How to Monitor Ubuntu 20.04 Logs with Nagios Log Server 2024R2

Ayoub Louragli
Junior Developer

Monitoring logs from Ubuntu 20.04 using Nagios Log Server 2024R2 is essential for tracking system events, errors, and service activity. This guide walks you through setting up Ubuntu as a log source and verifying log flow in the Nagios XI dashboard.

Step 1: Add a New Log Source in Nagios Log Server

  1. Log in to Nagios Log Server.
  2. Click + Add Log Source or navigate to the Add a Log Source section.
  3. Select Linux from the available source types.

Step 2: Run the Auto-Configuration Script on Ubuntu

  1. On the Linux Source Setup page, copy the provided curl command.
  2. SSH into your Ubuntu 20.04 machine as the root user.
  3. Paste and execute the script:
curl -sS -O http://<NagiosLogServerIP>/nagioslogserver/scripts/setup-linux.sh
sudo bash setup-linux.sh -s <NagiosLogServerIP> -p 5544

This sets up rsyslog to forward logs to your Nagios Log Server.

Step 3: Verify Incoming Logs

  • Use the Verify Incoming Logs field by entering the Ubuntu machine’s IP.
  • Or navigate to Dashboards > Nagios Log Server Search and run:
host.ip:<Ubuntu-IP>
  • Test log submission with:
logger "This is a test log entry"
  • Check if the test log appears in Nagios Log Server.

Step 4: Manually Configure rsyslog (Advanced Users)

If you prefer a manual setup:

1. Verify your rsyslog working directory:

ls -d /var/lib/rsyslog || ls -d /var/spool/rsyslog

2. Edit the config file:

sudo nano /etc/rsyslog.d/99-nagioslogserver.conf

Add the following line:

*.* @<NagiosLogServerIP>:5544;RSYSLOG_SyslogProtocol23Format

3. Restart rsyslog:

sudo systemctl restart rsyslog.service

4. Confirm logs are reaching the server:

tail -f /var/log/syslog | grep rsyslog
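
A quick audit of the forwarding rule from Step 4, added here as an example (it is not part of the Nagios setup script or the original guide): it parses a legacy-syntax rsyslog file, reports whether each rule forwards over UDP (a single @) or TCP (@@), and confirms the expected server and port. The function names and the 192.0.2.10 address are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit legacy-syntax rsyslog forwarding rules ("selector @host:port;template").

# Print one line per forwarding rule: <transport> <host> <port> <template>
list_forward_rules() {    # $1 = rsyslog config file
    awk '
        $1 ~ /^#/ || NF < 2 { next }            # skip comments and blank lines
        $2 ~ /^@/ {
            target = $2
            transport = (target ~ /^@@/) ? "tcp" : "udp"   # @ = UDP, @@ = TCP
            sub(/^@+/, "", target)
            template = "-"
            semi = index(target, ";")
            if (semi > 0) {
                template = substr(target, semi + 1)
                target = substr(target, 1, semi - 1)
            }
            port = "514"                         # rsyslog default when no port is given
            if (match(target, /:[0-9]+$/)) {
                port = substr(target, RSTART + 1)
                target = substr(target, 1, RSTART - 1)
            }
            print transport, target, port, template
        }
    ' "$1"
}

# Exit 0 if some rule forwards to host:port, 1 otherwise; warn when it is UDP.
check_forwarding() {      # $1 = config file, $2 = expected host, $3 = expected port
    transport=$(list_forward_rules "$1" |
        awk -v h="$2" -v p="$3" '$2 == h && $3 == p { print $1; exit }')
    case "$transport" in
        tcp) echo "OK: forwarding to $2:$3 over TCP" ;;
        udp) echo "WARN: forwarding to $2:$3 over UDP (no delivery guarantee)" ;;
        *)   echo "FAIL: no rule forwards to $2:$3"; return 1 ;;
    esac
}

# Constructed sample; 192.0.2.10 stands in for <NagiosLogServerIP>.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/rsyslog.d/99-nagioslogserver.conf (constructed copy)
*.* @192.0.2.10:5544;RSYSLOG_SyslogProtocol23Format
EOF
list_forward_rules "$sample"
check_forwarding "$sample" 192.0.2.10 5544
rm -f "$sample"
```

On a real host, point check_forwarding at /etc/rsyslog.d/99-nagioslogserver.conf with your server's address and port 5544. It covers only the plain legacy form shown in Step 4 and does not check TLS settings.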

Step 5: Integrate Log Server with Nagios XI (Optional Alerting)

  • Configure Nagios XI to receive alerts for specific log patterns from Nagios Log Server.
  • Set up alert queries within Nagios Log Server to trigger notifications in XI.
  • Use Event Handlers or the Nagios XI API for automated responses based on log events.

Troubleshooting Tips

  • Ensure the Ubuntu system allows outbound traffic to Nagios Log Server on port 5544.
  • Check /var/log/syslog for local log activity.
  • Review /var/log/rsyslog.log for configuration errors.
  • Run the following to confirm rsyslog is active:
sudo systemctl status rsyslog
  • Use tcpdump to check if logs are sent to Nagios Log Server:
sudo tcpdump -i any port 5544

Final Notes

  • Logs are forwarded over port 5544 by default.
  • Use secure log transmission if required by enabling TLS in rsyslog.
  • Regularly review log retention and indexing settings in Nagios Log Server.
