Logstash rules for Icinga logs
widhalmt Update README.md
Fix a broken link
Latest commit bf40678 Aug 9, 2019
Type Name Latest commit message Commit time
dashboards A first try to add useful dashboards May 22, 2019
doc Add filters to parse "object" field. Jul 30, 2019
AUTHORS Add AUTHORS file May 21, 2019
LICENSE Initial commit Mar 20, 2019
README.md Update README.md Aug 9, 2019
contribution.json Updated documentation May 31, 2019
filter-10-header.conf add filter rules for apilistener Mar 26, 2019
filter-50-apilistener.conf Start work on ConfigObjectUtility Jul 30, 2019
filter-50-checkable.conf Fixed typo in checkable.conf May 31, 2019
filter-50-checker.conf Adjusted all configs to match naming scheme May 24, 2019
filter-50-configobject.conf Ecs (#42) Jul 11, 2019
filter-50-configobjectutility.conf Start work on ConfigObjectUtility Jul 30, 2019
filter-50-dbconnection.conf Add rule for dbconnection May 29, 2019
filter-50-dependency.conf fix failed tag in dependency Jul 30, 2019
filter-50-graphitewriter.conf Ecs (#42) Jul 11, 2019
filter-50-httpserverconnection.conf Ecs (#42) Jul 11, 2019
filter-50-idomysqlconnection.conf Add rules for idomysqlconnection logs May 29, 2019
filter-50-jsonrpcconnection.conf Adjusted all configs to match naming scheme May 24, 2019
filter-50-legacytimeperiod.conf Add rules for legacytimeperiod May 31, 2019
filter-50-notification.conf Add filters to parse "object" field. Jul 30, 2019
filter-50-pluginchecktask.conf Ecs (#42) Jul 11, 2019
filter-50-process.conf Ecs (#42) Jul 11, 2019
filter-50-remotecheckqueue.conf Adjusted all configs to match naming scheme May 24, 2019
filter-50-tcpsocket.conf add rules for tcpsocket May 28, 2019
filter-50-timeperiod.conf add rule for timeperiod May 29, 2019
filter-50-tlsstream.conf Adjusted all configs to match naming scheme May 24, 2019
filter-50-workqueue.conf start with "WorkQueue" filter rules Mar 29, 2019
filter-60-useragent.conf Ecs (#42) Jul 11, 2019
filter-70-component.conf change generic component filter to use less ressources due to better … May 10, 2019
filter-80-ecs.conf Ecs (#42) Jul 11, 2019
filter-80-object.conf Add filters to parse "object" field. Jul 30, 2019
filter-90-todo.conf fix several typos in filter-50-apilistener Mar 27, 2019
input.conf initial import of basic files Mar 20, 2019
output.conf initial import of basic files Mar 20, 2019

README.md

logstash-icinga

Logstash rules for Icinga logs

Usage

These filters are intended to be used within their own pipeline in Logstash. They include input and output configuration to a local Redis instance with hard coded names for keys in which you should write and read all your Icinga logs. (More details below)

If you are not familiar with multi-pipeline setups, please refer to the Logstash documentation.

For ease of use this pipeline will read from a Redis instance listening on localhost. It expects the Icinga logs to be found just as they were on disk in the key icinga.

After processing the pipeline places the parsed logs into the same Redis instance but in key forwarder. If you don't like this behaviour feel free to change the files input.conf and output.conf.

If you need a jumpstart, these docs show you a simple configuration for Filebeat and Logstash.

Capabilities

The logs will be parsed and split into fields wherever we see a possible use. Field names follow the Elastic Common Schema (ECS) where it fits and otherwise stick to a nomenclature that should not interfere with your other field names. For details see the docs. Short version: all fields not covered by ECS are subfields of the icinga field.

In the dashboards directory there are some sample dashboards you can use with this ruleset.

Every rule adds a tag and a field you can use to identify every known log event. There is also a global rule that adds the version of the ruleset.
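As an added example (not one of the repository's own files), here is a single-file pipeline in the same shape as the Redis wiring described under Usage and the tag, field and version rules described under Capabilities. It assumes the default Icinga 2 log line layout, and the tag, field and version names in it are assumptions, not the ruleset's own.

```logstash
# Added example in the shape of this ruleset, not one of its files. Assumes the
# default Icinga 2 line layout "[2019-08-09 10:39:51 +0200] information/ApiListener: ...";
# tag, field and version names are assumed, not the ruleset's own.
input {
  redis {
    host      => "localhost"
    data_type => "list"
    key       => "icinga"       # raw lines, as they were on disk
  }
}

filter {
  # Common header: log.level is ECS, everything else sits below "icinga"
  # so it cannot clash with field names from your other sources.
  grok {
    pattern_definitions => { "ICINGA_TS" => "%{TIMESTAMP_ISO8601} %{ISO8601_TIMEZONE}" }
    match => { "message" => "\[%{ICINGA_TS:[icinga][timestamp]}\] %{LOGLEVEL:[log][level]}/%{WORD:[icinga][facility]}: %{GREEDYDATA:[icinga][message]}" }
    tag_on_failure => ["_icinga_header_unparsed"]
  }

  if "_icinga_header_unparsed" not in [tags] {
    # Use the time Icinga wrote the line rather than the time Logstash read it.
    date {
      match  => ["[icinga][timestamp]", "yyyy-MM-dd HH:mm:ss Z"]
      target => "@timestamp"
    }

    # One "known log event" rule, as the filter-50-* files do it: a tag plus a
    # field, both usable in searches and the sample dashboards.
    if [icinga][facility] == "ApiListener" and [icinga][message] =~ /^New client connection/ {
      mutate {
        add_tag   => ["icinga_apilistener_new_connection"]
        add_field => { "[icinga][event]" => "apilistener.new_connection" }
      }
    }
    # Global rule: stamp every event with the ruleset version that parsed it.
    mutate {
      add_field => { "[icinga][ruleset][version]" => "example-0.1" }
    }
  }
}

output {
  redis {
    host      => "localhost"
    data_type => "list"
    key       => "forwarder"    # your main pipeline reads from this key
  }
}
```

Register the file as its own entry in pipelines.yml so it runs separately from your other pipelines, as the Usage section describes.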

Status / Contributing

Icinga 2 is always changing and so are its logs. We try to keep the rules as close to the set of possible log entries as possible, but we might always be a bit behind the current version.

In fact, the first version is not complete but it should be a good starting point.

If you need more rules, feel free to change the files, but please do send us a pull request so we can incorporate them and every user can benefit.
