There may be situations where you want to create alerts based on the Log Server audit log. For example, you may want to send email alerts when a Nagios Log Server user is created, modified or deleted.

First, define a file input that reads the audit log and tags every line it produces with the type nlsauditlog:

    file {
        type => "nlsauditlog"
        path => "/usr/local/nagioslogserver/var/auditlog.log"
    }
Then add a filter that applies grok only to events of that type. Grok tries the two match strings in order and the first one that matches wins: the first pattern covers entries that end in an ip_address field, the second covers entries that carry a node UUID and a free-form source instead. The overwrite option replaces the raw log line held in the message field with the parsed message text, so your alert query can search that field directly:

    if [type] == 'nlsauditlog' {
        grok {
            match => {
                "message" => [
                    "%{TIMESTAMP_ISO8601:date} created=%{INT:created} created_by=%{WORD:created_by} type=%{WORD:audit_log_type} message=%{DATA:message} source=%{DATA:source} ip_address=%{IP:ip_address}",
                    "%{TIMESTAMP_ISO8601:date} created=%{INT:created} created_by=%{WORD:created_by} type=%{WORD:audit_log_type} message=%{DATA:message} node=%{UUID:node} source=%{GREEDYDATA:source}"
                ]
            }
            overwrite => [ 'message' ]
        }
    }
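To check what the filter above will extract before you build the alert, here is an added Python example (not from this article or from Nagios) that converts the same two grok match strings into regular expressions, runs them over a few constructed audit log lines, and picks out the user-account changes the alert is meant to catch. The simplified pattern definitions and the wording of the sample messages are assumptions.

```python
import re
from typing import Optional

# Simplified regex equivalents of the grok patterns used in the filter
# (assumption: narrower than grok's own definitions, sufficient for these lines).
PATTERNS = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2})?(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
    "INT": r"[+-]?\d+",
    "WORD": r"\w+",
    "DATA": r".*?",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "UUID": r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}",
    "GREEDYDATA": r".*",
}

# The two match strings from the grok filter, verbatim.
GROK_MATCHES = [
    "%{TIMESTAMP_ISO8601:date} created=%{INT:created} created_by=%{WORD:created_by} type=%{WORD:audit_log_type} message=%{DATA:message} source=%{DATA:source} ip_address=%{IP:ip_address}",
    "%{TIMESTAMP_ISO8601:date} created=%{INT:created} created_by=%{WORD:created_by} type=%{WORD:audit_log_type} message=%{DATA:message} node=%{UUID:node} source=%{GREEDYDATA:source}",
]

def grok_to_regex(grok: str) -> "re.Pattern":
    """Turn each %{NAME:field} token into a named group; escape the literal text between tokens."""
    out, pos = [], 0
    for m in re.finditer(r"%\{(\w+):(\w+)\}", grok):
        out.append(re.escape(grok[pos:m.start()]))
        out.append(f"(?P<{m.group(2)}>{PATTERNS[m.group(1)]})")
        pos = m.end()
    out.append(re.escape(grok[pos:]))
    return re.compile("".join(out))

COMPILED = [grok_to_regex(g) for g in GROK_MATCHES]

def parse_audit_line(line: str) -> Optional[dict]:
    """Apply the match strings in order, as grok does; the first hit wins, no hit means _grokparsefailure."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.groupdict()
    return None

# Constructed sample lines shaped like the two grok patterns (message wording is an assumption).
SAMPLE_LINES = [
    "2021-01-22T09:52:00 created=1611309120 created_by=nagiosadmin type=INFO message=User bob was created source=Web UI ip_address=192.168.1.10",
    "2021-01-22T09:53:10 created=1611309190 created_by=nagiosadmin type=INFO message=Dashboard saved source=Web UI ip_address=192.168.1.10",
    "2021-01-22T10:15:42 created=1611310542 created_by=system type=INFO message=User bob was deleted node=123e4567-e89b-12d3-a456-426614174000 source=api",
]

USER_CHANGE = re.compile(r"\buser\b.*\b(created|modified|deleted)\b", re.IGNORECASE)

def user_change_events(lines) -> list:
    """Return the parsed events whose message records a user being created, modified or deleted."""
    return [ev for ev in map(parse_audit_line, lines) if ev and USER_CHANGE.search(ev["message"])]
```

Running user_change_events(SAMPLE_LINES) returns the two user-account events and skips the dashboard save; a line that matches neither pattern comes back as None, which is the case grok tags with _grokparsefailure.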
Now you can use the dashboards to build a query that matches those audit events and use it in an alert; see the documentation linked below:

Analyzing-Logs-With-Nagios-Log-Server
Alerting-On-Log-Events-With-Nagios-Log-Server
Article ID: 888
Created On: Fri, Jan 22, 2021 at 9:52 AM
Last Updated On: Fri, Jan 22, 2021 at 11:00 AM
Authored by: rspielman
Online URL: https://support.nagios.com/kb/article/send-alerts-based-on-the-log-server-audit-log-888.html