Logstash filter not working for Nagios


(Rijin) #1

My Logstash Conf

input {
  beats {
    port => "5043"
    type => "nagios"
  }

  udp {
    port => 9010
    type => "ossec"
  }
}

filter {
  if [type] == "ossec" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}: Alert Level: %{NONNEGINT:Alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:Location}; (user: %{USER:User};%{SPACE})?(srcip: %{IP:Src_IP};%{SPACE})?(user: %{USER:User};%{SPACE})?(dstip: %{IP:Dst_IP};%{SPACE})?(src_port: %{NONNEGINT:Src_Port};%{SPACE})?(dst_port: %{NONNEGINT:Dst_Port};%{SPACE})?%{GREEDYDATA:Details}" }
      add_field => { "ossec_server" => "%{host}" }
    }
    mutate {
      remove_field => [ "message", "syslog_timestamp", "syslog_program", "syslog_host", "syslog_message", "syslog_pid", "@version", "type", "host" ]
    }
  }

  if [type] == "nagios" {
    grok {
      # The square brackets around the epoch are regex metacharacters in grok and must be escaped
      match => { "message" => "\[%{NUMBER:nagios_epoch}\] %{NAGIOS_TYPE_SERVICE_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt_times};%{GREEDYDATA:Details}" }
    }

    mutate {
      remove_field => [ "message", "nagios_epoch" ]
    }
  }
}

output {
  elasticsearch { hosts => ["192.168.136.49:9200"] }
  stdout { codec => rubydebug }
}


Here the OSSEC filter is working well, filtering the OSSEC logs and displaying them.

But for Nagios this filter is not working. Logs from Nagios are showing up without any change.

Tested log:

[1491834604] SERVICE ALERT: 192.168.136.18;Load;OK;HARD;5;OK - load average: 3.53, 1.79, 0.70

Only this log is present in the log file created for testing (on the Nagios machine).

Kibana output:

April 18th 2017, 23:54:39.785 @timestamp:April 18th 2017, 23:54:39.785 offset:94 @version:1 input_type:log beat.hostname:localhost.localdomain beat.name:localhost.localdomain beat.version:5.3.0 host:localhost.localdomain source:/usr/local/nagios/var/nagios1.log message:[1491834604] SERVICE ALERT: 192.168.136.18;Load;OK;HARD;5;OK - load average: 3.53, 1.79, 0.70 type:log tags:beats_input_codec_plain_applied _id:AVuCT087479KC7HNy-Mo _type:log _index:logstash-2017.04.18 _score: -


The filter was tested with the grokdebug.herokuapp website and is suitable for this log.

OSSEC logs are filtered and working well. When I check with the
"./bin/logstash --config.test_and_exit" command, the configuration is OK.

The OSSEC server and Nagios server are on different machines.
Logs reach Logstash from both machines, but the Nagios filter is not working.

Thank you all :slight_smile:


(Magnus Bäck) #2

Filebeat is assigning your events the type "log" and the beats input won't overwrite this. Adjust your Filebeat config to give them the right type from the beginning and things should work just fine.
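The Filebeat-side change described above, as an added example that is not from the thread. It assumes Filebeat 5.x (matching the beat.version 5.3.0 in the Kibana output), where the prospector option document_type sets the event's type field; the log path and Logstash port are taken from the thread, and LOGSTASH_HOST is a placeholder:

```yaml
# filebeat.yml (Filebeat 5.x) on the Nagios machine
filebeat.prospectors:
  - input_type: log
    paths:
      - /usr/local/nagios/var/nagios1.log
    # Sets [type] to "nagios" at the source, so the beats input in Logstash
    # keeps it and the existing `if [type] == "nagios"` branch matches.
    document_type: nagios

output.logstash:
  hosts: ["LOGSTASH_HOST:5043"]
```

Check the result with the rubydebug stdout output already in the pipeline: parsed events should now carry nagios_type, nagios_hostname and the other grok fields instead of the raw message. In Filebeat 6.x and later document_type was removed; use fields with fields_under_root: true to add a custom field and test that field in the Logstash conditional instead.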


(Rijin) #3

OK, thanks Magnus Bäck. I will check.


(Rijin) #4

Hi, I changed the configuration in the Logstash filter: changed the type from "nagios" to "log" at input { } and filter { if [type] == "log" }.

Now the filter is parsing logs. Working well.

But I am looking to use the "nagios" type. I will change the type in the Filebeat and Logstash configs to "nagios" and update with the result.


(Rijin) #5

Thanks for your valuable time Mr. Magnus Bäck :relaxed:


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.