1>, @lock=#<Mutex:0x6aec00d3>>, @options={:level=>:fatal}>}, @data={}>, @last_flush=2022-01-17 22:37:30 -0500, @flush_interval=1, @stopping=#<Concurrent::AtomicBoolean:0x60e5a245>, @buffer=[], @flush_thread=#<Thread:0x131b458e run>>", :interval=>1, :level=>:debug, :file=>"logstash/outputs/elasticsearch/buffer.rb", :line=>"90", :method=>"interval_flush"}
{:timestamp=>"2022-01-17T22:37:31.429000-0500", :message=>"Flushing buffer at interval", :instance=>"#<LogStash::Outputs::ElasticSearch::Buffer:0x65dcecdf @operations_mutex=#<Mutex:0x6b1b1e14>, @max_size=500, @operations_lock=#<Java::JavaUtilConcurrentLocks::ReentrantLock:0x6f2487af>, @submit_proc=#<Proc:0x281eafa0@/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.7.1-java/lib/logstash/outputs/elasticsearch/common.rb:57>, @logger=#<Cabin::Channel:0x6ed65cbb @metrics=#<Cabin::Metrics:0x7d53b5ea @metrics_lock=#<Mutex:0x3fec589a>, @metrics={}, @channel=#<Cabin::Channel:0x6ed65cbb ...>>, @subscriber_lock=#<Mutex:0x5aa49aa2>, @level=:debug, @subscribers={497630=>#<Cabin::Subscriber:0x66573f1f @output=#<Cabin::Outputs::IO:0x3ba283c7 @io=#<File:/var/log/logstash/logstash.log>, @lock=#<Mutex:0x452d7f9b>>, @options={}>, 497632=>#<Cabin::Subscriber:0x1a8f6489 @output=#<Cabin::Outputs::IO:0x457f0f00 @io=#<IO:fd 1>, @lock=#<Mutex:0x6aec00d3>>, @options={:level=>:fatal}>}, @data={}>, @last_flush=2022-01-17 22:37:30 -0500, @flush_interval=1, @stopping=#<Concurrent::AtomicBoolean:0x1bc6ff09>, @buffer=[], @flush_thread=#<Thread:0x50141a21 run>>", :interval=>1, :level=>:debug, :file=>"logstash/outputs/elasticsearch/buffer.rb", :line=>"90", :method=>"interval_flush"}
{:timestamp=>"2022-01-17T22:37:31.431000-0500", :message=>"Flushing buffer at interval", :instance=>"#<LogStash::Outputs::ElasticSearch::Buffer:0x10394199 @operations_mutex=#<Mutex:0x1efeadee>, @max_size=500, @operations_lock=#<Java::JavaUtilConcurrentLocks::ReentrantLock:0x1ac12ae9>, @submit_proc=#<Proc:0x5ac103d@/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.7.1-java/lib/logstash/outputs/elasticsearch/common.rb:57>, @logger=#<Cabin::Channel:0x6ed65cbb @metrics=#<Cabin::Metrics:0x7d53b5ea @metrics_lock=#<Mutex:0x3fec589a>, @metrics={}, @channel=#<Cabin::Channel:0x6ed65cbb ...>>, @subscriber_lock=#<Mutex:0x5aa49aa2>, @level=:debug, @subscribers={497630=>#<Cabin::Subscriber:0x66573f1f @output=#<Cabin::Outputs::IO:0x3ba283c7 @io=#<File:/var/log/logstash/logstash.log>, @lock=#<Mutex:0x452d7f9b>>, @options={}>, 497632=>#<Cabin::Subscriber:0x1a8f6489 @output=#<Cabin::Outputs::IO:0x457f0f00 @io=#<IO:fd 1>, @lock=#<Mutex:0x6aec00d3>>, @options={:level=>:fatal}>}, @data={}>, @last_flush=2022-01-17 22:37:30 -0500, @flush_interval=1, @stopping=#<Concurrent::AtomicBoolean:0x2559e485>, @buffer=[], @flush_thread=#<Thread:0x18e3f821 run>>", :interval=>1, :level=>:debug, :file=>"logstash/outputs/elasticsearch/buffer.rb", :line=>"90", :method=>"interval_flush"}
{:timestamp=>"2022-01-17T22:37:31.443000-0500", :message=>"Running grok filter", :event=>#<LogStash::Event:0x2b6b981e @metadata_accessors=#<LogStash::Util::Accessors:0x14d2e907 @store={}, @lut={}>, @cancelled=false, @data={"message"=>"<85>Jan 17 22:37:31 usmipaa51 sudo: nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/elasticsearch status\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.443Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0x2ae58c9b @store={"message"=>"<85>Jan 17 22:37:31 usmipaa51 sudo: nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/elasticsearch status\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.443Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, @lut={"host"=>[{"message"=>"<85>Jan 17 22:37:31 usmipaa51 sudo: nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/elasticsearch status\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.443Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, "host"]}>>, :level=>:debug, :file=>"logstash/filters/grok.rb", :line=>"277", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.444000-0500", :message=>"Regexp match object", :names=>["POSINT:priority", "SYSLOGTIMESTAMP:timestamp", "TIMESTAMP_ISO8601:timestamp8601", "NONNEGINT:facility", "NONNEGINT:priority", "SYSLOGHOST:logsource", "PROG:program", "POSINT:pid", "GREEDYDATA:message"], :captures=>["85", "Jan 17 22:37:31", nil, nil, nil, "usmipaa51", "sudo", nil, " nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/elasticsearch status\n"], :level=>:debug, :file=>"grok-pure.rb", :line=>"192", :method=>"match_and_capture"}
