Log monitoring with SEC and Nagios.

Risto Vaarandi risto.vaarandi at seb.ee
Fri Aug 31 13:14:45 CEST 2007

Previous message: Log monitoring with SEC and Nagios. [SEC=UNCLASSIFIED]
Next message: inundated with "host UP alert"s
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Nate Campi wrote:
> On Thu, Aug 30, 2007 at 11:11:17AM +1000, Stanley.Hopcroft at Dest.gov.au wrote:
>> Dear Risto
>>
>> (Thank you very much for SEC, the king of event correlators).
>  
> I also thank you, SEC saves my SA staff a lot of trouble every day.

Thanks - it's good to hear that :)

>>> few weeks ago I posted a question to this list about passive service 
>>> checks - I was actually experimenting with Nagios as an event log 
>>> monitoring GUI. I am tracking event logs with SEC and also 
>>> sending out 
>>> alerts with it, but I would still like to see correlated log 
>>> messages in 
>>> Nagios web interface as well.
>>>
>> I used to use (and enjoy) SEC to inject passive service check results
>> to Nagios.
> 
> I also do this, but it forces me to define a different check for every
> thing that I might see - because if I submit a second, different bad
> result (like a different system error message for a "syslog" check)
> it'll overwrite the last submitted results. There are ways around this
> on the SEC side if you want to keep state, but you'd probably like
> people to be able to wipe events clear independently on the Nagios side
> (like with a passive submission from the CGI) and not have that old
> result come back. I hate to state that like it's fact when I'm at best
> an intermediate Nagios admin, no expert. Am I overlooking anything here?
> 
> You could have a feedback loop between Nagios logs and SEC that helps
> detect the passive submission that clears your prior alerts, but that
> seems overly complicated. If it was like a traditional NMS that just
> accepts arbitrary events, then it might be more like what Risto is
> looking for.
> 
> What exactly are your needs, Risto?

I'd just like to display correlated alerts in Nagios web page. Right 
now, I have settled for a strategy where all events come in with a 
CRITICAL severity, and the user has to submit a passive check by hand, 
in order to set the service back to OK-state.

The service definition looks like follows:

define service{
         use                             generic-service
         hostgroup_name                  linux
         service_description             Syslog
         is_volatile                     1
         active_checks_enabled           0
         max_check_attempts              1
         normal_check_interval           5
         retry_check_interval            1
         contact_groups                  nagios-admin
         check_command                   check_passive
         }

I have disabled host checks altogether, so that service alerts from the 
Syslog delay are displayed with a minimal lag (it is now just around 5-6 
seconds, while with host checks enables it was sometimes several 
minutes, since every submitted passive service check triggered a host 
check).

The only thing I am missing is a way to disable host checks on a service 
basis - for example, the service definition could have a special 
parameter called 'enable_host_check' that the user can set to 0. The 
reason I'd like to have this parameter in the future is that I have 
active checks for the 'linux' hostgroup as well, like

define service{
         use                             generic-service
	hostgroup_name                  linux
         service_description             SSH
         max_check_attempts              3
         normal_check_interval           3
         retry_check_interval            1
	contact_groups                  nagios-admin
         check_command                   check_ssh
         }

It would be good to have host check enabled for such services, so that 
no service alert is generated if the host is down.

However, that was just a small suggestion and not a complaint :)
I'd like to thank people who are developing Nagios ;)

br,
risto

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null

Previous message: Log monitoring with SEC and Nagios. [SEC=UNCLASSIFIED]
Next message: inundated with "host UP alert"s
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Users mailing list