About filters...

[xdatanet]

I'm trying to use filters.

I have some inputs that sets [type] value or [tags] value...

The Nagios sample refers to [program]:

if [program] == 'apache_access' { [...]

I would to filter event ID and write a filter like this:

if [EventID] == '1234' do some grok, mutate,...

but this does not work!

If I use:

if [type] == 'eventlog' it works but I need to manage specifically events, the 1234 events.

I suspect the parsing of the logs occurs after the filter and I cannot use the whole filters but only those setted in input.

Please explain me how it works...

Regards,
Graziano.

[xdatanet]

I solved.

The problem is that I'm searching a string in place of a number (integer).

if [EventID] == 1717 without '' works.

Another question. Why Logstash plugins in NagiosLS are at 2.0.3 version?

I'd need mutate => copy but it was introduced in 3.1.5 plugin version.

Regards,
Graziano.

[jmichaelson]

Hi @xdatanet, glad to see you got the eventid problem taken care of. To answer your remaining question, Nagios Log Server 2024R1 and earlier ship with Logstash 2.4.1. When version 2024R2 ships (soon), it will have a much newer version of Logstash, which will give you access to a wider variety of inputs and filters.

[xdatanet]

Jason,
just a question about the 2024R2.

I hope I didn't understand correctly the webinar. Have I to reinstall a fresh new 2024R2 version and then migrate all my data or can I upgrade from 1.3 to 2??

Regards,
Graziano.

[jmichaelson]

If you want to access your data from the same location, you'll have to stand up a new cluster and migrate your existing log data into that cluster. How long that takes will, of course, depend on the volume of data in your existing cluster, and the performance of the old and new clusters.

[xdatanet]

Sorry,
what was unclear about my question?

Do I need to upgrade my actual 2024R1.3 nodes to 2024R2 like previous update from 1.2 or do I need to redeploy another cluster with the new version and then migrate the data to it???

Because if I had to deploy another cluster there would be many many work to do on every client that sends (new ip, new network security rules)... Oh my god....

Regards,
Graziano.

[jmichaelson]

You will have to stand up a new cluster. Due to the underlying infrastructure changes, there won't be an upgrade-in-place process.

[kg2857]

If the current cluster has multiple hosts as it should, you should be sending logs to a VIP, so adding new hosts shouldn't be much of an issue.

[jmichaelson]

@kg2857, in general that's correct. With the forthcoming R2 release, Elasticsearch 1.7.6 is being replaced with OpenSearch 2.14.x. The migration unfortunately isn't a simple matter of being able to add a new node to an existing cluster. It would have been great if it was, but I'm not even sure its possible to have an Elasticsearch cluster with multiple major versions in it.

[xdatanet]

If the current cluster has multiple hosts as it should, you should be sending logs to a VIP, so adding new hosts shouldn't be much of an issue.

It was worse than it looked...

Graziano.