{:timestamp=>"2022-01-17T22:37:31.444000-0500", :message=>"Event now: ", :event=>#<LogStash::Event:0x2b6b981e @metadata_accessors=#<LogStash::Util::Accessors:0x14d2e907 @store={}, @lut={}>, @cancelled=false, @data={"message"=>" nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/elasticsearch status\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.443Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"85", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0x2ae58c9b @store={"message"=>" nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/elasticsearch status\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.443Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"85", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, @lut={"message"=>[{"message"=>" nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/elasticsearch status\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.443Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"85", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, "message"]}>>, :level=>:debug, :file=>"logstash/filters/grok.rb", :line=>"292", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.445000-0500", :message=>"Date filter: received event", :type=>"syslog", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"311", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.445000-0500", :message=>"Date filter looking for field", :type=>"syslog", :field=>"timestamp", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"314", :method=>"filter"}
{:timestamp=>"2022-01-18T03:37:31.000Z", :message=>"Date parsing done", :value=>"Jan 17 22:37:31", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"348", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.445000-0500", :message=>"Running grok filter", :event=>#<LogStash::Event:0x33e3d1d3 @metadata_accessors=#<LogStash::Util::Accessors:0x27bfc6a @store={}, @lut={}>, @cancelled=false, @data={"message"=>"<86>Jan 17 22:37:31 usmipaa51 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.445Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0x36e6774a @store={"message"=>"<86>Jan 17 22:37:31 usmipaa51 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.445Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, @lut={"host"=>[{"message"=>"<86>Jan 17 22:37:31 usmipaa51 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.445Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, "host"]}>>, :level=>:debug, :file=>"logstash/filters/grok.rb", :line=>"277", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.446000-0500", :message=>"Regexp match object", :names=>["POSINT:priority", "SYSLOGTIMESTAMP:timestamp", "TIMESTAMP_ISO8601:timestamp8601", "NONNEGINT:facility", "NONNEGINT:priority", "SYSLOGHOST:logsource", "PROG:program", "POSINT:pid", "GREEDYDATA:message"], :captures=>["86", "Jan 17 22:37:31", nil, nil, nil, "usmipaa51", "sudo", nil, "pam_unix(sudo:session): session opened for user root by (uid=0)\n"], :level=>:debug, :file=>"grok-pure.rb", :line=>"192", :method=>"match_and_capture"}
{:timestamp=>"2022-01-17T22:37:31.446000-0500", :message=>"Event now: ", :event=>#<LogStash::Event:0x33e3d1d3 @metadata_accessors=#<LogStash::Util::Accessors:0x27bfc6a @store={}, @lut={}>, @cancelled=false, @data={"message"=>"pam_unix(sudo:session): session opened for user root by (uid=0)\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.445Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"86", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0x36e6774a @store={"message"=>"pam_unix(sudo:session): session opened for user root by (uid=0)\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.445Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"86", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, @lut={"message"=>[{"message"=>"pam_unix(sudo:session): session opened for user root by (uid=0)\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.445Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"86", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, "message"]}>>, :level=>:debug, :file=>"logstash/filters/grok.rb", :line=>"292", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.447000-0500", :message=>"Date filter: received event", :type=>"syslog", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"311", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.447000-0500", :message=>"Date filter looking for field", :type=>"syslog", :field=>"timestamp", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"314", :method=>"filter"}
{:timestamp=>"2022-01-18T03:37:31.000Z", :message=>"Date parsing done", :value=>"Jan 17 22:37:31", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"348", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.469000-0500", :message=>"Running grok filter", :event=>#<LogStash::Event:0x6f2bd06 @metadata_accessors=#<LogStash::Util::Accessors:0x604ba9f7 @store={}, @lut={}>, @cancelled=false, @data={"message"=>"<86>Jan 17 22:37:31 usmipaa51 sudo: pam_unix(sudo:session): session closed for user root\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.469Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0x6b8296a3 @store={"message"=>"<86>Jan 17 22:37:31 usmipaa51 sudo: pam_unix(sudo:session): session closed for user root\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.469Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, @lut={"host"=>[{"message"=>"<86>Jan 17 22:37:31 usmipaa51 sudo: pam_unix(sudo:session): session closed for user root\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.469Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, "host"]}>>, :level=>:debug, :file=>"logstash/filters/grok.rb", :line=>"277", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.470000-0500", :message=>"Regexp match object", :names=>["POSINT:priority", "SYSLOGTIMESTAMP:timestamp", "TIMESTAMP_ISO8601:timestamp8601", "NONNEGINT:facility", "NONNEGINT:priority", "SYSLOGHOST:logsource", "PROG:program", "POSINT:pid", "GREEDYDATA:message"], :captures=>["86", "Jan 17 22:37:31", nil, nil, nil, "usmipaa51", "sudo", nil, "pam_unix(sudo:session): session closed for user root\n"], :level=>:debug, :file=>"grok-pure.rb", :line=>"192", :method=>"match_and_capture"}
{:timestamp=>"2022-01-17T22:37:31.470000-0500", :message=>"Event now: ", :event=>#<LogStash::Event:0x6f2bd06 @metadata_accessors=#<LogStash::Util::Accessors:0x604ba9f7 @store={}, @lut={}>, @cancelled=false, @data={"message"=>"pam_unix(sudo:session): session closed for user root\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.469Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"86", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0x6b8296a3 @store={"message"=>"pam_unix(sudo:session): session closed for user root\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.469Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"86", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, @lut={"message"=>[{"message"=>"pam_unix(sudo:session): session closed for user root\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.469Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"86", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, "message"]}>>, :level=>:debug, :file=>"logstash/filters/grok.rb", :line=>"292", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.470000-0500", :message=>"Date filter: received event", :type=>"syslog", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"311", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.471000-0500", :message=>"Date filter looking for field", :type=>"syslog", :field=>"timestamp", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"314", :method=>"filter"}
{:timestamp=>"2022-01-18T03:37:31.000Z", :message=>"Date parsing done", :value=>"Jan 17 22:37:31", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"348", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.482000-0500", :message=>"Running grok filter", :event=>#<LogStash::Event:0x3916397b @metadata_accessors=#<LogStash::Util::Accessors:0x2952f686 @store={}, @lut={}>, @cancelled=false, @data={"message"=>"<85>Jan 17 22:37:31 usmipaa51 sudo: nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/logstash status\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.481Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0x775fd75e @store={"message"=>"<85>Jan 17 22:37:31 usmipaa51 sudo: nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/logstash status\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.481Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, @lut={"host"=>[{"message"=>"<85>Jan 17 22:37:31 usmipaa51 sudo: nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/logstash status\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.481Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, "host"]}>>, :level=>:debug, :file=>"logstash/filters/grok.rb", :line=>"277", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.482000-0500", :message=>"Regexp match object", :names=>["POSINT:priority", "SYSLOGTIMESTAMP:timestamp", "TIMESTAMP_ISO8601:timestamp8601", "NONNEGINT:facility", "NONNEGINT:priority", "SYSLOGHOST:logsource", "PROG:program", "POSINT:pid", "GREEDYDATA:message"], :captures=>["85", "Jan 17 22:37:31", nil, nil, nil, "usmipaa51", "sudo", nil, " nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/logstash status\n"], :level=>:debug, :file=>"grok-pure.rb", :line=>"192", :method=>"match_and_capture"}
