
Nagios Log Server - Sending Multiline Log Files Using Syslog

Overview

This KB article explains how to configure syslog to send multi-line logs to Nagios Log Server (NLS).

What is a multi-line log? This is when the data that encompasses the entire event is spread across multiple lines in the log file. For example:

2017.02.13 14:42:07:198 EST | Audit | write2216 | express_admin | System | UserDeleteRequest

<?xml version="1.0" encoding="UTF-8"?>
<BroadsoftDocument protocol="OCI" xmlns="C">
  <userId xmlns="">express_admin</userId>
  <command xsi:type="UserDeleteRequest" xmlns="" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <userId>2136658700</userId>
  </command>
</BroadsoftDocument>

Normally when you configure syslog to send a custom log file to NLS it is sent on a line-by-line basis. This can make it complicated to review the logs on NLS as it will be displayed as multiple events.

In the example above, you can see the first line starts with the date time format yyyy.mm.dd hh:mm:ss:ms. Every entry recorded in this log file will always have its first line formatted this way. Syslog can be configured to identify this string and then send the entire entry to NLS as a multi-line log.

NLS will also have an extra configuration input added to handle the incoming multi-line data.

This KB article will walk you through the steps to implement this.

Scenario Details

To properly demonstrate how this works, the following KB article will use the log file /var/log/AuditLog.log to send to NLS.

To simulate a multiple line log entry being added to the log, a second file will be created called /var/log/test.log with the following contents:

2017.02.13 14:42:07:198 EST | Audit | write2216 | express_admin | System | UserDeleteRequest

<?xml version="1.0" encoding="UTF-8"?>
<BroadsoftDocument protocol="OCI" xmlns="C">
  <userId xmlns="">express_admin</userId>
  <command xsi:type="UserDeleteRequest" xmlns="" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <userId>2136658700</userId>
  </command>
</BroadsoftDocument>

The following command in a terminal session will append the data to the /var/log/AuditLog.log:

more /var/log/test.log >> /var/log/AuditLog.log

Using those steps you will be able to follow this KB article and confirm the functionality works. Every time the command above is executed, a multi-line entry is added to the /var/log/AuditLog.log log file. Even though the date in the entry is not the current date, this does not matter; it's simply an example.

Configure Nagios Log Server

The first step is to configure the NLS input to identify multi-line logs.

Log into your NLS web interface and navigate to Administration > Global Configuration.

Under Inputs use the + Add Input drop down list and click Custom. This will add a new block underneath.

Give it a name such as Syslog Multiline.

In the text area add the following:

tcp {
    codec => multiline {
        pattern => '^[0-9]{4}.[0-9]{2}.[0-9]{2}'
        negate => true
        what => previous
    }
    port => 6677
    type => 'syslog_multiline'
}

Click the Save button.

Then click the Verify button above to ensure this is a valid configuration.

Once the verification process is OK, in the left pane under Configuration Editor click Apply Configuration.

Click the Apply button.

Click Yes, Apply Now

Once this process has finished you can continue onto the next section. You'll return back to NLS once syslog has been configured.

The input that was just added is listening on port 6677, this will be used in the steps below when configuring syslog.

What does all of that mean?

The line codec => multiline { tells Logstash to use the multiline codec filter.

The pattern tells Logstash that the following string format is the first line of a log entry:

pattern => '^[0-9]{4}.[0-9]{2}.[0-9]{2}'
  • This is a regular expression (regex)

  • The ^ means that the line begins with this pattern

  • [0-9]{4} indicates that there are four digits in the range 0 to 9 (the year)

  • The . period matches a single character, without caring what that character is. This represents the character that separates the year and the month; it's just coincidental that this character is actually a . period.

  • [0-9]{2} indicates that there are two digits in the range 0 to 9 (the month)

  • The . period matches a single character.

  • [0-9]{2} indicates that there are two digits in the range 0 to 9 (the day)

Basically it's saying this is the format of the string which needs to be matched:

dddd.dd.dd

Remember the example we have:

2017.02.13 14:42:07:198 EST | Audit | write2216 | express_admin | System | UserDeleteRequest

The negate line:

negate => true

true means that a received message not matching the pattern will constitute a match of the multiline filter and the what will be applied.

The what line:

what => previous

previous says that any line not starting with the pattern should be merged with the previous line.

The type line:

type => 'syslog_multiline'

is the type this received entry is indexed with; it will help with searches later.
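To make the codec settings concrete, here is an added example (not code from Nagios or Logstash) that models what the multiline codec does with the stream of single-line messages rsyslog forwards: each line is tested against the page's pattern, and negate / what decide whether it starts a new event or is merged into the one in progress. The sample lines are constructed from the page's own entry, appended twice as the test step does. The function group_multiline and the helper render_event are assumptions of this example; it also shows the failure case where NLS starts reading in the middle of an entry, so the XML lines arrive before any header line.

```python
import re

# Constructed sample: the page's example entry, exactly as rsyslog's imfile
# would forward it over TCP, one message per line (including the blank line).
ENTRY = [
    "2017.02.13 14:42:07:198 EST | Audit | write2216 | express_admin | System | UserDeleteRequest",
    "",
    '<?xml version="1.0" encoding="UTF-8"?>',
    '<BroadsoftDocument protocol="OCI" xmlns="C">',
    '  <userId xmlns="">express_admin</userId>',
    '  <command xsi:type="UserDeleteRequest" xmlns="" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">',
    "    <userId>2136658700</userId>",
    "  </command>",
    "</BroadsoftDocument>",
]
SAMPLE_LINES = ENTRY + ENTRY  # two entries, as after running the append command twice

# The same pattern the page configures in the Logstash input.
HEADER_PATTERN = r"^[0-9]{4}.[0-9]{2}.[0-9]{2}"


def group_multiline(lines, pattern=HEADER_PATTERN, negate=True, what="previous"):
    """Group single-line messages into events the way the multiline codec does
    (simplified model of the codec's semantics; no timeout or flush handling).

    pattern: regex tested against every incoming line
    negate:  True means lines that do NOT match are the ones to be merged
    what:    "previous" merges a line into the event being assembled,
             "next" merges it into the event that follows it
    Returns a list of events, each a list of its original lines.
    """
    if what not in ("previous", "next"):
        raise ValueError("what must be 'previous' or 'next'")
    regex = re.compile(pattern)
    events = []
    pending = []  # lines of the event currently being assembled

    for line in lines:
        matched = bool(regex.search(line))
        merge = matched != negate  # negate flips which lines count as continuations
        if what == "previous":
            if merge and pending:
                pending.append(line)        # continuation: attach to event in progress
            else:
                if pending:
                    events.append(pending)  # a new event starts: flush the old one
                pending = [line]
        else:  # what == "next"
            pending.append(line)
            if not merge:
                events.append(pending)      # this line closes the event
                pending = []
    if pending:
        events.append(pending)
    return events


def render_event(event):
    """Join an event's lines into the single message NLS would index."""
    return "\n".join(event)


if __name__ == "__main__":
    for ev in group_multiline(SAMPLE_LINES):
        print("--- event (%d lines) ---" % len(ev))
        print(render_event(ev))
    # Failure mode: the stream begins with continuation lines and no header.
    # With what => previous those lines become an event of their own.
    orphan = group_multiline(SAMPLE_LINES[2:])
    print("events when the first header is missing:", len(orphan))
```

With the page's settings (negate => true, what => previous) the 18 forwarded lines collapse into two events, each beginning with the dated header line. Flipping negate to false with the same pattern breaks the grouping into many one-line events, which is what you would see on the dashboard if the settings were mistyped.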


Configure syslog

Establish a terminal session to the Linux server that has the log file in question.

Syslog is going to be configured to watch the /var/log/AuditLog.log log file and send it to NLS. This example will use the NLS with the address 10.25.5.99, listening on port 6677 (the port of the input configured above).

In your terminal session execute these commands:

cd /tmp
curl -s -O http://10.25.5.99/nagioslogserver/scripts/setup-linux.sh
sudo bash setup-linux.sh -s 10.25.5.99 -p 6677 -f "/var/log/AuditLog.log" -t syslog_multiline

This will create a syslog configuration file called /etc/rsyslog.d/90-nagioslogserver_var_log_AuditLog.log.conf.

A change needs to be made to this configuration file, edit the file in the vi editor using the following command:

vi /etc/rsyslog.d/90-nagioslogserver_var_log_AuditLog.log.conf

When using the vi editor, to make changes press i on the keyboard first to enter insert mode. Press Esc to exit insert mode.

Make the following two changes: add the $template line, and append ;clean to the forwarding line:

$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/lib/rsyslog

# Input for syslog_multiline
$InputFileName /var/log/AuditLog.log
$InputFileTag syslog_multiline:
$InputFileStateFile nls-state-var_log_AuditLog.log # Must be unique for each file being polled
# Uncomment the following line to override the default severity for messages
# from this file.
#$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor
$template clean,"%rawmsg%"

# Forward to Nagios Log Server and then discard, otherwise these messages
# will end up in the syslog file (/var/log/messages) unless there are other
# overriding rules.
if $programname == 'syslog_multiline' then @@10.25.5.99:6677;clean
if $programname == 'syslog_multiline' then ~

You can see that the line $template clean,"%rawmsg%" was added and ;clean was added to the end of the second last line.

This changes the rsyslog configuration to apply the clean template to the forwarded messages, which sends just the raw message using rsyslog's %rawmsg% property.

When you have finished, save the changes in vi by typing:

:wq

and press Enter.

Finally you need to restart the rsyslog service with the following command:

service rsyslog restart

Test

Now you can test that it is working by executing the following command on your Linux machine:

more /var/log/test.log >> /var/log/AuditLog.log

Now open the NLS web interface and navigate to Dashboards.

You should now see the entry from /var/log/test.log displayed as a single event with the type syslog_multiline.

Summary

This KB article showed you how to use syslog to send multi-line log files to Nagios Log Server. Armed with this information you should be able to apply this to your situation.

Final Thoughts

For any support related questions please visit the Nagios Support Forums at:

http://support.nagios.com/forum/

Nagios Enterprises, LLC

© All rights reserved. 2026