My use case is that I want to match Java exceptions from application log files - it is important to have whole exception in action e-mail. I can cook up a regexp but log/logrt items don't seem to accept regexps :confused:

Is it possible to use multiline/dotall regexp in log/logrt so that the item value has multiple lines?

oh this is an old thread but I think it's time to reopen it.
The last day I worked on the functionality of log monitoring in Zabbix.
And one case is also to monitor logfiles where the interesting part is more than one line.
For example you have in the log a line with "error" and in the next line there is a description to this error. So it would be useful to get the errorline and the following line too.

here is an example:
foo
foofoofoo
foofoofoofoo
error and much more
here is the description
foofoofoo
foofoofoofoo


regular expression:
/^error.*\n.*$/m

Has anybody an idea to solve this? Or it is a thing for the wish list?

i am looking for the same answer.

are there any suggestions?

http://www.zabbix.com/forum/showthread.php?t=21015



Hi!

looks like i am searching for similar solution

i am trying to monitor DB2 log file
and it also writes error message in several lines

to search for the error message in unix i use "grep -p Error"

v7-p7-prod 11:28:34 zabbix:/home/zabbix$ tail -100000 /home/db2inst1/sqllib/db2dump/db2diag.log | grep -p Error
2011-07-30-04.00.21.954691+180 I149135337A181 LEVEL: Error
PID:63242488 TID:49352 NODE:000 Title: SQLP_ALRCB
Dump File:/home/db2inst1/sqllib/db2dump/63242488.49352.000.dump.bin

2011-07-30-04.00.21.955063+180 I149135519A578 LEVEL: Error
PID : 63242488 TID : 49352 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000 DB : RIDDB2
APPHDL : 0-57694 APPID: *LOCAL.db2inst1.110801091918
AUTHID : CDCINST1
EDUID : 49352 EDUNAME: db2agent (RIDDB2) 0
FUNCTION: DB2 UDB, data protection services, sqlp_AsyncLogReadAPI, probe:210
DATA #1 : String, 132 bytes
Error: sqlcode -2657, rc 262144, hflag2LsnReuse 0
action 1, startLSN 000000769C966801, endLSN 00000076D039E44A, logBufferSize 204800

2011-07-30-05.00.34.216699+180 I149146247A181 LEVEL: Error
PID:63242488 TID:44211 NODE:000 Title: SQLP_ALRCB
Dump File:/home/db2inst1/sqllib/db2dump/63242488.44211.000.dump.bin

2011-07-30-05.00.34.216921+180 I149146429A578 LEVEL: Error
PID : 63242488 TID : 44211 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000 DB : RIDDB2
APPHDL : 0-760 APPID: *LOCAL.db2inst1.110801113231
AUTHID : CDCINST1
EDUID : 44211 EDUNAME: db2agent (RIDDB2) 0
FUNCTION: DB2 UDB, data protection services, sqlp_AsyncLogReadAPI, probe:210
DATA #1 : String, 132 bytes
Error: sqlcode -2657, rc 262144, hflag2LsnReuse 0
action 1, startLSN 000000769E4060AB, endLSN 00000076D089C5C7, logBufferSize 204800


but if i am not using "-p" switch for grep i get meaningless information:

v7-p7-prod 11:29:56 zabbix:/home/zabbix$ tail -100000 /home/db2inst1/sqllib/db2dump/db2diag.log | grep Error
2011-07-30-04.00.21.954691+180 I149135337A181 LEVEL: Error
2011-07-30-04.00.21.955063+180 I149135519A578 LEVEL: Error

and if i create zabbix (active) item:
log["/home/db2inst1/sqllib/db2dump/db2diag.log","Error","UTF-8",100]

i also get meaningless information that tells me "something is wrong there"
but is not giving me a clue shat exactly is happening.

how can i add "-P" flag for grep in zabbix (active) item ?

This one is still actual. Anyone?

i still do not have a solution

I've just got one for log4j 1.2.16 or higher to include first line from stack trace, which has exception name and message, all other stack trace will be on new lines, but this is enough for me.

I just have changed org.apache.log4j.PatternLayout to org.apache.log4j.EnhancedPatternLayout, which allows me to include stack trace right after the event message %m before new line %n.

Original log4j pattern:

log4j.appender.R.layout=org.apache.log4j.PatternLa yout
log4j.appender.R.layout.ConversionPattern=%5p [%t] %d{ISO8601} %m%n


Zabbix friendly pattern:

log4j.appender.R.layout=org.apache.log4j.EnhancedP atternLayout
log4j.appender.R.layout.ConversionPattern=%5p [%t] %d{ISO8601} %m %throwable%n

Try this out.

Try using this as your multiline match:

.*([[:space:]].*)+

I use this for web page regex's...