Good morning everyone. I'm early in the Elastic Stack learning curve, and I'm working on parsing some nagios logs this morning. I have nagios logging to syslog, and can use the pattern file located on the herokuapp grok debugger site to parse individual lines. (Patterns here: Grok Debugger)
I know that I can set up conditionals in my logstash filter to use each established pattern in the provided file such as:
match => { "message" => "%{NAGIOSTIME} %{NAGIOS_CURRENT_HOST_STATE}" }
match => { "message" => "%{NAGIOSTIME} %{NAGIOS_CURRENT_SERVICE_STATE}" }
but, from the looks of the file provided on herokuapp, I feel like most of the parsing work is already done for me, and I just don't know how to use it.
For example, I have two different log lines:
[1618027200] CURRENT HOST STATE: AdmissionGate1;UP;HARD;1;PING OK - Packet loss = 0%, RTA = 4.88 ms
[1618027200] CURRENT SERVICE STATE: AdmissionGate2;HTTP;OK;HARD;1;HTTP OK: HTTP/1.1 302 Found - 480 bytes in 0.120 second response time
Will I need to build a config file with separate match patterns, or is there a graceful way to just use all of the patterns in the file?
I'm very grateful for any advice provided.
Thank you!
Kevin
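As an added illustration (not part of Kevin's post, and not code from Logstash or the grok pattern library), here is a small Python model of what grok does with a pattern file and a match array: every `%{NAME:field}` reference is expanded recursively into a named regex group, and the patterns listed in `match` are tried in order until one fits, which is how the Logstash grok filter behaves with `match => { "message" => [ "...", "..." ] }`. The pattern definitions are a constructed, simplified subset written in the style of the grok nagios pattern file; the field names (`nagios_hostname`, `nagios_state`, ...) and the cut-down `NUMBER` regex are assumptions, so check the real file for the exact definitions.

```python
import re

# Constructed, simplified excerpt in the style of the grok "nagios" pattern
# file. Field names are assumptions; check the real file for the exact ones.
PATTERN_FILE = r"""
NUMBER [+-]?[0-9]+(?:\.[0-9]+)?
DATA .*?
GREEDYDATA .*
NAGIOSTIME \[%{NUMBER:nagios_epoch}\]
NAGIOS_TYPE_CURRENT_SERVICE_STATE CURRENT SERVICE STATE
NAGIOS_TYPE_CURRENT_HOST_STATE CURRENT HOST STATE
NAGIOS_CURRENT_SERVICE_STATE %{NAGIOS_TYPE_CURRENT_SERVICE_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}
NAGIOS_CURRENT_HOST_STATE %{NAGIOS_TYPE_CURRENT_HOST_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}
"""

# Stand-in for a Logstash grok "match" array: patterns are tried in order and
# the first one that matches wins (break_on_match => true, the default).
MATCH = [
    "%{NAGIOSTIME} %{NAGIOS_CURRENT_HOST_STATE}",
    "%{NAGIOSTIME} %{NAGIOS_CURRENT_SERVICE_STATE}",
]

REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{NAME} or %{NAME:field}


def load_patterns(text):
    """Parse 'NAME regex' lines into a dict, skipping blanks and # comments."""
    patterns = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, regex = line.partition(" ")
        patterns[name] = regex
    return patterns


def expand(pattern, patterns, depth=0):
    """Recursively replace every %{NAME[:field]} reference with real regex."""
    if depth > 32:
        raise ValueError("pattern references nested too deeply (cycle?)")

    def sub(m):
        name, field = m.group(1), m.group(2)
        if name not in patterns:
            raise KeyError("unknown grok pattern %%{%s}" % name)
        body = expand(patterns[name], patterns, depth + 1)
        # A reference with a field name becomes a named capture group;
        # a bare reference stays a non-capturing group.
        return "(?P<%s>%s)" % (field, body) if field else "(?:%s)" % body

    return REF.sub(sub, pattern)


def compile_matchers(match_list, patterns):
    """Expand and compile each entry of the match array once, up front."""
    return [re.compile(expand(p, patterns)) for p in match_list]


def grok(line, matchers):
    """Return the captured fields, or a _grokparsefailure tag like Logstash."""
    for rx in matchers:
        # grok searches rather than anchors unless the pattern starts with ^
        m = rx.search(line)
        if m:
            return {k: v for k, v in m.groupdict().items() if v is not None}
    return {"tags": ["_grokparsefailure"]}


# The two log lines from the question plus one constructed non-matching line.
SAMPLE_LINES = [
    "[1618027200] CURRENT HOST STATE: AdmissionGate1;UP;HARD;1;PING OK - Packet loss = 0%, RTA = 4.88 ms",
    "[1618027200] CURRENT SERVICE STATE: AdmissionGate2;HTTP;OK;HARD;1;HTTP OK: HTTP/1.1 302 Found - 480 bytes in 0.120 second response time",
    "[1618027200] Nagios 4.4.6 starting... (PID=1234)",
]


def parse_samples():
    """Run every sample line through the match array and collect the events."""
    matchers = compile_matchers(MATCH, load_patterns(PATTERN_FILE))
    return [grok(line, matchers) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for event in parse_samples():
        print(event)
```

In Logstash itself this is one grok filter with both patterns in an array under `match` (plus `patterns_dir` pointing at the downloaded file if the patterns are not among those bundled with the plugin), so no conditionals are needed to pick the pattern per line. Two things worth keeping from the model: a line that no pattern matches is tagged `_grokparsefailure` rather than dropped, and that tag deserves its own alert in a monitoring pipeline, since a Nagios state change that silently fails to parse is the failure mode that matters; and because grok searches rather than anchors, starting each pattern with `^` keeps those failed matches cheap.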