This Nagios Log Server demo does not allow you to change all configuration settings (for security purposes). The demo automatically resets every hour on the top of the hour. Support and Documentation. Support Forum - Problems, comments, etc, should be directed to the support forum. This document describes how to setup encryption between Nagios Log Server and nxlog on Windows using self signed certificates. This document is intended for use by Nagios Log Server Administrators who would like encryption between NLS and their Windows.
R1<------------------------------------>Nagios syslog server
192.168.57.2----------------------------192.168.57.128
R1 config:
R1#show run
Building configuration...
*Dec 24 16:42:17.775: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 5799 bytes
!
! Last configuration change at 16:42:17 UTC Thu Dec 24 2015
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.57.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
logging history emergencies
logging trap debugging
logging source-interface FastEthernet0/0
logging host 192.168.57.128
no cdp log mismatch duplex
!
snmp-server community loc RO
snmp-server community public RO
snmp-server community private RW
snmp-server location FOB
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps gatekeeper
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps xgcp
snmp-server enable traps ospfv3 state-change
snmp-server enable traps ospfv3 errors
snmp-server enable traps ip local pool
snmp-server enable traps memory bufferpeak
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps dsp oper-state
snmp-server enable traps dsp video-usage
snmp-server enable traps dsp video-out-of-resource
snmp-server enable traps entity-sensor threshold
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps flash insertion removal
snmp-server enable traps srp
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ima
snmp-server enable traps bgp cbgp2
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
![Server Server](/uploads/1/2/4/8/124872757/204345532.png)
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps isis
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps bfd
snmp-server enable traps gdoi gm-start-registration
snmp-server enable traps gdoi gm-registration-complete
snmp-server enable traps gdoi gm-re-register
snmp-server enable traps gdoi gm-rekey-rcvd
snmp-server enable traps gdoi gm-rekey-fail
snmp-server enable traps gdoi ks-rekey-pushed
snmp-server enable traps gdoi gm-incomplete-cfg
snmp-server enable traps gdoi ks-no-rsa-keys
snmp-server enable traps gdoi ks-new-registration
snmp-server enable traps gdoi ks-reg-complete
snmp-server enable traps firewall serverstatus
snmp-server enable traps ike policy add
snmp-server enable traps ike policy delete
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
![Log Log](/uploads/1/2/4/8/124872757/587540555.jpg)
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps ipsla
snmp-server enable traps ccme
snmp-server enable traps srst
snmp-server enable traps voice
snmp-server enable traps dnis
snmp-server enable traps alarms informational
snmp-server enable traps rf
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
transport input all
!
!
end
R1#
--------------------------
Show log result on R1:
R1#show log
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 670 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 672 messages logged, xml disabled,
filtering disabled
Exception Logging: size (8192 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level debugging, 635 message lines logged
Logging to 192.168.57.128 (udp port 514, audit disabled,
link up),
610 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Logging Source-Interface: VRF Name:
FastEthernet0/0
Log Buffer (8192 bytes):
----------------------------------------------------------------------
Nagios config:
I do not receive any log from R1 send to Nagios log server.
Please advise.
Thanks
Loc
Overview
This KB article explains how to configure syslog to send multi-line logs to Nagios Log Server (NLS).
What is a multi-line log? This is when the data that encompasses the entire event is spread across multiple lines in the log file. For example:
Normally when you configure syslog to send a custom log file to NLS it is sent on a line-by-line basis. This can make it complicated to review the logs on NLS as it will be displayed as multiple events.
In the example above, you can see the first line starts with the date time format yyyy.mm.dd hh:mm:ss:ms. Every entry recorded in this log file will always have this first line formatted this way. Syslog can be configured to identify this string and then send the entire data to NLS as a multi-line log.
NLS will also have an extra configuration input added to handle the incoming multi-line data.
This KB article will walk you through the steps to implement this.
Scenario Details
To properly demonstrate how this works, the following KB article will use the log file /var/log/AuditLog.log to send to NLS.
To simulate a multiple line log entry being added to the log, a second file will be created called /var/log/test.log with the following contents:
The following command in a terminal session will append the data to the /var/log/AuditLog.log:
Using those steps you will be able to successfully follow this KB article and confirm the functionality works. Every time the command is executed above, a multi-line entry is added to the /var/log/AuditLog.log log file. Even though technically the date is incorrect this will not matter, it's simply an example.
Configure Nagios Log Server
The first step is to configure the NLS input to identify multi-line logs.
Log into your NLS web interface and navigate to Administration > Global Configuration.
Under Inputs use the + Add input input drop down list and click Custom. This will add a new block underneath.
Give it a name such as Syslog Multiline.
In the text area add the following:
Click the Save button.
Then click the Verfiy button above to ensure this is a valid configuration.
Once the verification process is OK, in the left pane under Configuration Editor click Apply Configuration.
Click the Apply button.
Click Yes, Apply Now
Once this process has finished you can continue onto the next section. You'll return back to NLS once syslog has been configured.
The input that was just added is listening on port 6677, this will be used in the steps below when configuring syslog.
What was does all of that mean?
The line codec => multiline { tells Logstash to use the multiline codec filter.
The pattern tells Logstash that the following sting format is first line of a log entry:
- This is a regular expression (regex)
- The ^ means that the line begins with this pattern
- [0-9]{4} indicates that there are four digits in the range 0 to 9 (the year)
- The . period matches a single character, without caring what that character is. This represents the character that separates the year and the month, it's just co-incidental that this character is actually a . period.
- [0-9]{2} indicates that there are two digits in the range 0 to 9 (the month)
- The . period matches a single character.
- [0-9]{2} indicates that there are two digits in the range 0 to 9 (the day)
Basically it's saying this is the format of the string which needs to be matched:
Remember the example we have:
The negate line:
true means that a received message not matching the pattern will constitute a match of the multiline filter and the what will be applied.
The what line:
previous says that any line not starting with the pattern should be merged with the previous line.
The type line:
Is how this received entry is indexed as, it will help with searches later.
Configure syslog
Establish a terminal session to the Linux server that has the log file in question.
Syslog is going to be configured to watch the /var/log/AuditLog.log log file and send it to NLS. This example will use the NLS with the address 10.25.5.99 and it is listening on port 5566.
In your terminal session execute these commands:
This will create a syslog configuration file called /etc/rsyslog.d/90-nagioslogserver_var_log_AuditLog.log.conf.
A change needs to be made to this configuration file, edit the file in the vi editor using the following command:
When using the vi editor, to make changes press i on the keyboard first to enter insert mode. Press Esc to exit insert mode.
Make the changes highlighted in bold:
You can see that the line $template clean,'%rawmsg%' was added and ;clean was added to the end of the second last line.
This will change the rsyslog configuration to apply the clean filter, which is just sending the raw message using rsyslog's %rawmsg% macro.
When you have finished, save the changes in vi by typing:
and press Enter.
Finally you need to restart the rsyslog service with the following command:
Test
Now you can test that it is working by executing the following command on your Linux machine:
Now open the NLS web interface and navigate to Dashboards.
You should now see an entry like the following:
Summary
This KB article showed you how to use syslog to send multi-line log files to Nagios Log Server. Armed with this information you should be able to apply this to your situation.
Final Thoughts
For any support related questions please visit the Nagios Support Forums at: