Skip to content

Commit

Permalink
Merge pull request #24 from Crited/feature/notification_15
Browse files Browse the repository at this point in the history
adds rules for notification logs
  • Loading branch information
widhalmt authored May 31, 2019
2 parents e243792 + 6147bd0 commit 7b81305
Show file tree
Hide file tree
Showing 2 changed files with 51 additions and 2 deletions.
2 changes: 1 addition & 1 deletion doc/30-namingscheme.md
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ grep -Pho "\[icinga\]\[[^\[]*?\]" filter-* | sort -u | sed -e "s@\[icinga\]\[@@;

These are all fieldnames in use for filter-50-configs to date:

*agent, apirequest, apiuser, bytes, checkablespending, checkablesrate, checkinterval, checknext, checkoriginal, checktime, clientendpoint, clienthost, clientport, code, component, configfilecount, connectedendpoints, context, count, currentepoch, currentmaster, date, dateend, datestart, dbinstance, detail, direction, endtime, epochcurrent, epochreceived, errorcode, eventtype, facility, filecount, filterversion, hostname, hostport, httpclientip, httpclientport, httpmethod, idlecheckables, items01min, items05min, items15min, itemscount, itemsrate, listenerhost, logposition, message, messagecount, messagetype, metriclist, name, nomessageduration, notification, notificationcount, notificationtype, object, objectdetails, objectname, objecttype, path, period, pid, plugin, port, pugin, query, receivedepoch, remainingclients, severity, signal, sslerrorcode, sslerrordetails, starttime, statefile, stride, timerange, timestamp, username, weekday, workerdetail, workerfacility, workerid, zone*
*agent, apirequest, apiuser, bytes, checkablespending, checkablesrate, checkinterval, checknext, checkoriginal, checktime, clientendpoint, clienthost, clientport, code, component, configfilecount, connectedendpoints, context, count, currentepoch, currentmaster, date, dateend, datestart, dbinstance, detail, direction, endtime, epochcurrent, epochreceived, errorcode, eventtype, facility, filecount, filterversion, fstate, ftype, hostname, hostport, httpclientip, httpclientport, httpmethod, idlecheckables, items01min, items05min, items15min, itemscount, itemsrate, listenerhost, logposition, message, messagecount, messagetype, metriclist, name, nomessageduration, notification, notificationcount, notificationtype, object, objectdetails, objectname, objecttype, path, period, pid, plugin, port, pugin, query, receivedepoch, remainingclients, severity, signal, sslerrorcode, sslerrordetails, starttime, state, statefile, statefilter, statefilterid, stride, timerange, timestamp, typefilter, typefilterid, user, username, weekday, workerdetail, workerfacility, workerid, zone*

### Arrays

Expand Down
51 changes: 50 additions & 1 deletion filter-50-notification.conf
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,56 @@ filter {
"[icinga][eventtype]" => "completed_sending_notification"
}
}
} else if [message] =~ /^Type '.+', TypeFilter:.+/ {
grok {
match => ["message","Type '%{WORD:[icinga][notificationtype]}', TypeFilter: %{DATA:[icinga][typefilter]}\(%{WORD}=%{NUMBER:[icinga][ftype]}, %{WORD}=%{NUMBER:[icinga][typefilterid]}\)"]
id => "icinga_notificationtype"
add_tag => "icinga_notificationtype"
tag_on_failure => ["_grokparsefailure","icinga_notificationtype_failed"]
add_field => {
"[icinga][eventtype]" => "notificationtypeevaluation"
}
}
} else if [message] =~ /^Attempting to send notifications for notification object/ {
grok {
match => ["message","Attempting to send notifications for notification object '%{DATA:[icinga][object]}'."]
id => "icinga_notificationattempt"
add_tag => "icinga_notificationattempt"
tag_on_failure => ["_grokparsefailure","icinga_notificationattempt_failed"]
add_field => {
"[icinga][eventtype]" => "notificationattempt"
}
}
} else if [message] =~ /^State ('.+'|'.+',) StateFilter: .+/ {
grok {
match => ["message","State '%{WORD:[icinga][state]}', StateFilter: %{DATA:[icinga][statefilter]}\(%{WORD}=%{NUMBER:[icinga][fstate]}, %{WORD}=%{NUMBER:[icinga][statefilterid]}\)"]
id => "icinga_notificationstate"
add_tag => "icinga_notificationstate"
tag_on_failure => ["_grokparsefailure","icinga_notificationstate_failed"]
add_field => {
"[icinga][eventtype]" => "notificationstateevaluation"
}
}
} else if [message] =~ /^User '.+' notification '.+', Type '.+', TypeFilter: .+/ {
grok {
match => ["message","User '%{USER:[icinga][user]}' notification '%{DATA:[icinga][object]}', Type '%{WORD:[icinga][notificationtype]}', TypeFilter: %{DATA:[icinga][typefilter]}\(%{WORD}=%{NUMBER:[icinga][ftype]}, %{WORD}=%{NUMBER:[icinga][typefilterid]}\)"]
id => "icinga_notificationusertypeevaluation"
add_tag => "icinga_notificationusertypeevaluation"
tag_on_failure => ["_grokparsefailure","icinga_notificationusertypeevaluation_failed"]
add_field => {
"[icinga][eventtype]" => "notificationusertypeevaluation"
}
}
} else if [message] =~ /^User '.+' notification '.+', State '.+', StateFilter: .+/ {
grok {
match => ["message","User '%{USER:[icinga][user]}' notification '%{DATA:[icinga][object]}', State '%{WORD:[icinga][notificationtype]}', StateFilter: %{DATA:[icinga][statefilter]}\(%{WORD}=%{NUMBER:[icinga][fstate]}, %{WORD}=%{NUMBER:[icinga][statefilterid]}\)"]
id => "icinga_notificationuserstateevaluation"
add_tag => "icinga_notificationuserstateevaluation"
tag_on_failure => ["_grokparsefailure","icinga_notificationuserstateevaluation_failed"]
add_field => {
"[icinga][eventtype]" => "notificationuserstateevaluation"
}
}
}
}
}

0 comments on commit 7b81305

Please sign in to comment.