{:timestamp=>"2022-01-17T22:37:31.482000-0500", :message=>"Event now: ", :event=>#<LogStash::Event:0x3916397b @metadata_accessors=#<LogStash::Util::Accessors:0x2952f686 @store={}, @lut={}>, @cancelled=false, @data={"message"=>" nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/logstash status\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.481Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"85", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0x775fd75e @store={"message"=>" nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/logstash status\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.481Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"85", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, @lut={"message"=>[{"message"=>" nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/logstash status\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.481Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"85", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, "message"]}>>, :level=>:debug, :file=>"logstash/filters/grok.rb", :line=>"292", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.483000-0500", :message=>"Date filter: received event", :type=>"syslog", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"311", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.483000-0500", :message=>"Date filter looking for field", :type=>"syslog", :field=>"timestamp", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"314", :method=>"filter"}
{:timestamp=>"2022-01-18T03:37:31.000Z", :message=>"Date parsing done", :value=>"Jan 17 22:37:31", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"348", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.484000-0500", :message=>"Running grok filter", :event=>#<LogStash::Event:0x6e4478dc @metadata_accessors=#<LogStash::Util::Accessors:0x393ad1da @store={}, @lut={}>, @cancelled=false, @data={"message"=>"<86>Jan 17 22:37:31 usmipaa51 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.484Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0x35362b7a @store={"message"=>"<86>Jan 17 22:37:31 usmipaa51 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.484Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, @lut={"host"=>[{"message"=>"<86>Jan 17 22:37:31 usmipaa51 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.484Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, "host"]}>>, :level=>:debug, :file=>"logstash/filters/grok.rb", :line=>"277", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.484000-0500", :message=>"Regexp match object", :names=>["POSINT:priority", "SYSLOGTIMESTAMP:timestamp", "TIMESTAMP_ISO8601:timestamp8601", "NONNEGINT:facility", "NONNEGINT:priority", "SYSLOGHOST:logsource", "PROG:program", "POSINT:pid", "GREEDYDATA:message"], :captures=>["86", "Jan 17 22:37:31", nil, nil, nil, "usmipaa51", "sudo", nil, "pam_unix(sudo:session): session opened for user root by (uid=0)\n"], :level=>:debug, :file=>"grok-pure.rb", :line=>"192", :method=>"match_and_capture"}
{:timestamp=>"2022-01-17T22:37:31.485000-0500", :message=>"Event now: ", :event=>#<LogStash::Event:0x6e4478dc @metadata_accessors=#<LogStash::Util::Accessors:0x393ad1da @store={}, @lut={}>, @cancelled=false, @data={"message"=>"pam_unix(sudo:session): session opened for user root by (uid=0)\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.484Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"86", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0x35362b7a @store={"message"=>"pam_unix(sudo:session): session opened for user root by (uid=0)\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.484Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"86", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, @lut={"message"=>[{"message"=>"pam_unix(sudo:session): session opened for user root by (uid=0)\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.484Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"86", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, "message"]}>>, :level=>:debug, :file=>"logstash/filters/grok.rb", :line=>"292", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.485000-0500", :message=>"Date filter: received event", :type=>"syslog", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"311", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.485000-0500", :message=>"Date filter looking for field", :type=>"syslog", :field=>"timestamp", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"314", :method=>"filter"}
{:timestamp=>"2022-01-18T03:37:31.000Z", :message=>"Date parsing done", :value=>"Jan 17 22:37:31", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"348", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.502000-0500", :message=>"Running grok filter", :event=>#<LogStash::Event:0x678af935 @metadata_accessors=#<LogStash::Util::Accessors:0x1cea80f2 @store={}, @lut={}>, @cancelled=false, @data={"message"=>"<86>Jan 17 22:37:31 usmipaa51 sudo: pam_unix(sudo:session): session closed for user root\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.502Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0x3a9dff60 @store={"message"=>"<86>Jan 17 22:37:31 usmipaa51 sudo: pam_unix(sudo:session): session closed for user