-
Notifications
You must be signed in to change notification settings - Fork 0
/
filter-50-notification.conf
76 lines (75 loc) · 3.98 KB
/
filter-50-notification.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
filter {
if [icinga][facility] == "Notification" {
if [message] =~ /^Sending / {
grok {
match => ["message","Sending '%{WORD:[icinga][notificationtype]}' notification '%{DATA:[icinga][object]}' for user '%{DATA:[user][name]}'"]
id => "icinga_sendingnotification"
add_tag => "icinga_sendingnotification"
tag_on_failure => ["_grokparsefailure","icinga_sendingnotification_failed"]
add_field => {
"[icinga][eventtype]" => "sending_notification"
}
}
} else if [message] =~ /^Completed sending / {
grok {
match => ["message","Completed sending '%{WORD:[icinga][notificationtype]}' notification '%{DATA:[icinga][object]}' for checkable '%{DATA:[icinga][object]}' and user '%{DATA:[user][name]}'."]
id => "icinga_completedsendingnotification"
add_tag => "icinga_completedsendingnotification"
tag_on_failure => ["_grokparsefailure","icinga_completedsendingnotification_failed"]
add_field => {
"[icinga][eventtype]" => "completed_sending_notification"
}
}
} else if [message] =~ /^Type '.+', TypeFilter:.+/ {
grok {
match => ["message","Type '%{WORD:[icinga][notificationtype]}', TypeFilter: %{DATA:[icinga][typefilter]}\(%{WORD}=%{NUMBER:[icinga][ftype]}, %{WORD}=%{NUMBER:[icinga][typefilterid]}\)"]
id => "icinga_notificationtype"
add_tag => "icinga_notificationtype"
tag_on_failure => ["_grokparsefailure","icinga_notificationtype_failed"]
add_field => {
"[icinga][eventtype]" => "notification_typeevaluation"
}
}
} else if [message] =~ /^Attempting to send( | )notifications for notification object/ {
grok {
match => ["message","Attempting to send%{SPACE}notifications for notification object '%{DATA:[icinga][object]}'."]
id => "icinga_notificationattempt"
add_tag => "icinga_notificationattempt"
tag_on_failure => ["_grokparsefailure","icinga_notificationattempt_failed"]
add_field => {
"[icinga][eventtype]" => "notification_attempt"
}
}
} else if [message] =~ /^State ('.+'|'.+',) StateFilter: .+/ {
grok {
match => ["message","State '%{WORD:[icinga][state]}', StateFilter: %{DATA:[icinga][statefilter]}\(%{WORD}=%{NUMBER:[icinga][fstate]}, %{WORD}=%{NUMBER:[icinga][statefilterid]}\)"]
id => "icinga_notificationstate"
add_tag => "icinga_notificationstate"
tag_on_failure => ["_grokparsefailure","icinga_notificationstate_failed"]
add_field => {
"[icinga][eventtype]" => "notification_state_evaluation"
}
}
} else if [message] =~ /^User '.+' notification '.+', Type '.+', TypeFilter: .+/ {
grok {
match => ["message","User '%{USER:[user][name]}' notification '%{DATA:[icinga][object]}', Type '%{WORD:[icinga][notificationtype]}', TypeFilter: %{DATA:[icinga][typefilter]}\(%{WORD}=%{NUMBER:[icinga][ftype]}, %{WORD}=%{NUMBER:[icinga][typefilterid]}\)"]
id => "icinga_notificationusertypeevaluation"
add_tag => "icinga_notificationusertypeevaluation"
tag_on_failure => ["_grokparsefailure","icinga_notificationusertypeevaluation_failed"]
add_field => {
"[icinga][eventtype]" => "notification_user_type_evaluation"
}
}
} else if [message] =~ /^User '.+' notification '.+', State '.+', StateFilter: .+/ {
grok {
match => ["message","User '%{USER:[user][name]}' notification '%{DATA:[icinga][object]}', State '%{WORD:[icinga][notificationtype]}', StateFilter: %{DATA:[icinga][statefilter]}\(%{WORD}=%{NUMBER:[icinga][fstate]}, %{WORD}=%{NUMBER:[icinga][statefilterid]}\)"]
id => "icinga_notificationuserstateevaluation"
add_tag => "icinga_notificationuserstateevaluation"
tag_on_failure => ["_grokparsefailure","icinga_notificationuserstateevaluation_failed"]
add_field => {
"[icinga][eventtype]" => "notification_user_state_evaluation"
}
}
}
}
}