Logstash filters

Hello,

I have encountered a little issue when configuring a filter for Oracle log monitoring. My idea is to add more Oracle errors in the same filter, like this:

# cat  filter-60-ORA-609.conf

filter {
  if [message] =~ /ORA-1653/ {
    grok {
      match => ["message","(?<oracle-error-message>ORA-[0-9]*)"]
      id => "oracle-error-message"
      add_tag => "oracle-error-message"
      tag_on_failure => ["_grokparsefailure","oracle-error-message_failed"]
    }
  }
}

filter {
  if [message] =~ /ORA-1654/ {
    grok {
      match => ["message","(?<oracle-error-message>ORA-[0-9]*)"]
      id => "oracle-error-message"
      add_tag => "oracle-error-message"
      tag_on_failure => ["_grokparsefailure","oracle-error-message_failed"]
    }
  }
}

When I generate some logs which contain error codes like the two mentioned, I can see both events in Kibana, but in the Icinga2 output only the first one generates an alarm (ORA-1653).

Can someone suggest how I can add more specific ORA-XXXX errors in the same file and make the Icinga2 output work for every event, not only for the first?

Cheers,
Petre

Hi,

This depends heavily on how you proceed with the parsing of the logs. I don’t see any configuration on how you forward the data to Icinga.

By the way, you could make your filter a bit more universal.

filter {
  if [message] =~ /ORA-/ {
    grok {
      match => ["message","(?<oracle-error-message>ORA-[0-9]*)"]
      id => "oracle-error-message"
      add_tag => "oracle-error-message"
      tag_on_failure => ["_grokparsefailure","oracle-error-message_failed"]
    }
    if [oracle-error-message] in ["ORA-1653","ORA-1654"] {
      # do something to forward it into icinga     
    }
  }
}

That way you can add more and more error codes to your if clause and all error codes are treated the same. Please note that I hacked this code into Discourse right now and did not test if it’s not full of typos.


Hello,

I succeeded in forwarding multiple log messages with different error messages in the following way:

[root@cormoran oracle]# cat filter-60-ORA-XXXX.conf
filter {
  if [message] =~ /ORA-1653/ {
    grok {
      match => ["message","(?<oracle-error-message>ORA-[0-9]*)"]
      id => "ORA-1653"
      add_tag => "oracle-error-message"
      tag_on_failure => ["_grokparsefailure","oracle-error-message_failed"]
    }
  }
}
filter {
  if [message] =~ /ORA-1654/ {
    grok {
      match => ["message","(?<oracle-error-message>ORA-[0-9]*)"]
      id => "ORA-1654"
      add_tag => "oracle-error-message"
      tag_on_failure => ["_grokparsefailure","oracle-error-message_failed"]
    }
  }
}

Now I have another problem: I can’t raise the alarm in Icinga for different hosts depending on the tag “fields.name” from Kibana.

I tried with the following outputs for icinga2:

    icinga_host => "%{hostname}"
    icinga_service => "Oracle AlertLog"

    icinga_host => "%{icinga_host}"
    icinga_service => "Oracle AlertLog"

But the same error every time:

[2019-05-11T11:01:52,541][WARN ][logstash.outputs.icinga ] Request failed {:host=>"10.130.41.25", :port=>5665, :path=>"/v1/actions/process-check-result?service=%25%7Bfields.name%7D%21Oracle+AlertLog", :body=>"{\"exit_status\":\"2\",\"plugin_output\":\"ORA-1654\"}", :error=>#<StandardError: StandardError>}
[2019-05-11T11:01:52,542][WARN ][logstash.outputs.icinga ] Response: {:response_code=>"404", :response_body=>"{\"error\":404.0,\"status\":\"No objects found.\"}"}

Which is the correct value for icinga_host?

Cheers,
Petre

I’m sorry, that really depends on the rest of your Logstash and Icinga configuration. icinga_host has to be set to the exact value like the name of the host object in Icinga 2 you want to send the check result for. “exact” meaning including shortname vs. fqdn, capitalization etc.

Hi,

I set it in the following way and it’s working:

icinga_host => "%{[beat][name]}"

Thank you very much!
I think the topic can be closed :)

Cheers,
Petre
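To tie the thread together, here is an added Python example (not code from the thread, from Logstash or from the Icinga output plugin) that mirrors the universal grok filter from the second post and the `%{...}` field expansion behind the icinga_host question: a bare `%{fields.name}` is looked up as a top-level field literally called "fields.name", is not found, and is left verbatim in the string, which is what the URL-encoded `%25%7Bfields.name%7D` in the quoted request path shows, while the bracket form `%{[beat][name]}` that ended up working resolves the nested field. The sample event and the expansion helpers are constructed for this illustration.

```python
import re
from typing import Optional

# Same pattern as the thread's grok filter; the named group maps to the
# "oracle-error-message" field that the filter adds.
ORA_PATTERN = re.compile(r"(?P<code>ORA-[0-9]*)")
FIELD_REF = re.compile(r"%\{([^}]+)\}")
# The allow-list from the second post's "in [...]" conditional.
ALERT_CODES = {"ORA-1653", "ORA-1654"}


def grok_oracle_error(event: dict) -> dict:
    """Mirror the filter: extract the ORA code and tag the event, or add the
    two failure tags when the pattern does not match."""
    tags = event.setdefault("tags", [])
    m = ORA_PATTERN.search(event.get("message", ""))
    if m:
        event["oracle-error-message"] = m.group("code")
        tags.append("oracle-error-message")
    else:
        tags.extend(["_grokparsefailure", "oracle-error-message_failed"])
    return event


def lookup(event: dict, ref: str) -> Optional[str]:
    """Resolve a Logstash-style field reference: "[beat][name]" walks nested
    keys, a bare "hostname" is a top-level key. "fields.name" is not nested
    syntax and is looked up literally as a top-level key called "fields.name"."""
    keys = re.findall(r"\[([^\]]+)\]", ref) if ref.startswith("[") else [ref]
    cur = event
    for k in keys:
        if not isinstance(cur, dict) or k not in cur:
            return None
        cur = cur[k]
    return None if isinstance(cur, (dict, list)) else str(cur)


def sprintf(template: str, event: dict) -> str:
    """Expand %{...}; an unresolvable reference stays verbatim, as in the
    failing request path quoted in the thread."""
    def expand(m: re.Match) -> str:
        val = lookup(event, m.group(1))
        return m.group(0) if val is None else val
    return FIELD_REF.sub(expand, template)


def should_alert(event: dict) -> bool:
    """The "in [...]" conditional that decides whether to forward to Icinga."""
    return event.get("oracle-error-message") in ALERT_CODES


# Constructed sample event, shaped like a Filebeat-shipped alert-log line.
SAMPLE = {
    "message": "ORA-1654: unable to extend index SCOTT.IDX in tablespace USERS",
    "beat": {"name": "cormoran"},
    "fields": {"name": "db01"},
}
```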