Seeking advice on parsing Nagios logs using pre-built pattern files from herokuapp.com

Good morning everyone. I'm early in the Elastic Stack learning curve, and I'm working on parsing some nagios logs this morning. I have nagios logging to syslog, and can use the pattern file located on the herokuapp grok debugger site to parse individual lines. (Patterns here: Grok Debugger)

I know that I can set up conditionals in my logstash filter to use each established pattern in the provided file such as:

match => { "message" => "%{NAGIOSTIME} %{NAGIOS_CURRENT_HOST_STATE}" }
match => { "message" => "%{NAGIOSTIME} %{NAGIOS_CURRENT_SERVICE_STATE}" }

but, from the looks of the file provided on herokuapp, I feel like most of the parsing work is already done for me, and I just don't know how to use it.

For example, I have two different log lines:

[1618027200] CURRENT HOST STATE: AdmissionGate1;UP;HARD;1;PING OK - Packet loss = 0%, RTA = 4.88 ms
[1618027200] CURRENT SERVICE STATE: AdmissionGate2;HTTP;OK;HARD;1;HTTP OK: HTTP/1.1 302 Found - 480 bytes in 0.120 second response time

Will I need to build a config file with separate match patterns, or is there a graceful way to just use all of the patterns in the file?

I'm very grateful for any advice provided.

Thank you!
Kevin

The patterns include one that is an alternation of all the patterns, so I think you should be able to do

match => { "message" => "^%{NAGIOSLOGLINE}" }
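To see what the alternation in the reply actually does to the two sample lines, here is the same idea worked through outside Logstash. This is an added example, not code from the thread or from the grok patterns file: plain Python regexes that mirror the shape of NAGIOSTIME, NAGIOS_CURRENT_HOST_STATE and NAGIOS_CURRENT_SERVICE_STATE, tried in order the way NAGIOSLOGLINE tries its alternatives. The field names (nagios_epoch, nagios_hostname, nagios_state, and so on) are my recollection of the logstash-patterns-core nagios file and should be checked against the copy you load; the third sample line is constructed to show what happens when nothing matches.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the two lines from the post plus one that no
# pattern in this example covers.
SAMPLE_LINES = [
    "[1618027200] CURRENT HOST STATE: AdmissionGate1;UP;HARD;1;PING OK - Packet loss = 0%, RTA = 4.88 ms",
    "[1618027200] CURRENT SERVICE STATE: AdmissionGate2;HTTP;OK;HARD;1;HTTP OK: HTTP/1.1 302 Found - 480 bytes in 0.120 second response time",
    "[1618027200] LOG ROTATION: DAILY",
]

# Regex equivalents of the grok building blocks. Field names follow the
# logstash-patterns-core nagios file as I remember it (assumption; verify
# against the pattern file you actually use).
NAGIOSTIME = r"^\[(?P<nagios_epoch>\d+)\] "   # '^' anchors, as in the reply
DATA = r"[^;]*"        # grok DATA (.*?) bounded by the ';' delimiter
GREEDYDATA = r".*"     # grok GREEDYDATA: everything to end of line


def _fields(*names):
    """Join named DATA groups with ';' so the record shape is explicit."""
    return ";".join(rf"(?P<{n}>{DATA})" for n in names)


# Each entry mirrors one NAGIOS_* pattern; the list as a whole plays the
# role of the NAGIOSLOGLINE alternation, tried top to bottom.
PATTERNS = [
    ("NAGIOS_CURRENT_HOST_STATE", re.compile(
        NAGIOSTIME + r"(?P<nagios_type>CURRENT HOST STATE): "
        + _fields("nagios_hostname", "nagios_state",
                  "nagios_statetype", "nagios_statecode")
        + rf";(?P<nagios_message>{GREEDYDATA})$")),
    ("NAGIOS_CURRENT_SERVICE_STATE", re.compile(
        NAGIOSTIME + r"(?P<nagios_type>CURRENT SERVICE STATE): "
        + _fields("nagios_hostname", "nagios_service", "nagios_state",
                  "nagios_statetype", "nagios_statecode")
        + rf";(?P<nagios_message>{GREEDYDATA})$")),
]


def parse_nagios_line(line):
    """Return the event for the first matching pattern.

    When nothing matches, tag the raw line with _grokparsefailure (the tag
    Logstash's grok filter adds) so unparsed lines stay visible instead of
    silently disappearing from your dashboards.
    """
    for name, rx in PATTERNS:
        m = rx.match(line)
        if m:
            event = m.groupdict()
            event["matched_pattern"] = name
            # nagios_epoch is Unix time; convert it to a UTC timestamp.
            event["@timestamp"] = datetime.fromtimestamp(
                int(event["nagios_epoch"]), tz=timezone.utc).isoformat()
            return event
    return {"message": line, "tags": ["_grokparsefailure"]}


def parse_nagios_lines(lines):
    return [parse_nagios_line(line) for line in lines]


if __name__ == "__main__":
    for event in parse_nagios_lines(SAMPLE_LINES):
        print(event)
```

The practical check this gives you: the third line comes back tagged `_grokparsefailure`, which is exactly what Logstash does when `^%{NAGIOSLOGLINE}` matches none of its alternatives. Watch for that tag in your index; a steady stream of it means the pattern file does not cover some line type your Nagios emits, and those events are not being parsed.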

Wow @Badger , it IS that easy. Thanks so much for the speedy reply. I had seen this, and tried it, but of course, had a syntax error, and my file didn't parse. It now does its job beautifully.

Thanks again,

Kevin
