From 263b18a545885d0a42b444da84e742e2ca534892 Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Fri, 10 May 2019 13:38:53 +0200
Subject: [PATCH] start rules for notification logs

helps with #15
---
 filter-50-notification.conf | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 filter-50-notification.conf

diff --git a/filter-50-notification.conf b/filter-50-notification.conf
new file mode 100644
index 0000000..c9e709d
--- /dev/null
+++ b/filter-50-notification.conf
@@ -0,0 +1,26 @@
+filter {
+ if [icinga][facility] == "Notification" {
+ if [message] =~ /^Sending / {
+ grok {
+ match => ["message","Sending '%{WORD:[icinga][notificationtype]}' notification '%{DATA:[icinga][notification]}' for user '%{DATA:[icinga][username]}'"]
+ id => "icinga_sendingnotification"
+ add_tag => "icinga_sendingnotification"
+ tag_on_failure => ["_grokparsefailure","icinga_sendingnotification_failed"]
+ add_field => {
+ "[icinga][eventtype]" => "sendingnotification"
+ }
+ }
+ } else if [message] =~ /^Completed sending / {
+ grok {
+ match => ["message","Completed sending '%{WORD:[icinga][notificationtype]}' notification '%{DATA:[icinga][notification]}' for checkable '%{DATA:[icinga][object]}' and user '%{DATA:[icinga][username]}'."]
+ id => "icinga_completedsendingnotification"
+ add_tag => "icinga_completedsendingnotification"
+ tag_on_failure => ["_grokparsefailure","icinga_completedsendingnotification_failed"]
+ add_field => {
+ "[icinga][eventtype]" => "completedsendingnotification"
+ }
+ }
+ }
+ }
+}
+
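Review bot: Both grok patterns in the new file are unanchored, so the first one's trailing `'%{DATA:[icinga][username]}'` stops at the first `'` it can reach: if a user name ever contains an apostrophe it is silently truncated into `[icinga][username]` instead of failing the match, and grok additionally re-scans each message from every offset even though the `=~ /^Sending /` and `=~ /^Completed sending /` guards have already fixed the prefix. Anchoring both patterns with `^` and `$` removes both issues and is the form the Logstash grok docs recommend, e.g. `match => ["message","^Sending '%{WORD:[icinga][notificationtype]}' notification '%{DATA:[icinga][notification]}' for user '%{DATA:[icinga][username]}'$"]`, with the same `^…$` pair on the Completed pattern (its literal `'.` terminator already bounds the last capture there, so that change is mainly the scan-cost one). A smaller style point: `add_tag` is given as a bare string while the sibling `tag_on_failure` uses an array; `add_tag => ["icinga_sendingnotification"]` keeps the two options consistent.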