Which 2 fields in Elasticsearch can be used for a time unsync comparison?

{
  "query": {
    "query_string": {
      "query": "(\"NTP server status changes to unreachable\" OR \"Global time setting changed by NTP\") AND devname:(ABC)",
      "default_field": "logdesc"
    }
  }
}

If you are looking for help in this forum it helps to describe the issue and setup you have in detail. The more effort you put into explaining your use case and issue, the better the chance to receive a good and relevant answer.

Whenever I personally see a short post like yours without any context I tend to avoid it, as it usually ends up in a protracted back and forth to extract the relevant information and define the exact issue, which requires a lot of effort.

Please also do not start multiple different threads around the same issue.

Preceding your second query in an hour with "Urgent" doesn't achieve anything. It's a community forum. It's a Saturday. It's not at all urgent for those of us who might answer your query, though you are so far going about it the wrong way. You opened a thread in Oct 2023 with "I'm new in elastic Search and consulting" - that doesn't really apply now!? And that 2023 post had exactly the "back and forth" Christian described.

Free advice:

  1. If you have an urgent need and a support contract, open a support ticket at Elastic
  2. If you have urgent needs and no support contract, urgently get a support contract, which will come with some form of SLA.
  3. Alternatively, urgently find another consultant.
  4. Otherwise describe your issue in MUCH more detail, e.g. which versions, integrations, sample documents, what have you tried, what doesn't work as expected, etc. And then be patient!

NTP server status changes to unreachable: which 2 fields in Elastic can be used for comparison for a time unsync issue?

There are no out of the box capabilities / fields in Elasticsearch that will accomplish this.

As others have said, this is a public forum, there is no urgent, and we will only put the effort in that you do.

That said:

You are going to need to do something like the following, or perhaps this GitHub repo, which is old but pretty close, here

  1. Write a script to output the status into a log file (you can use ChatGPT to do this); I did, it took 2 mins.

  2. Create a cron job to run it, example every 1 minute

  3. Then use Filebeat, Logstash or Elastic agent to ship those logs to elasticsearch

  4. Then analyze or alert on that data

Sample script and cron generated by ChatGPT. Please check, as it may not be accurate.

#!/bin/bash
# Logs the host's NTP synchronization state once per run. Meant to be run from
# cron every minute; the log file is then shipped to Elasticsearch with
# Filebeat, Logstash or Elastic Agent.

LOG_FILE="/var/log/ntp_check.log"
TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")

log() {
    echo "[$TIMESTAMP] $1" | tee -a "$LOG_FILE"
}

log "Checking NTP synchronization status..."

# chronyd: the currently selected source is marked "^*" at the start of its line
# in "chronyc sources" (the -v header text is deliberately not grepped).
if systemctl is-active --quiet chronyd; then
    log "Using chronyd:"
    chronyc tracking | tee -a "$LOG_FILE"
    chronyc sources | tee -a "$LOG_FILE"
    if chronyc sources | grep -q '^\^\*'; then
        log "NTP is synchronized."
    else
        log "NTP is NOT synchronized."
    fi
    exit 0
fi

# ntpd: the system peer is marked "*" in the first column of "ntpq -pn" output.
if systemctl is-active --quiet ntpd; then
    log "Using ntpd:"
    ntpq -pn | tee -a "$LOG_FILE"
    if ntpq -pn | grep -q '^\*'; then
        log "NTP is synchronized."
    else
        log "NTP is NOT synchronized."
    fi
    exit 0
fi

# systemd-timesyncd: older timedatectl prints "NTP synchronized: yes",
# newer versions print "System clock synchronized: yes"; accept both.
if systemctl is-active --quiet systemd-timesyncd; then
    log "Using systemd-timesyncd:"
    STATUS=$(timedatectl status)
    echo "$STATUS" >> "$LOG_FILE"
    if echo "$STATUS" | grep -Eq '^ *(NTP|System clock) synchronized: yes'; then
        log "NTP is synchronized."
    else
        log "NTP is NOT synchronized."
    fi
    exit 0
fi

log "No known NTP service is running."
exit 1

Sample cron

To run the NTP check script every minute using cron, follow these steps:

Step 1: Save the Script

Assume you save the script as:

/usr/local/bin/check_ntp.sh

Make it executable:

sudo chmod +x /usr/local/bin/check_ntp.sh

Step 2: Create a Cron Job

Edit the root user's crontab (since logging to /var/log usually requires root privileges):

sudo crontab -e

Add this line to run the script every minute:

* * * * * /usr/local/bin/check_ntp.sh

This line tells cron to run the script every minute of every hour, day, month, and weekday.

This will be my only response, unless you respond with a well-constructed question.

Thank you for your reply. What about writing an alert in Watcher? Can it do it for a time sync issue? Thanks.

After you have the data, yes you can write a watcher alert but you need to get the ntp sync data first... just a watcher without the data will not work.

What version of Elastic Stack are you on?

From you :

  1. Write a script to output the status into a log file - about time sync issues first

  2. Create a cron job to run it, example every 1 minute

  3. Then use Filebeat, Logstash or Elastic agent to ship those logs to elasticsearch

  4. Then analyze or alert on that data

What about if I check from the firewall log that there is an error message talking about "NTP server status changes to unreachable"? If the number of these errors was a lot, does it also represent a time unsync issue? Thanks.

Now, I am using version 7.17.7.

Perhaps... I don't know.... not my area of speciality. I do not know which FW logs you have and whether that is accurate... you will need to decide what "Data" you want to determine if NTP is out of sync.

If you provide samples of those logs perhaps someone can help, otherwise we are just guessing...

You have options, I would look into them, and then come back with details... we cannot really solve this for you... you are going to need to determine what data you will use first, that is up to you.

Perhaps you should take a look at
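As an added example that is not part of any post in this thread, the following Python shows the "analyze or alert on that data" step from the four-step procedure above, and the later question about what a large number of the firewall's "NTP server status changes to unreachable" messages means, over constructed sample data. It parses the verdict lines the check_ntp.sh script writes and takes the latest verdict, and it counts unreachable messages per devname within a look-back window. The timestamps, the devnames ABC and XYZ, the 15-minute window and the threshold of 3 messages are all assumptions for illustration; the same window/threshold logic is what you would express against the shipped documents in Elasticsearch once they exist.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
CHECK_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")

# The two firewall logdesc strings from the query at the top of the thread.
UNREACHABLE = "NTP server status changes to unreachable"
TIME_CHANGED = "Global time setting changed by NTP"

# Constructed sample output in the format check_ntp.sh writes (hypothetical data).
CHECK_LOG = """\
[2024-05-04 10:00:01] Checking NTP synchronization status...
[2024-05-04 10:00:01] Using chronyd:
[2024-05-04 10:00:01] NTP is synchronized.
[2024-05-04 10:01:01] Checking NTP synchronization status...
[2024-05-04 10:01:01] Using chronyd:
[2024-05-04 10:01:01] NTP is NOT synchronized.
[2024-05-04 10:02:01] Checking NTP synchronization status...
[2024-05-04 10:02:01] No known NTP service is running.
"""

# Constructed firewall events as (timestamp, devname, logdesc); devnames are hypothetical.
FW_EVENTS = [
    ("2024-05-04 09:50:00", "ABC", UNREACHABLE),
    ("2024-05-04 09:55:00", "ABC", UNREACHABLE),
    ("2024-05-04 10:00:00", "ABC", UNREACHABLE),
    ("2024-05-04 10:01:00", "ABC", TIME_CHANGED),
    ("2024-05-04 08:00:00", "XYZ", UNREACHABLE),  # too old to fall in the window
    ("2024-05-04 10:02:00", "XYZ", TIME_CHANGED),
]

NOW = datetime(2024, 5, 4, 10, 5, 0)   # assumed evaluation time for the example
WINDOW = timedelta(minutes=15)         # assumed look-back window
THRESHOLD = 3                          # assumed burst threshold

# Verdict lines the script emits, mapped to a short status value.
VERDICTS = {
    "NTP is synchronized.": "synced",
    "NTP is NOT synchronized.": "unsynced",
    "No known NTP service is running.": "no_service",
}


def parse_check_log(text):
    """Return (timestamp, status) for each verdict line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = CHECK_LINE.match(line)
        if m and m["msg"] in VERDICTS:
            events.append((datetime.strptime(m["ts"], TS_FMT), VERDICTS[m["msg"]]))
    return events


def latest_status(text):
    """Most recent verdict, or 'unknown' if the log has none (e.g. cron stopped running)."""
    events = parse_check_log(text)
    return max(events)[1] if events else "unknown"


def unreachable_counts(events, now, window):
    """Number of 'unreachable' messages per devname within [now - window, now]."""
    start = now - window
    counts = Counter()
    for ts_str, devname, logdesc in events:
        ts = datetime.strptime(ts_str, TS_FMT)
        if logdesc == UNREACHABLE and start <= ts <= now:
            counts[devname] += 1
    return dict(counts)


def alerts(check_text, fw_events, now=NOW, window=WINDOW, threshold=THRESHOLD):
    """Alert lines: the host is not synced per its own check, or a device shows a
    burst of unreachable messages. A burst by itself says the NTP server could not
    be reached, not that the clock has drifted; the host-side check is the direct
    signal, so both are reported separately."""
    out = []
    status = latest_status(check_text)
    if status != "synced":
        out.append(f"host: latest check reports {status}")
    minutes = int(window.total_seconds() // 60)
    for devname, n in sorted(unreachable_counts(fw_events, now, window).items()):
        if n >= threshold:
            out.append(f"{devname}: {n} unreachable messages in the last {minutes} min")
    return out


if __name__ == "__main__":
    for line in alerts(CHECK_LOG, FW_EVENTS):
        print(line)
```

With the constructed data the host's latest verdict is "no_service" and ABC has three unreachable messages inside the window, so both are reported, while XYZ's single old message is not.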

Thank you for your reply. Do you have LinkedIn? Thanks.