Denis Immoos edited this page May 20, 2016 · 9 revisions

check_graylog_hits

Requirements:

CPAN:

  • Sys::Syslog
  • DateTime
  • LWP::UserAgent
  • HTTP::Request
  • JSON

Usage:

# ./check_graylog_hits.pl -H hostname --minutes 30 --warning 20 --critical 40 --json-file templates/sshd_anomalies.json

You can place other .json files inside the templates/ directory.

-H / --hostname

The hostname whose messages the script looks up. This is not necessarily the Graylog server.

The Graylog server itself is set via $Options{'graylog_ip'} inside the check_graylog_hits.pl script.

--minutes

This parameter defines how many minutes back from now the script searches Graylog for stored messages.

--warning / --critical

The script returns WARNING or CRITICAL when the number of hits reaches the respective threshold.

--json-file

The JSON file is fetched from Graylog.

Graylog

In this example the check searches Graylog for the following query:

sshd AND ( message:failed OR message:disconnecting )
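The threshold logic the options above describe, as an added example in Python rather than the plugin's own Perl: it builds the relative-search parameters for the page's sshd query, reads the hit count from a Graylog search response and maps it onto the Nagios/Icinga states. The endpoint parameters (query, range, limit), the total_results field and the source:hostname filter are assumptions about the Graylog REST API, not taken from the plugin, and the response body is constructed.

```python
import json
from urllib.parse import urlencode

# Nagios/Icinga plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Query from the page's sshd example, kept inline instead of in templates/*.json.
SSHD_QUERY = "sshd AND ( message:failed OR message:disconnecting )"

def build_search_params(hostname, query, minutes):
    """Build the query string for Graylog's relative search endpoint
    (/api/search/universal/relative, assumed). The check host is AND-ed into
    the query (source field assumed) so only that host's messages are counted."""
    return urlencode({
        "query": f"source:{hostname} AND ({query})",
        "range": minutes * 60,   # Graylog expects the window in seconds
        "limit": 0,              # only the count is needed, not the messages
    })

def parse_total_results(body):
    """Extract the hit count from a Graylog search response body (assumed field)."""
    try:
        return int(json.loads(body)["total_results"])
    except (ValueError, KeyError, TypeError):
        return None

def evaluate_hits(hits, warning, critical):
    """Map a hit count onto a plugin state; critical wins over warning.
    An unreadable count is UNKNOWN, never silently OK."""
    if hits is None:
        return UNKNOWN, "UNKNOWN - could not read hit count from Graylog"
    if hits >= critical:
        state, label = CRITICAL, "CRITICAL"
    elif hits >= warning:
        state, label = WARNING, "WARNING"
    else:
        state, label = OK, "OK"
    # Status line plus Nagios perfdata: hits=value;warn;crit
    return state, f"{label} - {hits} hits|hits={hits};{warning};{critical}"

# Constructed sample response; a real one comes from Graylog over HTTP.
SAMPLE_RESPONSE = json.dumps({"total_results": 27, "messages": []})

if __name__ == "__main__":
    print(build_search_params("web01", SSHD_QUERY, 30))
    code, text = evaluate_hits(parse_total_results(SAMPLE_RESPONSE), 20, 40)
    print(text)
    raise SystemExit(code)
```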

Configuration in icinga2

icinga2/conf.d/commands/check_graylog_hits.conf

icinga2/conf.d/services/graylog_sshd_anomalies.conf