Logstash to Nagios - IIS logging

More fun with Logstash, Nagios, and IIS logging.  We have all of our environment's website logs dumped into Logstash via NXlog, where the events are tagged and routed to outputs.

The config below gives us a passive Nagios check that goes CRITICAL on 400/500 codes and OK on 200/300 codes.  Not sure how this'll really work out, but the check should get flooded with enough 400/500 results during a serious outage to cause a notification to go out.  We'll have to test that.  It is working like a charm at the moment, though!

20-filters_tagging.conf
<snipped>
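if [SourceName] == "IIS" {
        # Select the UAT environment by the IIS server address (s-ip).
        # The dots are escaped: in the original /^192.168.(\d{1,3}).(\d{1,3})/
        # each unescaped '.' matched any character, so an address such as
        # "192x168x1x1" would also have been treated as UAT.
        if [s-ip] =~ /^192\.168\.(\d{1,3})\.(\d{1,3})/ {
                # Any 2xx-5xx response becomes a passive-check candidate and is
                # given the Nagios service name the output stage interpolates.
                # The pattern is anchored so only a bare 3-digit status matches
                # (the original "[2,3,4,5]\d\d" also accepted a literal comma).
                # tag_on_failure => [] suppresses the default _grokparsefailure
                # tag for statuses outside the range (e.g. 1xx).
                grok {
                        match => ["sc-status", "^[2-5]\d\d$"]
                        add_tag => ["nagios_check_iislog","UAT","IIS"]
                        add_field => ["nagios_service", "UATPSV-IIS_Traffic"]
                        tag_on_failure => []
                }
                # 2xx/3xx -> tag consumed by the OK output.
                grok {
                        match => ["sc-status", "^[23]\d\d$"]
                        add_tag => ["UAT-IIS200-300"]
                        tag_on_failure => []
                }
                # 4xx/5xx -> tag consumed by the CRITICAL output.
                grok {
                        match => ["sc-status", "^[45]\d\d$"]
                        add_tag => ["UAT-IIS400-500"]
                        tag_on_failure => []
                }
        }
}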

92-outputs_nagios.conf
# Begin IIS alerts #
# Only events the tagging filter marked as IIS passive-check candidates reach
# this block; each one becomes a single NSCA passive result for the service
# named in the nagios_service field. Both branches talk to the same NSCA
# endpoint and differ only in nagios_status (0 = OK, 2 = CRITICAL).
if "nagios_check_iislog" in [tags] {
        # 2xx/3xx responses report OK.
        if "UAT-IIS200-300" in [tags] {
                nagios_nsca {
                        nagios_host => "localhost"
                        nagios_service => "%{nagios_service}"
                        nagios_status => 0
                        # cs-method comes from the client's request line, so the
                        # check output carries client-supplied text; keep the
                        # format to these short fields rather than URI/user-agent.
                        message_format => "%{EventTime} %{SourceModuleName} %{cs-method} %{sc-status} node:%{s-ip}"
                        send_nsca_config => "/etc/nagios/send_nsca.cfg"
                        host => "nagios.domain.com"
                        port => 5667
                }
        }
        # 4xx/5xx responses report CRITICAL.
        if "UAT-IIS400-500" in [tags] {
                nagios_nsca {
                        nagios_host => "localhost"
                        nagios_service => "%{nagios_service}"
                        nagios_status => 2
                        message_format => "%{EventTime} %{SourceModuleName} %{cs-method} %{sc-status} node:%{s-ip}"
                        send_nsca_config => "/etc/nagios/send_nsca.cfg"
                        host => "nagios.domain.com"
                        port => 5667
                }
        }
} # End IIS alerts #
