Pandora: Documentation en: Log Monitoring

From Pandora FMS Wiki
[[Pandora:Documentation_en|Go back to the Pandora FMS documentation index]]
  
= Log Collection =

== Introduction ==

Up to now, Pandora FMS did not provide a solution to this problem, but with version 5.0, '''Pandora FMS Enterprise''' offers a solution to manage hundreds of megabytes of daily data. This solution allows you to reuse the same monitoring agents for specific log data collection, using a syntax very similar to the current one for log monitoring.

Log monitoring in Pandora FMS is approached in two different ways:

#'''Based on modules''': it represents logs in Pandora FMS as asynchronous monitors, and alerts can be associated with the detected entries that meet a series of conditions preconfigured by the user. The modular representation of logs allows you to:
##Create modules that count the occurrences of a regular expression in a log.
##Obtain the lines and the context of log messages.
#'''Based on combined display''': it allows the user to view in a single console all the log information from the multiple sources to be captured, organizing the information sequentially by the timestamp at which the logs were processed.

From version 7.0NG 712, Pandora FMS incorporates '''ElasticSearch''' to store log information, which implies a substantial performance improvement.
  
== How it works ==

The process is simple:

<center><br><br>
</center><br><br>

* The logs analyzed by the agents ('''eventlog''' or text files) are forwarded to the Pandora FMS server in "literal" (RAW) form inside the agent's XML report.
* The Pandora FMS server (DataServer) receives the agent's XML, which contains both monitoring and log information.
* When the DataServer processes the XML data, it identifies the log information, stores in the main database the references to the reporting agent and the log source, and automatically sends the log information to ElasticSearch to be stored.
* Pandora FMS stores the data in ElasticSearch indexes, generating one index per day for each Pandora FMS instance.
* The Pandora FMS server has a maintenance task that deletes indexes after the interval defined by the system administrator (90 days by default).

== Configuration ==

=== Server Configuration ===

The new log storage system, based on ElasticSearch, requires configuring several components.

{{Warning|From Pandora FMS version 745 onwards, there is no need to use LogStash, since the Pandora FMS server communicates directly with the ElasticSearch server, so LogStash related configurations do not need to be applied.}}

==== Server Requirements ====

Each component (Pandora FMS Server, ElasticSearch) can be distributed on separate servers.

If you choose to host ElasticSearch and LogStash on the same server, the following is recommended:

* CentOS 7.
* At least 4GB of RAM, although 6GB of RAM are recommended for each ElasticSearch instance.
* At least 2 CPU cores.
* At least 20GB of disk space for the system.
* At least 50GB of disk space for ElasticSearch data (the figure may vary depending on the amount of data to be stored).
* Connectivity from the Pandora FMS server and console to the ElasticSearch API (port 9200/TCP by default).
  
<br><br>

==== Installing and configuring ElasticSearch ====

Before you begin installing these components, install Java on the machine:

  yum install java

Once Java is installed, install ElasticSearch following the official documentation: https://www.elastic.co/guide/en/elasticsearch/reference/7.6/install-elasticsearch.html

When installing on CentOS/Red Hat systems, the recommended installation is by means of rpm: https://www.elastic.co/guide/en/elasticsearch/reference/7.6/rpm.html
  
Configure the service:

Configure the network options and, optionally, the data locations (and the logs of ElasticSearch itself) in the configuration file located at ''/etc/elasticsearch/elasticsearch.yml''

  # ---------------------------------- Network -----------------------------------
  http.port: 9200
  # ----------------------------------- Paths ------------------------------------
  # Path to directory where to store the data (separate multiple locations by comma):
  path.data: /var/lib/elastic
  # Path to log files:
  path.logs: /var/log/elastic

You will also need to uncomment and define the following lines as shown, entering the server's IP in the network.host parameter:

  cluster.name: elkudemy
  network.host: ["127.0.0.1", "IP"]

* <b>cluster.name</b>: The name the cluster will receive.
* <b>node.name</b>: The node name; with ${HOSTNAME} it takes the name of the host.
* <b>bootstrap.memory_lock</b>: It must always be "true".
* <b>network.host</b>: The server's IP.
  
The resources allocated to ElasticSearch must be set by adjusting the parameters available in the configuration file located at ''/etc/elasticsearch/jvm.options''. It is recommended to use at least 2GB for Xms.

  # Xms represents the initial size of total heap space
  # Xmx represents the maximum size of total heap space
  -Xms2g
  -Xmx2g

The resources are assigned according to the intended use of ElasticSearch. It is recommended to follow the official ElasticSearch documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
  
Start the service:

  systemctl start elasticsearch

'''Note''': If the service fails to start, check the logs located at /var/log/elasticsearch/

To check the ElasticSearch installation, just execute the following command:

  curl -q http://{IP}:9200/

Which should return an output similar to this one:

  {

<br><br>
  
==== Installing and configuring LogStash ====

{{Warning|From Pandora FMS version 745 onwards, there is <b>no</b> need to install LogStash.}}

Install LogStash 5.6.2 from the RPM downloadable from the ElasticSearch project website: https://artifacts.elastic.co/downloads/logstash/logstash-5.6.2.rpm

Once the package is downloaded, install it by executing:

  rpm -i logstash-X.X.X.rpm

Configure the service:

Within the LogStash configuration there are three configuration blocks:
* Input: indicates how the information reaches LogStash: format, port, and an identifier used to store the information internally in Elastic.
* Filter: post-processing can be added here, but in this case it is not necessary, so it is left empty.
* Output: the IP and port where ElasticSearch will be listening; this is where the information processed by LogStash will be saved.
Configuration file:

  /etc/logstash/conf.d/logstash.conf

Example of a configuration file:

  # This input block will listen on port 10514 for logs to come in.
  # host should be an IP on the Logstash server.
  # codec => "json" indicates that we expect the lines we're receiving to be in JSON format
  # type => "rsyslog" is an optional identifier to help identify messaging streams in the pipeline.
  input {
   }
  }
  # This is an empty filter block. You can later add other filters here to further process
  # your log lines
  filter { }
  }
  
In the "host" fields, enter the server IP instead of "0.0.0.0".

In the "logstash-sample.conf" file, "localhost" must also be replaced with the server IP.

Start the service:

  systemctl start logstash

'''Note''': If you are trying to install LogStash on CentOS 6 against our recommendation, you can start it with the following command:

  initctl start logstash
  
==== Configuration parameters in Pandora FMS Server ====

{{Warning|From Pandora FMS version 745 onwards there is no need to edit the server configuration file, since all the configuration is done from the console when enabling log collection.}}

You will need to add the following configuration to the Pandora FMS Server configuration file (/etc/pandora/pandora_server.conf) so that the Pandora FMS DataServer processes the log information.

'''Important''': Any log that reaches Pandora FMS without this configuration active will be '''discarded'''.

  logstash_host eli.artica.lan
  logstash_port 10516

==== Pandora FMS SyslogServer ====
  
From Pandora FMS 7.0NG update 717, a new component appears: SyslogServer.

This component allows Pandora FMS to analyze the syslog of the machine where it is located, analyzing its content and storing the references in the ElasticSearch server.

The main advantage of SyslogServer lies in complementing log unification. Relying on the syslog export features of Linux and Unix environments, SyslogServer allows logs to be consulted regardless of their origin, searching in a single common point (the Pandora FMS console log viewer).

Syslog is installed on both the client and the server; to do so, launch the following command:

  yum install rsyslog

Once syslog is installed on the machines you wish to work with, bear in mind that you need to edit the configuration file to enable the '''TCP''' and '''UDP''' input.

  /etc/rsyslog.conf

After making this change, stop and restart the '''rsyslog''' service.

Once the service is running again, check the ports to verify that port '''514''' is accessible.

  netstat -ltnp

After enabling the service and checking the ports, configure the client so that it can send logs to the server. To do so, go to the '''rsyslog''' configuration file once more.

  /etc/rsyslog.conf

Locate and enable the line that configures the remote host. Specify what you wish to send, so that it looks as follows:

  *.* @@remote-host:514
<br>

{{Tip|Sending logs generates a container agent with the client's name, so it is recommended to create agents with "'''alias as name'''" matching the client's hostname; this avoids duplicate agents.}}

For more information about rsyslog configuration, visit the official website: https://www.rsyslog.com/

To enable this feature, simply enable it in the configuration by adding the following content to pandora_server.conf:

You will need an enabled and configured LogStash/ElasticSearch server; please review the preceding points to learn how to configure it.

'''syslogserver''' Boolean, enables (1) or disables (0) the local SYSLOG analysis engine.

'''syslog_file''' Location of the file where the SYSLOG entries are being delivered.

'''syslog_threads''' Maximum number of threads to be used in the SyslogServer producer/consumer system.

'''syslog_max''' The maximum processing window for SyslogServer; it is the maximum number of SYSLOG entries that will be processed in each iteration.

{{Warning|You need to modify the configuration of your device so that logs are sent to the Pandora FMS server.}}
  
==== Recommendations ====

===== Log rotation for ElasticSearch and LogStash =====

'''Important''': as a recommendation, create a new entry for the log rotation daemon in /etc/logrotate.d, to prevent ElasticSearch or LogStash logs from growing without limit:

  cat > /etc/logrotate.d/elastic <<EOF
  EOF
  
===== Index Purging =====

You may check the list of indexes and the size they occupy at any time by launching a cURL request against your ElasticSearch server:

  curl -q <nowiki>http://elastic:9200/_cat/indices?</nowiki>

Where "elastic" is the server's IP.

To remove any of these indexes, execute the DELETE command:

  curl -q -XDELETE <nowiki>http://elastic:9200/{index-name}</nowiki>

Where "elastic" is the server's IP, and "{index-name}" is taken from the output of the previous command.

This operation will free up the space used by the removed index.
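The retention check and DELETE described above, as an added Python example that is not part of the Pandora FMS documentation or code: it parses a constructed sample of `_cat/indices` output, selects the daily indexes older than the retention window (the server's maintenance task uses 90 days by default) and only sends the DELETE requests when dry-run is switched off, so the list can be reviewed first. The `http://elastic:9200` address, the `logstash-YYYY.MM.DD` naming (taken from the page's own index example) and the sample rows are assumptions.

```python
import datetime as dt
import re
import urllib.request
from typing import List, Tuple

# Constructed sample of `curl http://elastic:9200/_cat/indices` output; it is
# not captured from a real server. Columns: health status index uuid pri rep
# docs.count docs.deleted store.size pri.store.size
SAMPLE_CAT_INDICES = """\
green  open logstash-2017.09.04 aB1cD2eF 5 1 120345 0 1.2gb 620mb
green  open logstash-2017.09.05 gH3iJ4kL 5 1 118220 0 1.1gb 580mb
yellow open logstash-2017.09.06 mN5oP6qR 5 1  90311 0 850mb 425mb
green  open .kibana             sT7uV8wX 1 0      3 0  12kb   6kb
"""

# Assumed naming of the daily indexes, following the page's own example
# index name: logstash-YYYY.MM.DD
INDEX_DATE_RE = re.compile(r"^logstash-(\d{4})\.(\d{2})\.(\d{2})$")


def parse_cat_indices(text: str) -> List[Tuple[str, str]]:
    """Return (index name, store size) pairs from _cat/indices output."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 9:
            rows.append((cols[2], cols[8]))
    return rows


def expired_indexes(rows: List[Tuple[str, str]], today_iso: str, keep_days: int) -> List[str]:
    """Select the daily indexes dated before today - keep_days.

    Indexes whose name carries no date (for example '.kibana') are never
    selected, so the purge cannot touch anything but daily log data.
    """
    cutoff = dt.date.fromisoformat(today_iso) - dt.timedelta(days=keep_days)
    old = []
    for name, _size in rows:
        m = INDEX_DATE_RE.match(name)
        if m and dt.date(*map(int, m.groups())) < cutoff:
            old.append(name)
    return old


def purge(es_url: str, names: List[str], dry_run: bool = True) -> List[str]:
    """Send one DELETE per index (the page's `curl -XDELETE`).

    With dry_run=True nothing is sent; the URLs that would be deleted are
    returned so an operator can review the list before running for real.
    """
    done = []
    for name in names:
        url = f"{es_url.rstrip('/')}/{name}"
        if not dry_run:
            req = urllib.request.Request(url, method="DELETE")
            with urllib.request.urlopen(req, timeout=10) as resp:
                resp.read()
        done.append(url)
    return done


if __name__ == "__main__":
    rows = parse_cat_indices(SAMPLE_CAT_INDICES)
    old = expired_indexes(rows, today_iso="2017-12-06", keep_days=90)
    for url in purge("http://elastic:9200", old, dry_run=True):
        print("would delete", url)
```

Run it against real output by piping `curl -q http://elastic:9200/_cat/indices` into `parse_cat_indices`; keep `dry_run=True` until the selected list matches what you expect, since DELETE on an index is not reversible.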
  
=== Console Settings ===

To enable the log display system, enable the following configuration:

<br><center>
<br></center>

Then configure the behaviour of the log viewer in the 'Log Collector' tab:

<br><center>
<br></center>

On this screen you can configure:

* IP address or FQDN of the server hosting the ElasticSearch service.
* Port through which the ElasticSearch service is being provided.
* Number of logs shown: to speed up the console response, dynamic record loading has been added. To use it, the user must scroll to the bottom of the page, which forces the next available group of records to load. The size of these groups can be set in this field as the number of records per group.
* Days to purge: to prevent the system from growing too large, a maximum number of days for which log information is stored can be defined; after that date it is automatically deleted by the Pandora FMS cleanup process.
  
== Migration to the LogStash + ElasticSearch system ==

Once the new log storage system is configured, you can migrate all the data previously stored in Pandora FMS, distributed across directories, to the new system.

To migrate to the new system, run the following script, which can be found in /usr/share/pandora_server/util/

  /usr/share/pandora_server/util/pandora_migrate_logs.pl /etc/pandora/pandora_server.conf
  
== Display and Search ==

In a log collection tool we are mainly interested in two things: searching for information (filtering by date, data sources and/or keywords) and seeing that information plotted as occurrences per unit of time. In this example, we are searching for all log messages from all sources in the last hour:

<br><center>
[[image:LogsVistaNew.png|850px]]
<i>View of occurrences over time</i>
<br></center>

<br>
<br>
There is a series of options to filter the information shown by the viewer:
* Filter by search type: search by exact match, all words or any word.
* Filter by message content: searches the content of the message for the given text.
* Filter by log source (source id).
* Filter by agent: limits the search results to those generated by the selected agent.
* Filter by group: limits the selection of agents in the agent filter.
* Filter by date.
  
The most important and useful field is the search string (search in the screenshot). This can be a simple text string, as in the previous case, or a wildcard expression, such as an IP address:

  192.168*

<b>Note</b>: Searches must use complete words or initial substrings of the words to be searched. Some examples:

  192.168.80.14
  192.168*
  Warning in somelongtext
  Warning in some*
  Error

One of the three search types must be selected:

* <b>Exact match</b>: literal string search.

<br><center>
<br></center>
  
* <b>All words</b>: search for all the indicated words in the same line, regardless of order, taking into account that each word is separated by spaces.

<br><center>
<br></center>

* <b>Any word</b>: search for any of the indicated words, regardless of order, taking into account that each word is separated by spaces.

<br><center>
<br></center>

If the option to see the context of the filtered content is checked, you will get an overview of the situation with information from other log lines related to your search:

<br><center>
<br></center>
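The three search types and the context option, as an added Python example that is not part of the Pandora FMS console code: it filters a constructed set of log lines by exact match, all words or any word, honouring the note above that a term is either a complete word or an initial substring marked with `*` (so `192.168*` matches `192.168.80.14`, while `Warn` alone does not match `Warning`), and `with_context` adds the neighbouring lines the way the viewer's context option does. The sample lines and the rule that only a trailing `*` makes a term a prefix are assumptions.

```python
import re
from typing import List

# Constructed sample log lines (not taken from the original page or a real host).
SAMPLE_LOGS = [
    "Sep 06 10:01:02 web01 sshd[1123]: Accepted publickey for admin from 192.168.80.14 port 51022",
    "Sep 06 10:01:09 web01 kernel: Warning in somelongtext module reload",
    "Sep 06 10:02:33 db01 mysqld[882]: Error reading table users from 10.0.0.7",
    "Sep 06 10:03:10 web02 nginx: 192.168.80.201 GET /login 200",
    "Sep 06 10:04:44 db01 cron[771]: Warning: backup skipped",
]


def _term_regex(term: str) -> "re.Pattern":
    """Compile one search term as a word-anchored, case-insensitive regex.

    A term is a complete word (matches only that word) or, when it ends in '*',
    an initial substring (matches any word starting with it). Dots are treated
    as word characters so that '192.168*' matches '192.168.80.14'.
    """
    prefix = term.endswith("*")
    body = re.escape(term.rstrip("*"))
    tail = r"[\w.]*" if prefix else ""
    return re.compile(r"(?<![\w.])" + body + tail + r"(?![\w.])", re.IGNORECASE)


def search(lines: List[str], query: str, mode: str) -> List[str]:
    """Filter lines with one of the viewer's three search types.

    mode 'exact': the whole query is one literal phrase.
    mode 'all':   every space-separated word must appear, in any order.
    mode 'any':   at least one of the words must appear.
    """
    if mode == "exact":
        patterns, combine = [_term_regex(query.strip())], all
    elif mode == "all":
        patterns, combine = [_term_regex(t) for t in query.split()], all
    elif mode == "any":
        patterns, combine = [_term_regex(t) for t in query.split()], any
    else:
        raise ValueError(f"unknown search type: {mode}")
    return [ln for ln in lines if combine(p.search(ln) for p in patterns)]


def with_context(lines: List[str], query: str, mode: str, radius: int = 1) -> List[str]:
    """Return the matching lines plus `radius` neighbouring lines on each side,
    in file order, which is what the viewer's 'show context' option adds."""
    hits = set(search(lines, query, mode))
    keep = set()
    for i, ln in enumerate(lines):
        if ln in hits:
            keep.update(range(max(0, i - radius), min(len(lines), i + radius + 1)))
    return [lines[i] for i in sorted(keep)]


if __name__ == "__main__":
    for ln in with_context(SAMPLE_LOGS, "Error", "exact"):
        print(ln)
```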
  
=== Display and advanced search ===

Advanced options for log data display are available from Pandora FMS 7.0NG OUM727.

With this feature, log entries can be plotted as a graph, classifying the information according to '''data capture templates'''.

These data capture templates are basically regular expressions and identifiers that allow data sources to be analyzed and shown as a graph.

To access the advanced options, click ''Advanced options''. A form will appear where the type of result view can be chosen:

- Show log entries (plain text).
- Show log graph.

<center>
</center>
  
Bajo la opción ''mostrar gráfica de log'' podemos seleccionar el modelo de captura.  
+
Under the ''show log graphic'' option, the capture template can be selected.  
  
El modelo por defecto, ''Apache log model'', ofrece la posibilidad de parsear logs de Apache en formato estándar (access_log), pudiendo extraer gráficas comparativas de tiempo de respuesta, agrupando por página visitada y código de respuesta:
+
The ''Apache log model'' template by default offers the possibility of parsing Apache logs in standard format (access_log), enabling retrieving time response comparative graphics, sorting by visited site and response code:
  
 
<center>
 
<center>
Line 417: Line 411:
 
</center>
 
</center>
  
Al pulsar en el botón de editar, editaremos el modelo de captura seleccionado. Con el botón de crear agregaremos un nuevo modelo de captura.
+
By pressing the edit button, the selected capture template is edited. With the create button, a new capture template is added.
  
  
Line 425: Line 419:
  
  
En el formulario que aparece, podremos elegir:
 
  
;Título: un nombre para el modelo de captura.
+
In the form, the following can be chosen:
;Una expresión regular de captura de datos: cada campo a extraer se identifica con la subexpresión entre los paréntesis ''(expresión a capturar)''.
 
;Los campos: en el orden en que los hemos capturado con la expresión regular. Los resultados se agruparán por la concatenación de los campos clave, que son aquellos cuyo nombre no esté entre guiones bajos:
 
  
clave, _valor_
+
;Title: capture template name.
 +
;A data capture regular expression: each field to be retrieved is identified with a subexpression between brackets ''(expression to be captured)''.
 +
;Field: the order in which they have been captured through the regular expression. The results will be sorted by key field concatenation, those whose name is not written between underscores:
  
 +
key, _value_
  
clave1,clave2,_valor_
 
  
 +
key,key2,_value_
  
clave1,_valor_,clave2
 
  
 +
key1,_value_,key2
  
''Observación:'' Si no especificamos un campo valor, será automáticamente el conteo de apariciones que coinciden con la expresión regular.
 
  
''Observación 2:'' Si especificamos una columna ''valor'' podremos elegir entre representar el valor acumulado (comportamiento por defecto) o marcar el checkbox para representar el promedio.
+
''Comments:'' If the value field is not specified, it will be the number of regular expression matches automatically.
  
''Ejemplo''
+
''Comments 2:'' If a ''value'' column is specified, you may choose either representing the accumulated value (performance by default) or checking the checkbox to represent the average.
  
Si quisiéramos extraer entradas de un log con el siguiente formato:
+
''Example''
 +
 
 +
If log entries must be retrieved with the following format:
  
 
  Sep 19 12:05:01 nova systemd: Starting Session 6132 of user root.
 
  Sep 19 12:05:01 nova systemd: Starting Session 6132 of user root.
Line 452: Line 447:
  
  
Para contar el número de veces que se ha iniciado sesión, agrupando por usuario, usaremos:
+
To count the number of loins by user, use:
  
  
Expresión regular
+
Regular expression
  
 
  Starting Session \d+ of user (.*?)\.
 
  Starting Session \d+ of user (.*?)\.
  
  
Campos:
+
Fields:
  
 
  username
 
  username
  
  
Este modelo de captura nos devolverá el número de inicios de sesión por usuario del intervalo de tiempo que seleccionemos.
+
This capture template will return the number of logins by user during the selected time range.
  
  
Line 472: Line 467:
 
</center>
 
</center>
  
== Configuración de los agentes ==
+
== Agent configuration ==
  
La recolección de logs se hace mediante los agentes, tanto en el agente Windows como en los agentes Unix (Linux, MacOsX, Solaris, HPUX, AIX, BSD, etc). En el caso de los agentes Windows, también se puede obtener información del visor de eventos de Windows, utilizando los mismos filtros que en el módulo de monitorización del visor de eventos.
+
Log collection is done by both Windows and Unix agents (Linux, MacOsX, Solaris, HP-UX, AIX, BSD, etc). In the case of Windows agents, you can also obtain information from the Windows Event Viewer, using the same filters as in the monitoring module event viewer.
  
Veamos dos ejemplos para capturar información de logs, en Windows y en Unix:
+
Here are two examples to capture log information on windows and Unix:
  
=== En Windows ===
+
=== Windows ===
  
 
  module_begin
 
  module_begin
Line 495: Line 490:
 
  module_end
 
  module_end
  
En ambos casos, la única diferencia de un módulo de monitorización a la definición de una fuente de log, es:
+
In both cases, the only difference from monitoring module to the definition of a log source is:
  
 
  module_type log  
 
  module_type log  
  
Esta nueva sintaxis solo la entiende el agente de la versión 5.0, por lo que debe actualizar los agentes si quiere utilizar esta nueva funcionalidad Enterprise.
+
This new syntax only understands the agent version 5.0, so update the agents if you want to use this new enterprise feature.
 +
 
  
{{Warning|Para definir módulos de log en Windows será necesario hacerlo directamente en el fichero de configuración del agente. Si se crean directamente desde la consola, los módulos se quedarán en estado no inicializado.}}
+
 +
{{Warning|To define log modules in Windows it will be necessary to do it in the agent configuration file. If these modules are created directly in the console, the modules will be not initialized.}}
  
=== Sistemas Unix ===
+
=== Unix Systems ===
  
En Unix se utiliza un nuevo plugin, que viene con el agente de la versión 5.0. Su sintaxis es bien sencilla:
+
In Unix, a new plugin that comes with agent version 5.0 is used. Its syntax is simple:
  
 
  module_plugin grep_log_module /var/log/messages Syslog \.\*
 
  module_plugin grep_log_module /var/log/messages Syslog \.\*
  
Similar al plugin de parseo de logs (grep_log), el plugin grep_log_module envía la información procesada del log al colector de logs con el nombre de "Syslog" como origen del log. Utiliza la expresion regular \.\* (en este caso "todo") como patrón a la hora de elegir qué líneas enviamos y cuáles no.
+
Similar to the parsing logs plugin (grep_log), grep_log_module plugin sends the processed log information to the log collector named "Syslog" as the source of the log. Use the \.\* regular expression (In this case "all") as the pattern when choosing which lines will be sent and which ones will not.
  
  
[[Pandora:Documentation|Volver a Indice de Documentacion Pandora FMS]]
+
[[Pandora:Documentation_en|Go back to Pandora FMS documentation index]]
  
 
[[Category: Pandora FMS]]
 
[[Category: Pandora FMS]]
 
[[Category:Documentation]]
 
[[Category:Documentation]]

Revision as of 14:56, 11 May 2020


1 Log Collection

1.1 Introduction

Until now, Pandora FMS offered no solution for collecting and managing large volumes of log data; with version 5.0, Pandora FMS Enterprise offers one that can handle hundreds of megabytes of data per day. This solution allows you to reuse the same monitoring agents for log data collection, using a syntax very similar to the one already used for log monitoring.

Log monitoring in Pandora FMS is approached in two different ways:

  1. Based on modules: it represents logs in Pandora FMS as asynchronous monitors, and alerts can be associated with the detected entries that fulfil a series of conditions preconfigured by the user. The modular representation of the logs allows you to:
    1. Create modules that count the occurrences of a regular expression in a log.
    2. Obtain the lines and context of log messages
  2. Based on combined display: it allows the user to view in a single console all the information from logs of multiple origins that you may want to capture, organizing the information sequentially using the timestamp in which the logs were processed.

From version 7.0NG 712, Pandora FMS incorporates ElasticSearch to store log information, which brings a significant performance improvement.

1.2 How it works

The process is simple:



[Figure: LogsEsquema.png, log collection workflow]



  • The logs analysed by the agents (event log or text files) are forwarded to the Pandora FMS server in raw form inside the agent's XML report.
  • The Pandora FMS server (DataServer) receives the agent XML, which contains both monitoring and log information.
  • When the DataServer processes the XML data, it identifies the log information, keeps in the primary database the references to the reporting agent and the log source, and automatically sends the log content to ElasticSearch to be stored.
  • Pandora FMS stores the data in Elasticsearch indexes, generating one daily index per Pandora FMS instance.
  • The Pandora FMS server has a maintenance task that deletes indexes older than the interval defined by the system administrator (90 days by default).

1.3 Configuration

1.3.1 Server Configuration

The new log storage system, based on ElasticSearch, requires configuring several components.

Warning: From Pandora FMS version 745 onwards, there is no need to use LogStash, since the Pandora FMS server communicates directly with ElasticSearch, so the LogStash-related configuration below does not need to be applied.


1.3.1.1 Server Requirements

Each component (Pandora FMS Server, Elasticsearch) can be distributed on separate servers.

If you choose to place Elasticsearch and LogStash on the same server, the following is recommended:

  • CentOS 7.
  • At least 4 GB of RAM, although 6 GB of RAM are recommended for each ElasticSearch instance.
  • At least 2 CPU cores.
  • At least 20 GB of disk space for the system.
  • At least 50 GB of disk space for ElasticSearch data (the amount can differ depending on the amount of data to be stored).
  • Connectivity from the Pandora FMS server to the Elasticsearch API (port 9200/TCP by default).

1.3.1.2 Installing and configuring ElasticSearch

Before you begin installing these components, install Java on the machine:

yum install java

Once installed, install Elasticsearch following the official documentation: https://www.elastic.co/guide/en/elasticsearch/reference/7.6/install-elasticsearch.html

When installing in CentOS/Red Hat systems, the recommended installation is by means of rpm: https://www.elastic.co/guide/en/elasticsearch/reference/7.6/rpm.html


Configure the service:

Configure the network options and, optionally, the data locations (and the location of Elasticsearch's own logs) in the configuration file /etc/elasticsearch/elasticsearch.yml:

# ---------------------------------- Network -----------------------------------
# Set the bind address to a specific IP (IPv4 or IPv6):
http.host: 0.0.0.0
# Set a custom port for HTTP:
http.port: 9200
# ----------------------------------- Paths ------------------------------------
# Path to directory where to store the data (separate multiple locations by a comma):
path.data: /var/lib/elastic
# Path to log files:
path.logs: /var/log/elastic

Uncomment and define the following lines, entering the server's IP in the network.host parameter. Note that http.host: 0.0.0.0 above binds the REST API on every interface, and Elasticsearch 7.x ships with authentication disabled unless X-Pack security is enabled, so limit the listening address to the one the Pandora FMS server reaches and firewall 9200/TCP from everything else.

cluster.name: elkudemy
node.name: ${HOSTNAME}
bootstrap.memory_lock: true
network.host: ["127.0.0.1", "IP"]
  • cluster.name: Cluster name.
  • node.name: To name the node, with ${HOSTNAME} it will take that of the host.
  • bootstrap.memory_lock: It must always be "true".
  • network.host: Server IP.


The resources allocated to ElasticSearch must be adapted by adjusting the parameters in the configuration file /etc/elasticsearch/jvm.options. Set Xms and Xmx to the same value and use at least 2 GB; the 512m values shown below are too small for production use and must be raised:

# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms512m
-Xmx512m

The resources will be assigned according to the use of ElasticSearch. It is recommended to follow the official ElasticSearch documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html

Start the service:

systemctl start elasticsearch

Note: If the service fails to start, check the logs located at /var/log/elasticsearch/

To check ElasticSearch installation, just execute the following command:

curl -q http://{IP}:9200/

Which should return an output similar to this one:

{
  "name" : "3743885b95f9",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "7oJV9hXqRwOIZVPBRbWIYw",
  "version" : {
    "number" : "7.6.2",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "ef48eb35cf30adf4db14086e8aabd07ef6fb113f",
    "build_date" : "2020-03-26T06:34:37.794943Z",
    "build_snapshot" : false,
    "lucene_version" : "8.4.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}




1.3.1.3 Installing and configuring LogStash

Warning: From Pandora FMS version 745 onwards, there is no need to install LogStash.


Install LogStash 5.6.2 from the downloadable RPM from the Elasticsearch project website: https://artifacts.elastic.co/downloads/logstash/logstash-5.6.2.rpm

Once the package is downloaded, install it executing:

rpm -i logstash-X.X.X.rpm

Configure the service

Within logstash configuration, there are three configuration blocks:

  • Input: Indicates how information reaches logstash, format, port, and the identifier used to store information internally in Elastic.
  • Filter: a post-processing stage can be added here; it is not needed in this case, so it is left empty.
  • Output: Here comes the IP configuration and port where Elasticsearch will be listening. This is the place where the information processed by Logstash will be saved.


Configuration file:

/etc/logstash/conf.d/logstash.conf


Example of a configuration file:

# This input block listens on port 10516 for log entries sent by the Pandora FMS server.
# host is the address Logstash binds to; 0.0.0.0 listens on every interface.
# codec => "json" indicates that the lines received are expected to be in JSON format.
# type => "pandora_remote_log_entry" is an identifier for this stream in the pipeline.
input {
 tcp {
    host  => "0.0.0.0"
    port  => 10516
    codec => "json"
    type  => "pandora_remote_log_entry"
 }
}
# This is an empty filter block. Further filters may be added here later to process
# the log lines.
filter { }
# Replace 0.0.0.0 with the address of the Elasticsearch server.
output {
  elasticsearch { hosts => ["0.0.0.0:9200"] }
}

In the output block, enter the Elasticsearch server IP in the hosts parameter instead of "0.0.0.0" (0.0.0.0 is a bind address, not a valid destination). The host in the input block may stay at "0.0.0.0" so that Logstash listens on every interface, but port 10516 accepts unauthenticated JSON from any sender that can reach it, so restrict it with a firewall to the Pandora FMS server's address.

The situation is very similar in the case of the "logstash-sample.conf" file, where the Elasticsearch server IP must be entered in place of "localhost".

Start the service:

systemctl start logstash

Note: If you try to install LogStash in Centos 6 despite our recommendation, you can start it with the following command:

initctl start logstash

1.3.1.4 Configuration parameters in Pandora FMS Server

Warning: From Pandora FMS version 745 there is no need to edit the server configuration file, since all the configuration is set through the console when log collection is enabled.


You will need to add the following configuration to Pandora FMS Server configuration file (/etc/pandora/pandora_server.conf) so that Pandora FMS DataServer processes the log information.

Important: Any log that reaches Pandora FMS without this configuration active will be discarded.

logstash_host eli.artica.lan
logstash_port 10516

1.3.1.5 Pandora FMS SyslogServer

From Pandora FMS version 717, a new component appeared: SyslogServer.

This component allows Pandora FMS to analyse the syslog of the machine where it runs, parsing its content and storing the entries in the ElasticSearch server.

The main advantage of SyslogServer is that it complements log unification: since Linux and Unix systems can forward their syslog to a remote host, SyslogServer makes logs searchable regardless of their origin from a single common point, the Pandora FMS console log viewer.

Install rsyslog on both the client and the server:

yum install rsyslog

Once rsyslog is installed on the computers you wish to work with, edit its configuration file on the server to enable the TCP and UDP inputs (the commented-out imudp and imtcp module and input lines):

/etc/rsyslog.conf

After adjusting this, stop and restart the rsyslog service.

After the service runs again, check that port 514 is listening:

netstat -ltnp

After enabling the service and checking the ports, configure the client so that it sends logs to the server. To that end, go to the rsyslog configuration file once more.

/etc/rsyslog.conf

Locate and enable the line that configures the remote host, and specify what you wish to send. To forward everything, it looks as follows:

*.* @@remote-host:514

Here @@ forwards over TCP (a single @ would use UDP). Plain syslog forwarding carries no authentication or encryption, so the server's port 514 should only be reachable from the senders you expect.

Note: Log sending generates a container agent named after the client, so it is recommended to create agents whose alias matches the client's hostname, avoiding duplicate agents.


For more information about rsyslog configuration, visit their official website: https://www.rsyslog.com/

To enable this feature, add the following content to the server configuration file (/etc/pandora/pandora_server.conf):


# Enable (1) or disable (0) the Pandora FMS Syslog Server (PANDORA FMS ENTERPRISE ONLY).
syslogserver 1
# Full path to syslog's output file (PANDORA FMS ENTERPRISE ONLY).
syslog_file /var/log/messages
# Number of threads for the Syslog Server (PANDORA FMS ENTERPRISE ONLY).
syslog_threads 2
# Maximum number of lines queued by the Syslog Server's producer on each run (PANDORA FMS ENTERPRISE ONLY).
syslog_max 65535


A LogStash/ElasticSearch server must be enabled and configured. Review the preceding points to learn how to configure it.

  • syslogserver: boolean, enables (1) or disables (0) the local SYSLOG analysis engine.
  • syslog_file: location of the file where the SYSLOG entries are delivered.
  • syslog_threads: maximum number of threads to be used in the SyslogServer producer/consumer system.
  • syslog_max: the maximum processing window for SyslogServer, i.e. the maximum number of SYSLOG entries that will be processed in each iteration.

Warning: It is necessary to modify the configuration of your devices so that their logs are sent to the Pandora FMS server.


1.3.1.6 Recommendations

1.3.1.6.1 Log rotation for Elasticsearch and Logstash

Important: It is recommended to create a new logrotate entry in /etc/logrotate.d for these daemons' logs, to prevent the Elasticsearch or LogStash logs from growing endlessly:

cat > /etc/logrotate.d/elastic <<EOF
/var/log/elastic/elasticsearch.log
/var/log/logstash/logstash-plain.log {
       weekly
       missingok
       size 300000
       rotate 3
       maxage 90
       compress
       notifempty
       copytruncate
}
EOF

1.3.1.6.2 Index Purging

You may check at any time the list of indexes and their size by launching a cURL request against the ElasticSearch server:

curl -q http://elastic:9200/_cat/indices?

Where "elastic" is the server's hostname or IP.

To remove any of these indexes, issue a DELETE request:

curl -q -XDELETE http://elastic:9200/logstash-2017.09.06

Where "elastic" is the server's hostname or IP, and "logstash-2017.09.06" is one of the index names listed by the previous command. Bear in mind that any host able to reach port 9200 can issue the same DELETE, which is why that port should only be reachable from the Pandora FMS server.

This will free up the space used by the removed index.
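As an added example (not a Pandora FMS tool; the server's own maintenance task already purges indexes after the configured number of days), the following Python script performs the listing and deletion above against the Elasticsearch REST API with a dry-run default and an age cut-off, so that a manual purge does not remove the wrong index. It assumes daily indexes carry a -YYYY.MM.DD suffix as in the example name above and uses only the standard library; the sample _cat/indices listing is constructed.

```python
import datetime as dt
import json
import re
import urllib.request

# Assumption: daily indices carry a -YYYY.MM.DD suffix, as in the
# "logstash-2017.09.06" example above. Anything else (.kibana, ...) is ignored.
DAILY_INDEX = re.compile(r"^(?P<name>[\w.-]+-(?P<y>\d{4})\.(?P<m>\d{2})\.(?P<d>\d{2}))$")

# Constructed sample of `_cat/indices` output (default columns: health, status,
# index, uuid, pri, rep, docs.count, docs.deleted, store.size, pri.store.size).
SAMPLE_CAT_OUTPUT = """\
green open logstash-2017.09.06 Xk1aQ 1 0 1200 0 1.2mb 1.2mb
green open logstash-2017.09.01 Yk2bR 1 0  800 0 900kb 900kb
green open .kibana_1           Zk3cS 1 0    1 0   4kb   4kb
"""


def select_expired(cat_output, today, keep_days):
    """Return the daily indices in `cat_output` that are more than keep_days old.

    `today` may be a datetime.date or an ISO date string. Works on the text
    returned by both `_cat/indices` and `_cat/indices?h=index`."""
    if isinstance(today, str):
        today = dt.date.fromisoformat(today)
    expired = []
    for line in cat_output.splitlines():
        for token in line.split():
            m = DAILY_INDEX.match(token)
            if not m:
                continue
            created = dt.date(int(m["y"]), int(m["m"]), int(m["d"]))
            if (today - created).days > keep_days:
                expired.append(m["name"])
    return sorted(expired)


def purge_indices(base_url, keep_days, dry_run=True):
    """List the indices on `base_url` (e.g. http://elastic:9200) and delete the
    expired ones. Defaults to a dry run; pass dry_run=False to really delete."""
    with urllib.request.urlopen(f"{base_url}/_cat/indices?h=index", timeout=10) as resp:
        listing = resp.read().decode()
    expired = select_expired(listing, dt.date.today(), keep_days)
    for name in expired:
        if dry_run:
            print(f"[dry-run] would DELETE {base_url}/{name}")
            continue
        req = urllib.request.Request(f"{base_url}/{name}", method="DELETE")
        with urllib.request.urlopen(req, timeout=30) as resp:
            print(name, "acknowledged:", json.loads(resp.read()).get("acknowledged"))
    return expired


if __name__ == "__main__":
    # Offline demonstration on the constructed listing.
    print(select_expired(SAMPLE_CAT_OUTPUT, "2017-09-10", 5))  # ['logstash-2017.09.01']
```

Run purge_indices("http://elastic:9200", 90) first to see what would be deleted, then again with dry_run=False. Indexes without a date suffix are never touched, and the cut-off is strictly "older than keep_days", so the index for the boundary day is kept.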

1.3.2 Console Settings

To enable the log system display, enable the following configuration:

[Figure: Logs1.JPG]

Then set the log viewer behaviour in the 'Log Collector' tab:

[Figure: Logs2.JPG]


On this screen configure:

  • IP or FQDN address of the server that hosts the Elasticsearch service
  • Port through which the service is being given to Elasticsearch
  • Number of logs being shown. To speed up the response of the console, dynamic loading of records has been added: when the user scrolls to the bottom of the page, the next set of available records is loaded. The size of these sets is the number of records per group set in this field.
  • Days to purge: to keep the system's size bounded, you can define a maximum number of days for which the log information will be stored; after that, it is automatically deleted by the Pandora FMS cleaning process.

1.4 Migration to LogStash + Elasticsearch system

After setting up the new log storage system, migrate all the log data previously stored by Pandora FMS on disk to the new system.


To migrate it to the new system, run the following script that can be found in /usr/share/pandora_server/util/


# Migrate Log Data < 7.0NG 712 to >= 7.0NG 712
/usr/share/pandora_server/util/pandora_migrate_logs.pl /etc/pandora/pandora_server.conf

1.5 Display and Search

In a log collecting tool, two things are the main concerns: looking for information, filtering by date, data sources and/or keywords, and seeing that information drawn in occurrences by time unit. In this example, all log messages from all sources in the last hour are looked for:


[Figure: LogsVistaNew.png, view of occurrences over time]




There is a series of filters that can be used to display information:

  • Filter by search type: exact match, all words or any word.
  • Filter by message content: it searches the desired text in the content of the message.
  • Filter by log source (source id).
  • Agent Filter: it narrows down the search results to those generated by the selected agent.
  • Filter by group: it limits the selection of agents in the agent filter.
  • Filter by date.


The most important and useful field will be the search string (search on the screenshot). This can be a simple text string, as in the previous case or a wildcard expression, as for example an IP address:

192.168*

Note: Searches should be done using complete words or beginning sub-strings of the search words (a trailing * marks a prefix). For example:

192.168.80.14
192.168*
Warning in somelongtext
Warning in some*

One of the three types of search must be selected:

  • Exact match: Literal string search.

[Figure: LogsVistaNew2.png]


  • All words: Search of all the indicated words, regardless of the order, taking into account that each word is separated by spaces.

[Figure: LogsVistaNew4.png]


  • Any word: Search of any indicated word, regardless of the order, taking into account that each word is separated by spaces.

[Figure: LogsVistaNew5.png]


If the option to see the context of the filtered content is checked, the result will be an overview of the situation with information about other log lines related to your search:


[Figure: LogsVistaNew3.png]
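To make the three search types and the prefix rule above concrete, here is an added example (not code from the Pandora FMS console, which delegates matching to Elasticsearch) that filters constructed syslog lines the way "exact match", "all words" and "any word" behave. The tokenizer is a simplification of Elasticsearch's analyzer and is an assumption of this example, as are the sample lines.

```python
import re

# Constructed sample syslog lines (not taken from the page's log viewer).
SAMPLE_LINES = [
    "Sep 19 12:05:01 nova sshd[2210]: Accepted publickey for admin from 192.168.80.14 port 51122 ssh2",
    "Sep 19 12:05:07 nova sshd[2231]: Failed password for invalid user test from 192.168.80.99 port 51130 ssh2",
    "Sep 19 12:06:00 nova kernel: Warning in somelongtext: disk /dev/sda1 at 92% capacity",
    "Sep 19 12:06:30 nova cron[2301]: (root) CMD (run-parts /etc/cron.hourly)",
]

_TOKEN = re.compile(r"[\w.*]+")


def tokenize(text):
    """Simplified stand-in for the Elasticsearch analyzer (assumption): lower-case,
    keep words and dotted numbers such as IP addresses, drop other punctuation."""
    return [t.strip(".") for t in _TOKEN.findall(text.lower()) if t.strip(".")]


def term_matches(term, token):
    # A trailing '*' turns the term into a prefix; otherwise the whole word must match.
    if term.endswith("*"):
        return token.startswith(term[:-1])
    return term == token


def phrase_in(terms, tokens):
    """True if `terms` occur consecutively, in order, somewhere in `tokens`."""
    n = len(terms)
    return any(all(term_matches(terms[j], tokens[i + j]) for j in range(n))
               for i in range(len(tokens) - n + 1))


def search_logs(lines, query, mode):
    """Filter `lines` with the three console search types: "exact" (the words in
    order, as a phrase), "all" (every word, any order) or "any" (at least one word)."""
    terms = tokenize(query)
    hits = []
    for line in lines:
        tokens = tokenize(line)
        if mode == "exact":
            ok = phrase_in(terms, tokens)
        elif mode == "all":
            ok = all(any(term_matches(t, tok) for tok in tokens) for t in terms)
        elif mode == "any":
            ok = any(any(term_matches(t, tok) for tok in tokens) for t in terms)
        else:
            raise ValueError(f"unknown search type {mode!r}")
        if ok:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for query, mode in [("192.168*", "exact"), ("Warning in some*", "exact"),
                        ("arning", "exact"), ("failed 192.168*", "all"),
                        ("failed accepted", "any")]:
        print(f"{mode:5} {query!r}: {len(search_logs(SAMPLE_LINES, query, mode))} line(s)")
```

The contrast to notice is that "arning" never matches while "Warning in some*" does: matching is by whole tokens, so a prefix must be marked with * and a substring in the middle of a word cannot be found. "in warning" as an exact match also fails because the words are not in that order, while the same query as "all words" succeeds.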


1.5.1 Display and advanced search

Advanced log data display options are available from Pandora FMS 7.0NG OUM727.

With this feature, log entries can be turned into a graph, classifying the information according to data capture templates.

These data capture templates are basically regular expressions and identifiers that allow data sources to be parsed and shown as a graph.


To access the advanced options, press Advanced options. A form where the result view type can be chosen will appear:

  • Show log entries (plain text).
  • Show log graphic.

[Figure: Graph log.png]

Under the show log graphic option, the capture template can be selected.

The default template, Apache log model, parses Apache logs in standard format (access_log) and produces comparative response time graphs, grouped by requested page and response code:

[Figure: Graph log2.png]

Pressing the edit button edits the selected capture template. The create button adds a new capture template.


[Figure: Graph log3.png]


In the form, the following can be set:

  • Title: capture template name.
  • A data capture regular expression: each field to be retrieved is identified with a subexpression between parentheses (expression to be captured).
  • Fields: the field names, in the order in which they are captured by the regular expression. The results are grouped by the concatenation of the key fields, which are those whose name is not written between underscores:

key,_value_

key1,key2,_value_

key1,_value_,key2

Note: If no value field is specified, the value is automatically the number of matches of the regular expression.

Note 2: If a value column is specified, you may choose between representing the accumulated value (default behaviour) or checking the checkbox to represent the average.

Example

If log entries must be retrieved with the following format:

Sep 19 12:05:01 nova systemd: Starting Session 6132 of user root.
Sep 19 12:05:01 nova systemd: Starting Session 6131 of user root.


To count the number of logins by user, use:


Regular expression

Starting Session \d+ of user (.*?)\.


Fields:

username


This capture template will return the number of logins by user during the selected time range.


[Figure: Graph log4.png]
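The capture-template semantics described above (key fields grouped by concatenation, the _value_ field summed or averaged, a plain match count when no value field is given), as an added example that is not the console's own implementation. It runs the page's systemd example and an Apache access_log variant over constructed sample lines; the Apache regular expression, its field names and the %D request-time column are this example's assumptions, not the built-in "Apache log model" template.

```python
import re
from collections import defaultdict


def apply_capture_template(lines, regex, fields, average=False):
    """Group log lines the way a Pandora FMS capture template does.

    `fields` names the regex capture groups in order. A name wrapped in
    underscores (e.g. "_time_") is the value column; every other name is a
    key. Results are keyed by the comma-joined key fields. Without a value
    column the result is a match count; with one it is the sum of the value
    (default) or its average (average=True).
    """
    pattern = re.compile(regex)
    is_value = [f.startswith("_") and f.endswith("_") for f in fields]
    if sum(is_value) > 1:
        raise ValueError("at most one _value_ field is allowed")
    value_pos = is_value.index(True) if any(is_value) else None
    key_pos = [i for i, v in enumerate(is_value) if not v]

    totals = defaultdict(float)
    counts = defaultdict(int)
    for line in lines:
        match = pattern.search(line)
        if not match:
            continue
        groups = match.groups()
        if len(groups) != len(fields):
            raise ValueError(f"regex has {len(groups)} groups but {len(fields)} fields were given")
        key = ",".join(groups[i] for i in key_pos)
        counts[key] += 1
        if value_pos is not None:
            totals[key] += float(groups[value_pos])

    if value_pos is None:
        return dict(counts)
    if average:
        return {k: totals[k] / counts[k] for k in totals}
    return dict(totals)


# Constructed sample input: the systemd lines from the page plus two extra ones.
SYSTEMD_LINES = [
    "Sep 19 12:05:01 nova systemd: Starting Session 6132 of user root.",
    "Sep 19 12:05:01 nova systemd: Starting Session 6131 of user root.",
    "Sep 19 12:06:10 nova systemd: Starting Session 6133 of user admin.",
    "Sep 19 12:06:12 nova sshd[1234]: Failed password for invalid user test from 10.0.0.5 port 51122 ssh2",
]

# Constructed Apache access_log lines (combined format with %D, the request time
# in microseconds, appended). The regex below is this example's own assumption,
# not the console's built-in "Apache log model".
APACHE_LINES = [
    '10.0.0.5 - - [19/Sep/2017:12:05:01 +0200] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/7.64" 1500',
    '10.0.0.5 - - [19/Sep/2017:12:05:02 +0200] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/7.64" 2500',
    '10.0.0.6 - - [19/Sep/2017:12:05:03 +0200] "GET /admin HTTP/1.1" 403 199 "-" "curl/7.64" 800',
]
APACHE_REGEX = r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "[^"]*" (\d+)$'
APACHE_FIELDS = ["page", "code", "_time_"]


def logins_per_user():
    """The page's example: count sessions per user, no value field."""
    return apply_capture_template(SYSTEMD_LINES, r"Starting Session \d+ of user (.*?)\.", ["username"])


def response_time_by_page(average=False):
    """Sum (or average) the request time per page and response code."""
    return apply_capture_template(APACHE_LINES, APACHE_REGEX, APACHE_FIELDS, average=average)


if __name__ == "__main__":
    print(logins_per_user())                  # {'root': 2, 'admin': 1}
    print(response_time_by_page())            # {'/index.html,200': 4000.0, '/admin,403': 800.0}
    print(response_time_by_page(average=True))  # {'/index.html,200': 2000.0, '/admin,403': 800.0}
```

The sshd line never matches the regular expression and so does not contribute to any group, which is the behaviour to expect from a template: lines outside its pattern are silently ignored rather than counted.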

1.6 Agent configuration

Log collection is done by both Windows and Unix agents (Linux, MacOS X, Solaris, HP-UX, AIX, BSD, etc.). In the case of Windows agents, information can also be obtained from the Windows Event Viewer, using the same filters as in the event viewer monitoring module.

Here are two examples to capture log information on windows and Unix:

1.6.1 Windows

module_begin
module_name Eventlog_System
module_type log
module_logevent
module_source System
module_end 
module_begin
module_name PandoraAgent_log
module_type log
module_regexp C:\archivos de programa\pandora_agent\pandora_agent.log
module_description This module will return all lines from the specified logfile
module_pattern .*
module_end

In both cases, the only difference from monitoring module to the definition of a log source is:

module_type log 

Only agents of version 5.0 or later understand this syntax, so update the agents if you want to use this new Enterprise feature.

Warning: To define log modules in Windows, it is necessary to do so in the agent configuration file. If these modules are created directly in the console, they will remain in a not-initialized state.


1.6.2 Unix Systems

In Unix, a new plugin that comes with agent version 5.0 is used. Its syntax is simple:

module_plugin grep_log_module /var/log/messages Syslog \.\*

Similar to the log parsing plugin (grep_log), the grep_log_module plugin sends the processed log information to the log collector with "Syslog" as the log source name. The last argument is the regular expression used to decide which lines are sent and which are not; \.\* is the escaped form of .* and in this case matches every line, so the whole file is forwarded, including any sensitive data it may contain.
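To show what the plugin's job amounts to, here is an added Python example (not the grep_log_module plugin's own code; the page does not describe the plugin's internal state handling or the XML it emits): it reads a log file incrementally between runs, keeps only the lines matching the pattern, leaves a half-written last line for the next run, and restarts when the file has been rotated or truncated. The inode/offset state dictionary and the sample lines are this example's assumptions.

```python
import os
import re
import tempfile

# Constructed sample data: two complete lines and one still being written.
SAMPLE_CHUNK = (
    b"Sep 19 12:05:01 nova sshd[2210]: Accepted publickey for admin from 192.168.80.14\n"
    b"Sep 19 12:05:07 nova sshd[2231]: Failed password for invalid user test from 192.168.80.99\n"
    b"Sep 19 12:06:00 nova kernel: partial"
)
# A narrower pattern than \.\*: only authentication events are forwarded.
AUTH_PATTERN = re.compile(r"Failed password|Accepted publickey")


def scan_new_lines(chunk, pattern):
    """Return (matching lines, bytes consumed) for newly appended data.

    Only complete lines are consumed; a trailing partial line (no newline yet)
    is left for the next run so it is never forwarded half-written."""
    end = chunk.rfind(b"\n") + 1
    matches = []
    for raw in chunk[:end].splitlines():
        line = raw.decode("utf-8", errors="replace")
        if pattern.search(line):
            matches.append(line)
    return matches, end


def collect(path, state, pattern):
    """Read `path` incrementally, like a grep_log-style plugin run by the agent.

    `state` is a dict the caller persists between runs: {"inode": ..., "offset": ...}.
    A changed inode (logrotate moved the file) or a size below the saved offset
    (truncation) restarts from the beginning instead of reading stale bytes."""
    st = os.stat(path)
    offset = state.get("offset", 0)
    if state.get("inode") != st.st_ino or st.st_size < offset:
        offset = 0
    with open(path, "rb") as fh:
        fh.seek(offset)
        matches, consumed = scan_new_lines(fh.read(), pattern)
    state.update(inode=st.st_ino, offset=offset + consumed)
    return matches


def demo_rotation():
    """Exercise collect() over three runs: initial read, append, logrotate-style move."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "messages")
        state = {}
        with open(path, "wb") as fh:
            fh.write(SAMPLE_CHUNK)
        first = collect(path, state, AUTH_PATTERN)      # two auth events
        with open(path, "ab") as fh:
            fh.write(b" line done\n")                     # completes the kernel line
        second = collect(path, state, AUTH_PATTERN)     # nothing matches
        os.rename(path, path + ".1")                    # logrotate moves the file...
        with open(path, "wb") as fh:                    # ...and a new one appears
            fh.write(b"Sep 20 00:00:01 nova sshd[9]: Accepted publickey for admin from 10.0.0.9\n")
        third = collect(path, state, AUTH_PATTERN)      # offset reset, one event
        return first, second, third


if __name__ == "__main__":
    for run in demo_rotation():
        print(run)
```

The pattern is where data volume and exposure are decided: \.\* forwards every line, including anything sensitive the log contains, whereas a pattern such as AUTH_PATTERN forwards only the authentication events the collector needs.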

