Introduction
There may be situations where you want to create alerts based on the Log Server audit log. For example, you may want to send email alerts when a Nagios Log Server user is created, modified, or deleted.
Setup
- Navigate to Configure > Global Config.
- Click the Add Input button.
- Enter a descriptive Block Name.
- Enter the following code in the code field.
    file {
        type => "nlsauditlog"
        path => "/usr/local/nagioslogserver/var/auditlog.log"
    }
- Click the Add Filter button.
- Enter a descriptive Block name and add filter code that will gather the information you desire from the log. Example:
    if [type] == 'nlsauditlog' {
        grok {
            match => {
                "message" => [
                    "%{TIMESTAMP_ISO8601:date} created=%{INT:created} created_by=%{WORD:created_by} type=%{WORD:audit_log_type} message=%{DATA:message} source=%{DATA:source} ip_address=%{IP:ip_address}",
                    "%{TIMESTAMP_ISO8601:date} created=%{INT:created} created_by=%{WORD:created_by} type=%{WORD:audit_log_type} message=%{DATA:message} node=%{UUID:node} source=%{GREEDYDATA:source}"
                ]
            }
            overwrite => [ 'message' ]
        }
    }
- Click Save & Apply.
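As an added illustration (not part of the Nagios documentation), the Python below applies regex equivalents of the two grok patterns above to constructed audit-log lines and picks out the user create/modify/delete events you would alert on; the timestamps, user names, UUID and addresses are made-up sample values.

```python
import re

# Regex equivalents of the grok patterns used in the filter block:
# TIMESTAMP_ISO8601, INT, WORD, DATA, IP, UUID and GREEDYDATA.
TS = (r"(?P<date>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}"
      r"(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?)")
COMMON = (TS + r" created=(?P<created>\d+) created_by=(?P<created_by>\w+)"
          r" type=(?P<audit_log_type>\w+) message=(?P<message>.*?)")
PATTERNS = [
    # Variant 1: ... message=<DATA> source=<DATA> ip_address=<IP>
    re.compile(COMMON + r" source=(?P<source>.*?)"
               r" ip_address=(?P<ip_address>\d{1,3}(?:\.\d{1,3}){3})$"),
    # Variant 2: ... message=<DATA> node=<UUID> source=<GREEDYDATA>
    re.compile(COMMON + r" node=(?P<node>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}"
               r"-[0-9a-fA-F]{12}) source=(?P<source>.*)$"),
]


def parse_audit_line(line):
    """Return the extracted fields as a dict, or None if no pattern matches."""
    for pat in PATTERNS:
        m = pat.match(line.strip())
        if m:
            return m.groupdict()
    return None


USER_CHANGE = re.compile(r"\b(created|modified|deleted)\b", re.IGNORECASE)


def user_account_events(lines):
    """Keep only parsed events whose message reports a user being created,
    modified or deleted; these are the events worth an alert query."""
    hits = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev and "user" in ev["message"].lower() and USER_CHANGE.search(ev["message"]):
            hits.append(ev)
    return hits


# Constructed sample lines in the shape the grok patterns expect.
SAMPLE_LINES = [
    "2024-03-01T09:15:02 created=1709284502 created_by=nagiosadmin type=USER "
    "message=User 'alice' was created source=Web ip_address=192.0.2.10",
    "2024-03-01T09:20:11 created=1709285011 created_by=nagiosadmin type=CONFIG "
    "message=Applied configuration node=123e4567-e89b-12d3-a456-426614174000 source=Global Config",
    "2024-03-01T09:25:40 created=1709285340 created_by=nagiosadmin type=USER "
    "message=User 'bob' was deleted source=Web ip_address=192.0.2.11",
    "not an audit log line",
]

if __name__ == "__main__":
    for ev in user_account_events(SAMPLE_LINES):
        print(ev["date"], ev["created_by"], ev["message"], ev.get("ip_address"))
```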
Next, use the documentation linked below to build a query on the dashboards and use that query in an alert:
Analyzing-Logs-With-Nagios-Log-Server
Alerting-On-Log-Events-With-Nagios-Log-Server