<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> </head> <body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "> <font style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">We have issues with this as well. Maybe an option to log in micro epoch? I also wriote an event broker that opens a tcp connection to splunk and directly pipes all logging over, which allowed us to get around that issue but doing it in core would be nice.<br> Dan</font><br> <br> <div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"> <font style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><b>From</b>: Deepak Kosaraju [mailto:deepak.kosaraju1@gmail.com] <br> <b>Sent</b>: Thursday, April 05, 2012 06:22 PM<br> <b>To</b>: Andreas Ericsson <ae@op5.se> <br> <b>Cc</b>: Nagios Developers List <nagios-devel@lists.sourceforge.net> <br> <b>Subject</b>: Re: [Nagios-devel] Log USERNAME when DISABLING/ENABLING checks/notifications... <br> </font> <br> </div> Andreas <div>Thanks for the prompt reply, So when can we expect Nagios 4, where can I track the beta release schedules for Nagios. </div> <div><br> </div> <div>When you are planning to change logging version it would be nice to look at the time [filed]. </div> <div><br> </div> <div><b>Here is the scenario: Between nagios and splunk,</b></div> <div>As splunk indexer sees the event from forwarder, the indexer records the time based on the event time and converts that to HRT format, and as nagios log doesn't have anything to say 2 events happened with-in milli seconds time different splunk indexer is treating both events happened at the same time based on epoch timestamp. </div> <div><br> </div> <div><b>Example:</b></div> <div> <div>[1333663803] HOST ALERT: devtest-d-a001-q;UP;SOFT;2;OK - 20.255.10.1: rta 0.619ms, lost 0%</div> <div>[1333663803] HOST ALERT: devtest-d-a002-q;UP;SOFT;2;OK - 20.255.10.2: rta 0.624ms, lost 0%</div> <div>[1333663803] HOST ALERT: devtest-d-a003-q;UP;SOFT;2;OK - 20.255.10.3: rta 0.647ms, lost 0%</div> <div>[1333663803] HOST ALERT: devtest-d-a004-q;UP;SOFT;2;OK - 20.255.10.4: rta 0.609ms, lost 0%</div> </div> <div><br> </div> <div>Now splunk indexer indexes all these events seems to be happened at same time, but in reality they are happened with some milli seconds difference in time. The real challenge is Splunk Search results show all these as one pile of event happened rather then showing them as individual events. I gave 4 as example but think about 30 check happen at same time. </div> <div><br> </div> <div>Its one of challenges we are have integrating between two smart tools nagios.log -> splunk engine, we couldn't get a break through on this.</div> <div><br> <div apple-content-edited="true"> <div> <div style="font-size: medium; "><span class="Apple-style-span" style="font-family: Scramble; "><font class="Apple-style-span" color="#15B4DE">With Regards</font></span></div> <div style="font-size: medium; "><span class="Apple-style-span" style="color: rgb(255, 128, 0); font-family: 'Lucida Calligraphy'; font-size: 16px; font-style: italic; ">Deepak Kosaraju</span></div> <div style="font-size: medium; "><font class="Apple-style-span" color="#FF8000" face="'Lucida Calligraphy'" size="4"><span class="Apple-style-span" style="font-size: 16px; "><i><span class="Apple-style-span" style="font-family: Verdana; font-style: normal; font-size: 10px; "><b><a href="http://www.kkdk.us/">www.kkdk.us</a></b></span></i></span></font></div> </div> </div> <br> <div> <div>On Apr 5, 2012, at 4:46 PM, Andreas Ericsson wrote:</div> <br class="Apple-interchange-newline"> <blockquote type="cite"> <div>On 04/05/2012 04:44 AM, Deepak Kosaraju wrote:<br> <blockquote type="cite">Hi All I don't know the technical reason why Nagios developers didn't<br> </blockquote> <blockquote type="cite">thought about this:<br> </blockquote> <blockquote type="cite"><br> </blockquote> <br> Because it can't be trusted, so it's not really worth anything. It<br> can be doable so it's trusted in future versions, and then we will<br> most likely add it. That can't be done until we change logging<br> version though, which most likely won't be done until Nagios 4. As a<br> consolation, Nagios 4 probably isn't that far off.<br> <br> <blockquote type="cite">I know its not a standard syntax for Username to be as part of<br> </blockquote> <blockquote type="cite">DISABLING/ENABLING checks/notifications but it would be nice if your<br> </blockquote> <blockquote type="cite">team can start thinking about add it as feature in next releases of<br> </blockquote> <blockquote type="cite">Nagios.<br> </blockquote> <blockquote type="cite"><br> </blockquote> <blockquote type="cite">Its really giving us HARD time to know who trigger the DISABLE and<br> </blockquote> <blockquote type="cite">ENABLE checks/notifications among the teams.<br> </blockquote> <blockquote type="cite"><br> </blockquote> <blockquote type="cite">This should apply to BOTH: HOST/SERVICE type of DISABLE/ENABLE<br> </blockquote> <blockquote type="cite">external commands.<br> </blockquote> <blockquote type="cite"><br> </blockquote> <br> It's likely we add this to all external commands rather than just some<br> of them. It's easier to discard the information once it's there than it<br> is to figure it out after you realize you need it, and it makes the code<br> simpler and therefore faster and less prone to bugs.<br> <br> -- <br> Andreas Ericsson <a href="mailto:andreas.ericsson@op5.se">andreas.ericsson@op5.se</a><br> OP5 AB <a href="http://www.op5.se">www.op5.se</a><br> Tel: +46 8-230225 Fax: +46 8-230231<br> <br> Considering the successes of the wars on alcohol, poverty, drugs and<br> terror, I think we should give some serious thought to declaring war<br> on peace.<br> </div> </blockquote> </div> <br> </div> </body> </html>