
Nagios Log Server - Sending Multiline Log Files Using Syslog

Overview

This KB article explains how to configure syslog to send multi-line logs to Nagios Log Server (NLS).

What is a multi-line log? This is when the data that makes up a single event is spread across multiple lines in the log file. For example:

2017.02.13 14:42:07:198 EST | Audit | write2216 | express_admin | System | UserDeleteRequest

    <?xml version="1.0" encoding="UTF-8"?>
<BroadsoftDocument protocol="OCI" xmlns="C">
  <userId xmlns="">express_admin</userId>
  <command xsi:type="UserDeleteRequest" xmlns="" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <userId>2136658700</userId>
  </command>
</BroadsoftDocument>

Normally, when you configure syslog to send a custom log file to NLS, the file is sent line by line. This makes reviewing the logs in NLS complicated, because one entry is displayed as multiple events.

In the example above, the first line starts with a date and time in the format yyyy.mm.dd hh:mm:ss:ms. Every entry recorded in this log file always begins with a line formatted this way. Syslog can be configured to identify this string and then send the entire entry to NLS as a multi-line log.

NLS will also have an extra configuration input added to handle the incoming multi-line data.

This KB article walks you through the steps to implement this.

Scenario Details

To demonstrate how this works, this KB article uses the log file /var/log/AuditLog.log as the file sent to NLS.

To simulate a multiple line log entry being added to the log, a second file will be created called /var/log/test.log with the following contents:

2017.02.13 14:42:07:198 EST | Audit | write2216 | express_admin | System | UserDeleteRequest

    <?xml version="1.0" encoding="UTF-8"?>
<BroadsoftDocument protocol="OCI" xmlns="C">
  <userId xmlns="">express_admin</userId>
  <command xsi:type="UserDeleteRequest" xmlns="" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <userId>2136658700</userId>
  </command>
</BroadsoftDocument>


The following command in a terminal session appends the data to /var/log/AuditLog.log:

more /var/log/test.log >> /var/log/AuditLog.log

Using those steps you will be able to follow this KB article and confirm that the functionality works. Every time the command above is executed, a multi-line entry is added to the /var/log/AuditLog.log log file. The date in the entry is technically incorrect, but this does not matter; it is simply an example.

Configure Nagios Log Server

The first step is to configure the NLS input to identify multi-line logs.

Log into your NLS web interface and navigate to Administration > Global Configuration.

Under Inputs, use the + Add Input drop down list and click Custom. This adds a new block underneath.

Give it a name such as Syslog Multiline.

In the text area add the following:

tcp {
    codec => multiline {
        pattern => '^[0-9]{4}.[0-9]{2}.[0-9]{2}'
        negate => true
        what => previous
    }
    port => 6677
    type => 'syslog_multiline'
}


Click the Save button.

Then click the Verify button above to ensure this is a valid configuration.

Once the verification process is OK, in the left pane under Configuration Editor click Apply Configuration.

Click the Apply button.

Click Yes, Apply Now

Once this process has finished you can continue onto the next section. You'll return back to NLS once syslog has been configured.

The input that was just added is listening on port 6677; this port will be used in the steps below when configuring syslog.

What does all of that mean?

The line codec => multiline { tells Logstash to use the multiline codec.

The pattern tells Logstash that a line in the following string format is the first line of a log entry:

pattern => '^[0-9]{4}.[0-9]{2}.[0-9]{2}'


  • This is a regular expression (regex)

  • The ^ means that the line begins with this pattern

  • [0-9]{4} indicates that there are four digits in the range 0 to 9 (the year)

  • The . period matches any single character, whatever that character is. Here it represents the character separating the year and the month; it is coincidental that this character is actually a . period.

  • [0-9]{2} indicates that there are two digits in the range 0 to 9 (the month)

  • The . period matches a single character.

  • [0-9]{2} indicates that there are two digits in the range 0 to 9 (the day)


Basically it's saying this is the format of the string which needs to be matched:

dddd.dd.dd

Remember the example we have:

2017.02.13 14:42:07:198 EST | Audit | write2216 | express_admin | System | UserDeleteRequest


The negate line:

negate => true

true means that a received line which does not match the pattern is treated as a match by the multiline codec, and the what setting is applied to it.

The what line:

what => previous

previous says that any line not starting with the pattern should be merged with the previous line.


The type line:

type => 'syslog_multiline'

This is the type that the received entry is indexed with; it will help with searches later.


Configure syslog

Establish a terminal session to the Linux server that has the log file in question.

Syslog will be configured to watch the /var/log/AuditLog.log log file and send it to NLS. This example uses an NLS instance with the address 10.25.5.99, listening on port 6677 (the input added above).

In your terminal session execute these commands:

cd /tmp
curl -s -O http://10.25.5.99/nagioslogserver/scripts/setup-linux.sh
sudo bash setup-linux.sh -s 10.25.5.99 -p 6677 -f "/var/log/AuditLog.log" -t syslog_multiline


This creates a syslog configuration file called /etc/rsyslog.d/90-nagioslogserver_var_log_AuditLog.log.conf.

A change needs to be made to this configuration file, edit the file in the vi editor using the following command:

vi /etc/rsyslog.d/90-nagioslogserver_var_log_AuditLog.log.conf

When using the vi editor, to make changes press i on the keyboard first to enter insert mode. Press Esc to exit insert mode.

Make the following changes to the file (the added $template clean line and the ;clean suffix on the forwarding line):

$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/lib/rsyslog

# Input for syslog_multiline
$InputFileName /var/log/AuditLog.log
$InputFileTag syslog_multiline:
$InputFileStateFile nls-state-var_log_AuditLog.log # Must be unique for each file being polled
# Uncomment the following line to override the default severity for messages
# from this file.
#$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor
$template clean,"%rawmsg%"

# Forward to Nagios Log Server and then discard, otherwise these messages
# will end up in the syslog file (/var/log/messages) unless there are other
# overriding rules.
if $programname == 'syslog_multiline' then @@10.25.5.99:6677;clean
if $programname == 'syslog_multiline' then ~


You can see that the line $template clean,"%rawmsg%" was added and ;clean was added to the end of the second last line.

This changes the rsyslog configuration to apply the clean template, which forwards the message as rsyslog's %rawmsg% property, i.e. the raw line exactly as it was read from the file.

When you have finished, save the changes in vi by typing:

:wq

and press Enter.


Finally you need to restart the rsyslog service with the following command:

service rsyslog restart


Test

Now you can test that it is working by executing the following command on your Linux machine:

more /var/log/test.log >> /var/log/AuditLog.log


Now open the NLS web interface and navigate to Dashboards.

You should now see the multi-line entry from /var/log/test.log displayed as a single event with the type syslog_multiline.

Summary

This KB article showed you how to use syslog to send multi-line log files to Nagios Log Server. Armed with this information you should be able to apply this to your situation.


Final Thoughts

For any support-related questions please visit the Nagios Support Forums at:

http://support.nagios.com/forum/