root\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.502Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, @lut={"host"=>[{"message"=>"<86>Jan 17 22:37:31 usmipaa51 sudo: pam_unix(sudo:session): session closed for user root\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.502Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, "host"]}>>, :level=>:debug, :file=>"logstash/filters/grok.rb", :line=>"277", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.502000-0500", :message=>"Regexp match object", :names=>["POSINT:priority", "SYSLOGTIMESTAMP:timestamp", "TIMESTAMP_ISO8601:timestamp8601", "NONNEGINT:facility", "NONNEGINT:priority", "SYSLOGHOST:logsource", "PROG:program", "POSINT:pid", "GREEDYDATA:message"], :captures=>["86", "Jan 17 22:37:31", nil, nil, nil, "usmipaa51", "sudo", nil, "pam_unix(sudo:session): session closed for user root\n"], :level=>:debug, :file=>"grok-pure.rb", :line=>"192", :method=>"match_and_capture"}
{:timestamp=>"2022-01-17T22:37:31.503000-0500", :message=>"Event now: ", :event=>#<LogStash::Event:0x678af935 @metadata_accessors=#<LogStash::Util::Accessors:0x1cea80f2 @store={}, @lut={}>, @cancelled=false, @data={"message"=>"pam_unix(sudo:session): session closed for user root\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.502Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"86", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0x3a9dff60 @store={"message"=>"pam_unix(sudo:session): session closed for user root\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.502Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"86", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, @lut={"message"=>[{"message"=>"pam_unix(sudo:session): session closed for user root\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:31.502Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1", "priority"=>"86", "timestamp"=>"Jan 17 22:37:31", "logsource"=>"usmipaa51", "program"=>"sudo"}, "message"]}>>, :level=>:debug, :file=>"logstash/filters/grok.rb", :line=>"292", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.504000-0500", :message=>"Date filter: received event", :type=>"syslog", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"311", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:31.504000-0500", :message=>"Date filter looking for field", :type=>"syslog", :field=>"timestamp", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"314", :method=>"filter"}
{:timestamp=>"2022-01-18T03:37:31.000Z", :message=>"Date parsing done", :value=>"Jan 17 22:37:31", :level=>:debug, :file=>"logstash/filters/date.rb", :line=>"348", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:32.033000-0500", :message=>"Running grok filter", :event=>#<LogStash::Event:0x26be9d33 @metadata_accessors=#<LogStash::Util::Accessors:0xb6ae34e @store={}, @lut={}>, @cancelled=false, @data={"message"=>"<85>Jan 17 22:37:32 usmipaa51 polkitd[723]: Registered Authentication Agent for unix-process177598541 (system bus name :1.447863 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:32.033Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0xf2da43f @store={"message"=>"<85>Jan 17 22:37:32 usmipaa51 polkitd[723]: Registered Authentication Agent for unix-process177598541 (system bus name :1.447863 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:32.033Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, @lut={"host"=>[{"message"=>"<85>Jan 17 22:37:32 usmipaa51 polkitd[723]: Registered Authentication Agent for unix-process177598541 (system bus name :1.447863 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)\n", "@version"=>"1", "@timestamp"=>"2022-01-18T03:37:32.033Z", "type"=>"syslog", "host"=>"0:0:0:0:0:0:0:1"}, "host"]}>>, :level=>:debug, :file=>"logstash/filters/grok.rb", :line=>"277", :method=>"filter"}
{:timestamp=>"2022-01-17T22:37:32.035000-0500", :message=>"Regexp match object", :names=>["POSINT:priority", "SYSLOGTIMESTAMP:timestamp", "TIMESTAMP_ISO8601:timestamp8601", "NONNEGINT:facility", "NONNEGINT:priority", "SYSLOGHOST:logsource", "PROG:program", "POSINT:pid", "GREEDYDATA:message"], :captures=>["85", "Jan 17 22:37:32", nil, nil, nil, "usmipaa51", "polkitd", "723", "Registered Authentication Agent for unix-process177598541 (system bus name :1.447863 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)\n"], :level=>:debug, :file=>"grok-pure.rb", :line=>"192", :method=>"match_and_capture"}
{:timestamp=>"2022-01-17T22:37:32.035000-0500", :message=>"Event now: ", :event=>#<LogStash::Event:0x26be9d33 @metadata_accessors=#

I do not see any errors in that one.

Please create a ticket for this and include a link back to this forum thread so we can get a remote session setup:
- In that new ticket attach a fresh copy of your Log Server profile

https://support.nagios.com/tickets/

Thank you!