Pipe NSCA logs to a separate file

Nagios Service Check Acceptor (NSCA) is a tool that allows you to send passive service and host checks from remote systems into a central Nagios instance. You can find the plugin here and read about passive checks here.

The only issue is that, by default (at least for the packages on CentOS 5), it dumps output into /var/log/messages, resulting in many, many lines like this:

Aug 05 19:93:55 testing01 nagios: EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;dev;apache2;0;OK
Aug 05 19:95:50 testing01 nagios: EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;dev;load;0;OK

Every check it receives gets printed out into syslog. This obviously isn’t ideal if you’re trying to review the file and all it’s full of is check results instead of the data you’re expecting.

There is a fix for this, as outlined in this blog post; however, it involves manually patching NSCA, which isn’t exactly ideal.

A simpler fix is to add an rsyslog filter that matches all lines coming in from NSCA. The 4 lines below need to be placed into a file like /etc/rsyslog.d/50-nagios-nsca.conf so they can be picked up by rsyslog. This config redirects the NSCA logs into /var/log/nagios/nsca.log instead of /var/log/messages.

:programname, isequal, "nsca" /var/log/nagios/nsca.log
:programname, isequal, "nsca" ~

The first line writes the matching messages to /var/log/nagios/nsca.log, and the second line takes them out of the “queue” for processing, so they never reach the standard rsyslog path.
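The routing these two rules perform, modelled in Python as an added example (not part of the original post and not rsyslog's own code). It assumes the traditional syslog line format and a simplified programname extraction; every sample line except the first is constructed, and the nsca-wrapper program name is hypothetical.

```python
import re

# Traditional syslog line: "Mon DD HH:MM:SS host tag[pid]: message".
# Simplified model of rsyslog's programname property: the part of the tag
# before the first ':', '[' or whitespace (real rsyslog has more edge cases).
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ ([^:\[\s]+)(?:\[\d+\])?: ?")

NSCA_LOG = "/var/log/nagios/nsca.log"
MESSAGES = "/var/log/messages"   # stands in for the default catch-all rule


def programname(line):
    """Return the program name of a syslog line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.group(1) if m else None


def route(line):
    """Model the two rules in order and return the file the line ends up in.

    Rule 1 writes lines whose programname is exactly "nsca" to NSCA_LOG.
    Rule 2 ("~", spelled "stop" on rsyslog 7 and later) discards them, so
    the catch-all rule never sees them. Every other line falls through.
    """
    return NSCA_LOG if programname(line) == "nsca" else MESSAGES


def split(lines):
    """Group lines by destination file."""
    out = {NSCA_LOG: [], MESSAGES: []}
    for line in lines:
        out[route(line)].append(line)
    return out


SAMPLES = [
    # First entry is a sample line from the page; the rest are constructed.
    "Aug 05 19:93:55 testing01 nagios: EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;dev;apache2;0;OK",
    "Aug 05 19:95:51 testing01 nsca[2211]: constructed message from the NSCA daemon",
    "Aug 05 19:95:52 testing01 nsca-wrapper[2212]: constructed, hypothetical program name",
    "Aug 05 19:95:53 testing01 sshd[991]: constructed unrelated message",
]

if __name__ == "__main__":
    for path, lines in split(SAMPLES).items():
        print(path)
        for line in lines:
            print("   ", programname(line), "|", line)
```

Because isequal compares the whole program name, only lines tagged exactly nsca are redirected in this model; the sample line tagged nagios and the nsca-wrapper line both stay in /var/log/messages.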

Let me know how it goes for you!