New to Nagios Log Server Questions

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
jgz1993
Posts: 1
Joined: Thu Mar 03, 2016 3:15 pm

New to Nagios Log Server Questions

Post by jgz1993 »

I am new to Nagios Log Server, and I have a few questions.

1) Currently, I am running the appliance as I evaluate the product. Upon purchase, I would like to migrate from the appliance to a CentOS7 server. I am looking for backup and migration instructions. Currently, it is very simple. I have the one appliance. I am expecting to be able to migrate to a single instance with the expectation that I will add a second instance later for redundancy.

2) I want to be able to create some pretty specific email templates. Am I correct in assuming that all the logic for the alert is located in the query created for the alert?

Are these the only variables available for use in the templates:
<p>Time: %time%</p>
<p>Alertname: %alertname%</p>
<p>State: %state%</p>
<p>Lookback: %lookback%</p>
<p>Warning: %warning%</p>
<p>Critical: %critical%</p>
<p>Message Body Only</p>
<p>Output: %output%</p>
<p>URL: %url%</p>
<p>UniqueHosts: </p>
<p>%uniquehosts%</p>
<p>Last 10 Alert Logs:</p>
<p>%last10alertlogs%</p>

4) I have added sources. I can find the sources. How do I view/modify configuration of the sources once they have been created?

5) I see posts in here with logic script in the queries. Where do I put that? And where do I find more information on the syntax, variables available, etc.?

Thank you
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: New to Nagios Log Server Questions

Post by hsmith »

jgz1993 wrote: 1) Currently, I am running the appliance as I evaluate the product. Upon purchase, I would like to migrate from the appliance to a CentOS7 server. I am looking for backup and migration instructions. Currently, it is very simple. I have the one appliance. I am expecting to be able to migrate to a single instance with the expectation that I will add a second instance later for redundancy.
Should be easy enough. I am running all of my NLS instances on 7.
jgz1993 wrote: I want to be able to create some pretty specific email templates. Am I correct in assuming that all the logic for the alert is located in the query created for the alert?
There's a bit of logic to the alert itself, but as far as the information for the alert, it comes from the Query.
jgz1993 wrote: Are these the only variables available for use in the templates:
Currently, but we intend to add more in the future.
jgz1993 wrote: I have added sources. I can find the sources. How do I view/modify configuration of the sources once they have been created?
You don't really. NLS is kind of 'passive'. It receives logs and stores them as they are sent. Is there specifically something you're trying to figure out how to do?
jgz1993 wrote: I see posts in here with logic script in the queries. Where do I put that? And where do I find more information on the syntax, variables available, etc.?
Perhaps take a look at one of our customer forum posts by @jolson:
jolson wrote:
First, what is the use difference between QUERY and FILTERING?
The distinction seems small at first, but grows as you get more familiar with the product.

The basic difference is that filters are used for filtering out logs you do not want to see, or filtering in logs that you do want to see.

Queries are used for searching through the remaining information.

You can apply several filters (filter by host, username, and ip address range, for example). You can use AND and OR operations between your filters.

Queries can _only_ use the OR operator, because Nagios Log Server expects that anything you query for you _want to see_ - multiple queries means multiple representations of data. For example:
[Image: 2015-12-23 11_38_08-Dashboard • Nagios Log Server.png]
The two queries are displayed side-by-side on that graph, because it is assumed that anything you query is something you'd like to see (on graphs, charts, etc) - be sure to keep this in mind when designing your dashboards.

Filters are a more low-level construct for getting rid of noise.

That about described the difference between them in my mind. Let me know if you have any questions.
Are there any docs with use case examples on creating queries/filters. The simple queries are easy, but it would be great to see what I can do with log server.
While I agree that an extensive guide would be useful that directly relates to NLS, we haven't generated one - mostly because there are several great guides on the internet already. Here are some of my favorites:
https://www.elastic.co/guide/en/kibana/ ... lters.html
https://www.mjt.me.uk/posts/kibana-101/
Former Nagios Employee.
me.
uranium194
Posts: 7
Joined: Tue Sep 13, 2016 10:18 am

Re: New to Nagios Log Server Questions

Post by uranium194 »

jgz1993 wrote: Are these the only variables available for use in the templates:
<p>Time: %time%</p>
<p>Alertname: %alertname%</p>
<p>State: %state%</p>
<p>Lookback: %lookback%</p>
<p>Warning: %warning%</p>
<p>Critical: %critical%</p>
<p>Message Body Only</p>
<p>Output: %output%</p>
<p>URL: %url%</p>
<p>UniqueHosts: </p>
<p>%uniquehosts%</p>
<p>Last 10 Alert Logs:</p>
<p>%last10alertlogs%</p>
hsmith wrote: Currently, but we intend to add more in the future.
Is this still the current list? If not, where might one find the updated list? I'd like to see more control over the email templates; the queries are so strong, but my email templates are almost too generic.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: New to Nagios Log Server Questions

Post by mcapra »

Looking at the most recent git commit, that list is still current.
Former Nagios employee
https://www.mcapra.com/
uranium194
Posts: 7
Joined: Tue Sep 13, 2016 10:18 am

Re: New to Nagios Log Server Questions

Post by uranium194 »

Thank you for that reply, that was helpful. However, new issue that I cannot seem to find anything on. Are email templates "limited"? It seems that I can only have so many templates before they stop showing on the screen (cannot seem to scroll down either), but if I delete a template they are there just off the screen. I ask because they are not useable in actual alerts until they are visible on the screen.

I have verified this on 3 different browsers (Safari, Firefox and IE)
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: New to Nagios Log Server Questions

Post by mcapra »

I have replicated this and identified the issue. Will update this post with the bug report ID once I know more specifics about the issue.

You should see all of your templates with the following executed from the CLI:

Code:

curl -XGET "http://localhost:9200/nagioslogserver/_search?type=email_template&size=200&pretty"
On the back-end, this result is limited to 10 entries (&size=200 is key here). That's why you're not seeing all of them.
Former Nagios employee
https://www.mcapra.com/
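
Added example (not part of mcapra's post and not Nagios code): a small check that takes the JSON body returned by a search like the one above and reports whether the result page is shorter than the number of matching documents, which is how the 10-entry limit shows up. The sample response, the document ids and the `name` field are constructed for illustration.

```python
import json

# Constructed sample: the shape of an Elasticsearch _search response when
# no size is given. 13 templates match, but only the default 10 come back.
SAMPLE_RESPONSE = json.dumps({
    "took": 3,
    "timed_out": False,
    "hits": {
        "total": 13,
        "hits": [
            {"_index": "nagioslogserver", "_type": "email_template",
             "_id": "tpl-%02d" % i,                    # constructed ids
             "_source": {"name": "Template %d" % i}}   # 'name' field is assumed
            for i in range(1, 11)
        ],
    },
})


def total_hits(hits):
    """Return the total match count across Elasticsearch versions."""
    total = hits.get("total", 0)
    # Newer Elasticsearch releases report {"value": N, "relation": "eq"}.
    if isinstance(total, dict):
        return int(total.get("value", 0))
    return int(total)


def check_truncation(response_text):
    """Return (total, returned, missing); missing > 0 means results were cut off."""
    body = json.loads(response_text)
    if "hits" not in body:
        raise ValueError("not a search response: %s" % body.get("error", "no hits key"))
    hits = body["hits"]
    total = total_hits(hits)
    returned = len(hits.get("hits", []))
    return total, returned, max(total - returned, 0)


def suggested_size(response_text, headroom=10):
    """Size value that would return every match, with a little headroom."""
    total, _, _ = check_truncation(response_text)
    return total + headroom


if __name__ == "__main__":
    total, returned, missing = check_truncation(SAMPLE_RESPONSE)
    print("matched=%d returned=%d missing=%d" % (total, returned, missing))
    print("re-run with size=%d" % suggested_size(SAMPLE_RESPONSE))
```

To use it on a live node, save the curl output to a file and pass its contents to `check_truncation`.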
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: New to Nagios Log Server Questions

Post by mcapra »

I filed a bug report for this issue (ID 9641).

Unfortunately the problem lies in a SourceGuardian encrypted file so I am unable to provide a hot-patch.
Former Nagios employee
https://www.mcapra.com/
uranium194
Posts: 7
Joined: Tue Sep 13, 2016 10:18 am

Re: New to Nagios Log Server Questions

Post by uranium194 »

Thank you for that. Luckily I am managing with using a general template and using %alertname% specific naming to make the generic template usable as a workaround. Will look for that update if one gets made.
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: New to Nagios Log Server Questions

Post by rkennedy »

I suspect it will. I am also rooting for more macros in the messages field as it'll make the message templates much more powerful.

I'll leave this thread open - feel free to post back if you'd like an update on the bug.
Former Nagios Employee