Send Alerts Based on the Log Server Audit Log


Introduction

There may be situations where you want to create alerts based on the Log Server audit log. For example, you may want to send email alerts whenever a Nagios Log Server user is created, modified, or deleted.

Setup

  1. Navigate to Configure > Global Config.
  2. Click the Add Input button.
  3. Enter a descriptive Block Name.
  4. Enter the following code in the code field.
    file {
        type => "nlsauditlog"
        path => "/usr/local/nagioslogserver/var/auditlog.log"
    }
  5. Click the Add Filter button.
  6. Enter a descriptive Block Name and add filter code that extracts the fields you want from the log. Example:
    if [type] == 'nlsauditlog' {
        grok {
            match => {
                "message" => [
                    "%{TIMESTAMP_ISO8601:date} created=%{INT:created} created_by=%{WORD:created_by} type=%{WORD:audit_log_type} message=%{DATA:message} source=%{DATA:source} ip_address=%{IP:ip_address}",
                    "%{TIMESTAMP_ISO8601:date} created=%{INT:created} created_by=%{WORD:created_by} type=%{WORD:audit_log_type} message=%{DATA:message} node=%{UUID:node} source=%{GREEDYDATA:source}"
                ]
            }
            overwrite => [ 'message' ]
        }
    }
  7. Click Save & Apply.
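Before saving the filter, it helps to know which fields the two grok patterns will actually produce, because those field names (audit_log_type, created_by, ip_address, node, and so on) are what your alert query will reference. The following Python script is an added example, not part of this article or of Nagios Log Server: it emulates the filter block with regular expressions that approximate the grok patterns, tries them in the same order grok does, applies the overwrite of the message field, tags lines that match neither pattern the way grok does (_grokparsefailure), and then selects the events a user-change alert would fire on. The sample log lines are constructed to fit the two patterns, and the audit_log_type value "user" is an assumption; confirm the real values in your dashboards before building the query.

```python
import re

# Python approximations of the grok patterns used in the filter block
# (TIMESTAMP_ISO8601, INT, WORD, DATA, GREEDYDATA, UUID, IP). They are close
# enough to exercise the two match strings offline; Logstash expands the real
# grok definitions at runtime.
_TS = (r"(?P<date>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:\.\d+)?)?"
       r"(?:Z|[+-]\d{2}:?\d{2})?)")
_HEAD = (_TS + r" created=(?P<created>\d+) created_by=(?P<created_by>\w+)"
         r" type=(?P<audit_log_type>\w+) message=(?P<message>.*?) ")
_UUID = (r"(?P<node>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
         r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12})")
_IP = r"(?P<ip_address>(?:\d{1,3}\.){3}\d{1,3})"

# Same order as the grok "message" array: the first pattern that matches wins.
PATTERNS = [
    # ... message=<DATA> source=<DATA> ip_address=<IP>
    re.compile(_HEAD + r"source=(?P<source>.*?) ip_address=" + _IP),
    # ... message=<DATA> node=<UUID> source=<GREEDYDATA>
    re.compile(_HEAD + r"node=" + _UUID + r" source=(?P<source>.*)"),
]

# Constructed sample lines shaped like the two grok patterns; they are not
# real audit log output, and the type values are assumptions.
SAMPLE_LINES = [
    "2021-01-22T09:52:00+00:00 created=1611309120 created_by=nagiosadmin type=user "
    "message=User jdoe was created source=Users ip_address=192.0.2.10",
    "2021-01-22T11:00:00+00:00 created=1611313200 created_by=nagiosadmin type=user "
    "message=User jdoe was deleted node=123e4567-e89b-12d3-a456-426614174000 source=Users",
    "2021-01-22T11:05:00+00:00 created=1611313500 created_by=jdoe type=login "
    "message=Successful login source=Login ip_address=192.0.2.11",
    "garbage line that matches neither pattern",
]


def parse_audit_line(raw: str) -> dict:
    """Emulate the filter block for one line of the audit log.

    The input block sets type => "nlsauditlog"; the grok block tries each
    pattern in order and, on a match, adds the captured fields, replacing the
    raw 'message' because of overwrite => ['message']. When nothing matches,
    grok leaves the event as it is and adds the _grokparsefailure tag.
    """
    event = {"type": "nlsauditlog", "message": raw}
    for pattern in PATTERNS:
        match = pattern.search(raw)
        if match:
            event.update(match.groupdict())
            return event
    event["tags"] = ["_grokparsefailure"]
    return event


def find_user_changes(lines, audit_type="user"):
    """Return the parsed events a user-change alert query would select.

    This mirrors a query such as audit_log_type:user on the dashboards.
    The value "user" is an assumption for this example, not a documented value.
    """
    return [event for event in map(parse_audit_line, lines)
            if event.get("audit_log_type") == audit_type]


if __name__ == "__main__":
    for event in find_user_changes(SAMPLE_LINES):
        print(f"{event['date']} {event['created_by']}: {event['message']}")
```

Running the script prints the two constructed user events and silently drops the login line and the unparseable line. Events that come back tagged _grokparsefailure are the ones to look at first when the alert never fires: they usually mean the audit log's real line format differs from the pattern, so the fields the query depends on were never created.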

Now you can use the dashboards to build a query and attach it to an alert; both steps are covered in the documentation linked below:

Analyzing-Logs-With-Nagios-Log-Server
Alerting-On-Log-Events-With-Nagios-Log-Server


Article ID: 888
Created On: Fri, Jan 22, 2021 at 9:52 AM
Last Updated On: Fri, Jan 22, 2021 at 11:00 AM
Authored by: rspielman

Online URL: https://support.nagios.com/kb/article/send-alerts-based-on-the-log-server-audit-log-888.html