System Log monitoring with nagios?
Jim Mozley
jim.mozley at exponential-e.com
Mon Mar 22 11:07:27 CET 2004
Jeffery P. Humes wrote:
> What is everyone out there doing for system log monitoring with Nagios.
>
> I am just looking to monitor the normal logs for regex and report the
> stuff I want.
A check of the archives should find submissions from myself and (even
better) Stanley Hopcroft regarding this.
In summary, apart from using the syslog monitoring plugins one can use
SEC/swatch or similar to watch the log file(s) and then a script to pass
events of interest into Nagios as passive checks.
From a previous post (in thread "check_log not working properly"):
The following is a setup for using syslog-ng, swatch and a script to
pass passive events into Nagios. This is based on getting syslog
messages from a set of network devices, although the same principle
would apply to hosts. I've tried to make the example fairly generic, for
instance we generate the nagios config for this automatically from
device configurations, so please don't copy/paste this without
understanding what's going on.
1. Define services in Nagios. For instance if you want to monitor MPLS
messages for each network device define an MPLS service as below.
#Service definition template
define service{
        name                            mpls-service-template
        active_checks_enabled           0       ; results arrive only through the command pipe
        passive_checks_enabled          1
        parallelize_check               1
        obsess_over_service             0
        check_freshness                 0
        freshness_threshold             28800
        notifications_enabled           1
        event_handler_enabled           1
        flap_detection_enabled          1
        process_perf_data               1
        retain_status_information       1
        retain_nonstatus_information    1
        register                        0       ; template only, not a real service
        is_volatile                     1       ; every non-OK log event notifies again
        check_period                    none
        max_check_attempts              1       ; straight to a hard state
        normal_check_interval           5
        retry_check_interval            1
        contact_groups                  network-admins
        notification_interval           120
        notification_period             24x7
        notification_options            w,c,r
        }

define service{
        use                             mpls-service-template   ; template
        host_name                       host1
        service_description             mpls
        check_command                   ""
        }
2. Configure syslog-ng. Once you have got your config file ready you
will need to disable the native syslog daemon and start syslog-ng.
syslog-ng config; this is for Solaris, the source may need to change for
Linux/BSD:
options {
        keep_hostname(off);     # name the sender by its source address, not by what the packet claims
        long_hostnames(off);
        sync(1);
        log_fifo_size(2048);
        bad_hostname("%");
};

source all {
        sun-stream("/dev/log" door("/etc/.syslog_door"));
        internal();
        udp();                  # 514/udp on every interface; restrict with ip()/port() or a firewall
};

# Put each day's log in a separate file within a directory for
# each host.
destination d_hosts {
        file("/var/log/hosts/$HOST/$HOST-$YEAR$MONTH$DAY"
             owner(root) group(syslog) perm(0660) dir_perm(0750)
             create_dirs(yes));
};

# To send messages to swatch
destination d_swatch {
        program("/usr/local/bin/swatch --config-file=/etc/swatchrc --read-pipe=\"cat /dev/fd/0\"");
};

# log all messages in a directory per host
log {
        source(all);
        destination(d_hosts);
};

# send all logs to swatch
log {
        source(all);
        destination(d_swatch);
};
3. Install and configure swatch.
Sample line from swatchrc

watchfor /pattern-i-want-to-match/
        exec /path/to/my/script.pl $*
So for instance, if you are looking out for MPLS messages and your
devices include "MPLS" in these syslog messages, match the pattern /MPLS/.
4. Create the script
This should build a passive command based on the contents of the syslog
message.
For instance it might contain elements such as:

if ( $syslogmsg =~ /down/ ) {
        $nagios_code = 2;   # Critical
}
You will need to extract the hostname from the syslog message (and
possibly the service unless this is hardcoded - it is in this example).
In the end you want to build a message such as:
my $cmd = "[$epoch] PROCESS_SERVICE_CHECK_RESULT;$host;$service;$nagios_code;$msg";
And fire it into nagios:
my $echo = '/usr/bin/echo';
my $pipe = '/usr/local/nagios/var/rw/nagios.cmd';
# $cmd (and therefore $msg, taken from the syslog line) is interpolated into a
# shell command line here, so it must not contain shell metacharacters.
system "$echo \"$cmd\" >> $pipe";
(As an aside I tried the perl way of doing this rather than a system
command and had a problem on Solaris I couldn't resolve.)
I would recommend you take a look at Al Toby's module on CPAN for
passing commands to Nagios.
There are also some shell script examples of passing Nagios commands
supplied with the distribution.
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users