Log pandora fms

1.1 Introduction

Up to now, Pandora FMS did not provide a solution to this problem, but with version 5.0, Pandora FMS Enterprise offers a solution to manage hundreds of megabytes of daily data. This solution allows you to reuse the same monitoring agents for specific log data collection, using a syntax very similar to the current one for log monitoring.

Log monitoring in Pandora FMS is approached in two different ways:

1. Based on modules: it represents logs in Pandora as asynchronous monitors, being able to associate alerts to the detected inputs that fulfill a series of preconfigured conditions by the user. The modular representation of the logs allows you to:
   1. Create modules that count the occurrences of a regular expression in a log.
   2. Obtain the lines and context of log messages
2. Based on combined display: it allows the user to view in a single console all the information from logs of multiple origins that you may want to capture, organizing the information sequentially using the timestamp in which the logs were processed.

From version 7.0NG 712, Pandora FMS incorporates LogStash + ElasticSearch to store log information, which implies a significative improvement in performance.

1.2 How it works

The process is simple:

• The logs analyzed by the agents (eventlog or text files) are forwarded to Pandora Server, literally (RAW) within the XML reporting agent:
• Pandora server (DataServer) receives the XML agent, which contains information about both monitoring and logs.
• When DataServer processes XML data, it identifies log information, keeping in the primary database the references about the agent that was reported and the source of the log, automatically sending information to LogStash in order to be stored.
• LogStash stores the information in Elasticsearch.
• Finally, the log information can be checked through viewfinder in Pandora FMS console. The console will perform queries against the configured Elasticsearch server.

1.3 Configuration

1.3.1 Server Configuration

The new storage log system, which is based on ElasticSearch + LogStash requires configuring several components.

1.3.1.1 Server Requirements

Each component (Pandora FMS Server, Elasticsearch, LogStash) can be distributed on separate servers.

If you choose to place Elasticsearch and LogStash on the same server these are recommended:

• At least 4GB of RAM
• At least 2 CPU cores
• At least 20GB of disk space for the system
• At least 50GB of disk space for the mount point/var, mounted as LVM
• Connectivity with the 10516/TCP port from Pandora FMS server to LogStash and 9200/TCP from the Pandora FMS console to Elasticsearch

If you have a machine that hosts a historical database, the same one could be used to install Elasticsearch and LogStash. In that case, the minimum requirements of the machine should be adjusted to the amount of data that will be processed in both cases, the minimum being:

• At least 4GB of RAM
• At least 4 CPU cores
• At least 20GB of disk space for the system
• At least 50GB of disk space for the mount point/var, mounted as LVM

1.3.1.2 Installing and configuring ElasticSearch

Before you begin installing these components, install Java on the machine:

yum install java

Once installed, install Elasticsearch from the downloadable RPM from the Elasticsearch project website: https://www.elastic.co/downloads/elasticsearch

Once the package is downloaded, install it executing:

rpm -i elasticsearch-X.X.X-x86_64.rpm

Configure the service:

Configure network options and ‘’optionally’’ data locations (and logs from Elasticsearch itself) in the configuration file located at /etc/elasticsearch/elasticsearch.yml

# ---------------------------------- Network -----------------------------------
# Set the bind address to a specific IP (IPv4 or IPv6):
network.host: 0.0.0.0
# Set a custom port for HTTP:
http.port: 9200
# ----------------------------------- Paths ------------------------------------
# Path to directory where to store the data (separate multiple locations by a comma):
path.data: /var/lib/elastic
# Path to log files:
path.logs: /var/log/elastic

Enter the server's IP in the network.host parameter.

The options of the resources allocated to ElasticSearch must be adapted, adjusting the parameters available in the configuration file located at /etc/elasticsearch/jvm.options

# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms512m
-Xmx512m

Start the service:

systemctl start elasticsearch

Note: If the service fails to start, check the logs located at /var/log/elasticsearch/

Note 2: If you try to install it on Centos 6 against our recommendation, there is a problem with the latest versions of ElasticSearch (5. X) since they require an extra kernel-level feature that CentOS 6 does not offer. You can add the following lines to the yml configuration file to disable the use of bootstrap and avoid errors.

bootstrap.system_call_filter: false
transport.host: localhost

1.3.1.3 Installing and configuring LogStash

Install LogStash from the downloadable RPM from the Elasticsearch project website: https://www.elastic.co/downloads/logstash

Once the package is downloaded, install it executing:

rpm -i logstash-X.X.X.rpm

Configure the service

Within logstash configuration, there are three configuration blocks:

• Input: Indicates how you get the information to logstash, format, port, and an identifier that is used to store information internally in elastic.
• Filter: You can add a post-processing here, but in this case it is not necessary, so it will be left empty.
• Output: Here comes the IP configuration and port where Elasticsearch will be listening. This is the place where the information processed by logstash will be saved.

Configuration file:

/etc/logstash/conf.d/logstash.conf

Example of a configuration file:

# This input block will listen on port 10514 for logs to come in.
# host should be an IP on the Logstash server.
# codec => "json" indicates that the lines received are expected to be in JSON format
# type => "rsyslog" is an optional identifier to help identify messaging streams in the pipeline.
input {
 tcp {
    host  => "0.0.0.0"
    port  => 10516
    codec => "json"
    type  => "pandora_remote_log_entry"
 }
}
# This is an empty filter block. You may later add other filters here to further process
# your log lines
filter { }
output {
  elasticsearch { hosts => ["0.0.0.0:9200"] }
}

Enter the server IP in the "host" parameter, instead of “0.0.0.0”.

The situation is very similar in the case of the "logstash-sample.conf" file, where the server's IP must be entered in the "localhost" parameter.

Start the service:

systemctl start logstash

Note: If you try to install LogStash in Centos 6 despite our recommendation, you can start it with the following command:

initctl start logstash

1.3.1.4 Configuration parameters in Pandora FMS Server

You will need to add the following configuration to Pandora FMS Server configuration file (/etc/pandora/pandora_server.conf) so that Pandora FMS DataServer processes the log information.

Important: Any log that reaches pandora without having this configuration active, will be discarded.

logstash_host eli.artica.lan
logstash_port 10516

1.3.1.5 Pandora FMS SyslogServer

From the 717 version of Pandora FMS 7.0NG, a new component appeared: SyslogServer.

This component allows Pandora to analyze the Syslog of the machine where it is located, analyzing its content and storing the references in the ElasticSearch server.

The main advantage of SyslogServer lies in complementing log unification. Based on the exportation characteristics of SYSLOG from Linux and Unix environments, SyslogServer allows to consult logs regardless of their origin, searching in a single common point (Pandora FMS console log viewer).

To enable this feature, enable it in the configuration, adding the following content to pandora_server. conf:

# Enable (1) or disable (0) the Pandora FMS Syslog Server (PANDORA FMS ENTERPRISE ONLY).
syslogserver 1
# Full path to syslog's output file (PANDORA FMS ENTERPRISE ONLY).
syslog_file /var/log/messages
# Number of threads for the Syslog Server (PANDORA FMS ENTERPRISE ONLY).
syslog_threads 2
# Maximum number of lines queued by the Syslog Server's producer on each run (PANDORA FMS ENTERPRISE ONLY).
syslog_max 65535

A LogStash/ElasticSearch server must be enabled and configured. Review the preceding points to learn how to configure it.

syslogserver Boolean, enables (1) or disables (0) the local SYSLOG analysis engine.

syslog_file Location of the file where the SYSLOG entries are delivered.

syslog_threads Maximum number of threads to be used in the SyslogServer producer/consumer system.

syslog_max It is the maximum processing window for SyslogServer, it will be the maximum number of SYSLOG entries that will be processed in each iteration.

It is necessary to modify the configuration of your device so that logs are sent to Pandora FMS server.

1.3.1.6 Recommendations

1.3.1.6.1 Log rotation for Elasticsearch and Logstash

Important: It is recommended to create a new entry for daemon rotation logs in en /etc/logrotate.d, to prevent Elasticsearch or LogStash logs from endlessly growing:

cat > /etc/logrotate.d/elastic <<EOF
/var/log/elastic/elaticsearch.log
/var/log/logstash/logstash-plain.log {
       weekly
       missingok
       size 300000
       rotate 3
       maxage 90
       compress
       notifempty
       copytruncate
}
EOF

1.3.1.6.2 Index Purging

You can check at any time the list of indexes and their size by launching a cURL petition against its ElasticSearch server:

curl -q http://elastic:9200/_cat/indices?

Where "elastic" is the server's IP.

To remove any of these indexes, execute the DELETE command:

curl -q -XDELETE http://elastic:9200/logstash-2017.09.06

Where "elastic" is the server's IP, and "logstash-2017.09.06" is the output file of the previous command.

This will free up the space used by the removed index.

1.3.2 Console Settings

To enable the log system display, enable the following configuration:

Then set the log viewer performance in the 'Log Collector' tab:

On this screen configure:

• IP or FQDN address of the server that hosts the Elasticsearch service

• Port through which the service is being given to Elasticsearch

• Number of logs being shown. To speed up the response of the console, record dynamic loading has been added. To use this, the user must scroll to the bottom of the page, forcing the loading of the next set of available records. The size of these groups can be set in this field as the number of records per group.

• Days to purge: To prevent the size of the system, you can define a maximum number of days in which the log information will be stored, from that date they will be automatically deleted in Pandora FMS cleaning process.

1.4 Migration to LogStash + Elasticsearch system

After setting the new log storage system, migrate all data previously stored in Pandora FMS to the new system, in a distributed way among the directories.

To migrate it to the new system, run the following script that can found in /usr/share/pandora_server/util/

# Migrate Log Data < 7.0NG 712 to >= 7.0NG 712
/usr/share/pandora_server/util/pandora_migrate_logs.pl /etc/pandora/pandora_server.conf

1.5 Display and Search

In a log collection tool, two things are the main concerns: looking for information, filtering by date, data sources and/or keywords, and seeing that information drawn in occurrences by time unit. In this example, all log messages from all sources in the last hour are looked for:

View of occurrences over time

There is a series of filters that can be used to display information:

• Filter by search type: it searches by exact match, all words or any word.
• Filter by message content: it searches the desired text in the content of the message.
• Filter by log source (source id)
• Agent Filter: it narrows down the search results to those generated by the selected agent.
• Filter per group: it limits the selection of agents in the agent filter
• Filter by date

The most important and useful field will be the search string (search on the screenshot). This can be a simple text string, as in the previous case or a wildcard, in the following example, an IP address:

192.168*

Note: Searches should be done using complete words or beginning sub-strings of the search words. For example

192.168.80.14
192.168*
Warning in somelongtext
Warning in some*

One of the three types of search must be selected:

• Exact match: Literal string search.

• All words: Search of all the indicated words, regardless of the order, taking into account that each word is separated by spaces.

• Any word: Search of any indicated word, regardless of the order, taking into account that each word is separated by spaces.

If the option to see the context of the filtered content is checked, the result will be an overview of the situation:

1.5.1 Display and advanced search

Log data display advanced options are available from Pandora FSM 7.0NG OUM727.

With this feature, log entries can be turned into a graphic, sorting out the information according to data capture templates.

These data capture templates are basically regular expressions and identifiers, that allow analyzing data sources and showing them as a graphic.

To access advanced options, press Advanced options. A form, where the result view type can be chosen, will appear:

- Show log entries (plain text). - Show log graphic.

Under the show log graphic option, the capture template can be selected.

The Apache log model template by default offers the possibility of parsing Apache logs in standard format (access_log), enabling retrieving time response comparative graphics, sorting by visited site and response code:

By pressing the edit button, the selected capture template is edited. With the create button, a new capture template is added.

In the form, the following can be chosen:

Title

capture template name.

A data capture regular expression

each field to be retrieved is identified with a subexpression between brackets (expression to be captured).

Field

the order in which they have been captured through the regular expression. The results will be sorted by key field concatenation, those whose name is not written between underscores:

key, _value_

key,key2,_value_

key1,_value_,key2

Comments: If the value field is not specified, it will be the number of regular expression matches automatically.

Comments 2: If a value column is specified, you may choose either representing the accumulated value (performance by default) or checking the checkbox to represent the average.

Example

If log entries must be retrieved with the following format:

Sep 19 12:05:01 nova systemd: Starting Session 6132 of user root.
Sep 19 12:05:01 nova systemd: Starting Session 6131 of user root.

To count the number of loins by user, use:

Regular expression

Starting Session \d+ of user (.*?)\.

Fields:

username

This capture template will return the number of logins by user during the selected time range.

1.6 Configuring agents

The log collection is done by agents, both Windows and Unix agents (Linux, MacOsX, Solaris, HP-UX, AIX, BSD, etc). In the case of Windows agents, you can also obtain information from the Windows Event Viewer, using the same filters as in the monitoring module event viewer.

Here are two examples to capture log information on windows and Unix:

1.6.1 Windows

module_begin
module_name Eventlog_System
module_type log
module_logevent
module_source System
module_end 

module_begin
module_name PandoraAgent_log
module_type log
module_regexp C:\archivos de programa\pandora_agent\pandora_agent.log
module_description This module will return all lines from the specified logfile
module_pattern .*
module_end

In both cases, the only difference from monitoring module to the definition of a log source is:

module_type log 

This new syntax only understands the agent version 5.0, so update the agents if you want to use this new enterprise feature.

1.6.2 Unix Systems

In Unix, a new plugin that comes with agent version 5.0 is used. Its syntax is simple:

module_plugin grep_log_module /var/log/messages Syslog \.\*

Similar to the parsing logs plugin (grep_log), grep_log_module plugin sends the processed log information to the log collector named "Syslog" as the source of the log. Use the \.\* regular expression (In this case "all") as the pattern when choosing which lines will be sent and which ones will not.

Go back to Pandora FMS documentation index