Linux Log Monitoring + action issue :

  • Bertrand39100
    Junior Member
    • Feb 2010
    • 27

    #1

    Linux Log Monitoring + action issue :

    All,

    I managed to have linux log monitoring working successfully.

    The problem I have is that I don't manage to get a mail for each pattern text that zabbix_agentd has successfully found:

    Log Monitoring parameter :

    Item : log["/test21_logmon/tcsd.conf","Option","UTF-8",100] // Item parameter : Interval : 60 / History : 7 / Trends : 0
    Trigger : {adm1.xxx.xxx:log["/test21_logmon/tcsd.conf","Option","UTF-8",100].str(Option)}=1
    Trigger : "Normal" not "Normal + multiple TRUE events"
    Action : Host = "adm1.xxx.xxx" and Trigger severity = "Warning" | Trigger severity = "Average" | Trigger severity = "High"

    Enable Escalations : selected
    Period (seconds) : 120
    Recovery message : no recovery

    Action operations :
    Steps : 1 - 0 Send message to group "xxx"
    Period (sec) : default
    Delay : Immediately

    Subject : {HOSTNAME} = {STATUS} : {TRIGGER.NAME} = [{ITEM.LASTVALUE}]
    Message : XXX

    Conditions : No conditions defined.


    Zabbix GUI result :

    [2011.Jan.12 10:19:27] - - Not classified - # Option: all_platform_classes
    [2011.Jan.12 10:19:27] - - Not classified - # Option: host_platform_class
    [2011.Jan.12 10:19:27] - - Not classified - # Option: enforce_exclusive_transport
    [2011.Jan.12 10:19:27] - - Not classified - # Option: remote_ops
    [2011.Jan.12 10:19:27] - - Not classified - # Option: endorsement_cred
    [2011.Jan.12 10:19:27] - - Not classified - # Option: conformance_cred
    [2011.Jan.12 10:19:27] - - Not classified - # Option: platform_cred
    [2011.Jan.12 10:19:27] - - Not classified - # Option: kernel_pcrs
    [2011.Jan.12 10:19:27] - - Not classified - # Option: firmware_pcrs
    [2011.Jan.12 10:19:27] - - Not classified - # Option: kernel_log_file
    [2011.Jan.12 10:19:27] - - Not classified - # Option: firmware_log_file
    [2011.Jan.12 10:19:27] - - Not classified - # Option: system_ps_file
    [2011.Jan.12 10:19:27] - - Not classified - # Option: num_threads
    [2011.Jan.12 10:19:26] - - Not classified - # Option: port

    Mail sent :

    Only two or one mails have been sent

    In all the tests I do, I always get only one mail (only the first pattern found) or two mails (the first and the latest pattern found).

    I want to have one mail per pattern found; in the example above, 14 mails.

    When I use "Normal + multiple TRUE Events" in the trigger properties,
    I receive 14 mails, but 14 identical mails with the last pattern found;
    not 14 different mails with one mail per pattern found in the log file.

    Does my problem come from a mistake in the "Actions"?
    Do I need to use escalations?

    Any idea is welcome

    Thanks for your help.

    Bertrand.
  • dima_dm
    Senior Member
    • Dec 2009
    • 2697

    #2
    In the macro {ITEM.LASTVALUE} there will be only the last value.
    You can use zabbix_agent and UserParameter.
    Example:
    /etc/zabbix/zabbix_agentd.conf

    Timeout=30
    UserParameter=sendmail.stat,/etc/zabbix/zabbix_sendmail_stat.pl

    The script will collect data from the log files and will write it to stdout as a single line.
    The script should store its position in the logfile in a tmp file (which data are already processed).
    Or you can use a more complex scheme.
    Example
    Last edited by dima_dm; 13-01-2011, 11:49.


    • Bertrand39100
      Junior Member
      • Feb 2010
      • 27

      #3
      Hello all,

      First, Thanks for your answer.

      I think there is a misunderstanding of my problem.

      To summarize the problem: log file monitoring is working correctly;
      all pattern texts are successfully found and available in the Zabbix server GUI.
      In the example above I would be notified by mail each time the string "Option" is inside the log file.
      zabbix agentd successfully retrieved 14 pattern texts, but I don't manage to be notified by mail.

      I should have received 14 mails ; one mail per pattern text found in the log file
      First mail
      First Mail Object : "adm1.xxx.xxx = PROBLEM : LOG File Monitoring : TCSD = OPTION = [# Option: port]
      Second Mail Object : "adm1.xxx.xxx = PROBLEM : LOG File Monitoring : TCSD = OPTION = [# Option: num_threads]
      Third Mail Object : "adm1.xxx.xxx = PROBLEM : LOG File Monitoring : TCSD = OPTION = [# Option: system_ps_file]
      ...
      Last Mail Object : "adm1.xxx.xxx = PROBLEM : LOG File Monitoring : TCSD = OPTION = [# Option: all_platform_classes]

      In all the tests I do, I never received more than 2 mails.
      I received only one mail, or two mails: the first and the last pattern text found.

      2 / Mail Object : "adm1.xxx.xxx = PROBLEM : LOG File Monitoring : TCSD = OPTION = [# Option: all_platform_classes]
      1 / Mail Object : "adm1.xxx.xxx = PROBLEM : LOG File Monitoring : TCSD = OPTION = [# Option: port]

      In my opinion my problem is in the action parameters, but I'm not sure,
      because when I check "500 latest values" all pattern texts are successfully triggered and found by agentd;
      14 lines with the string "Option" are found in the GUI, but I only received one or two mails for the 14 lines found.

      Many Thanks.


      • dima_dm
        Senior Member
        • Dec 2009
        • 2697

        #4
        I understand everything correctly.
        But in zabbix_agent active, an update interval is used (see MaxLinesPerSecond in http://www.zabbix.com/documentation/.../zabbix_agentd, Trigger status update interval).
        You receive only the last message (in e-mail) of the portion of data received in this update interval,
        if the time between events is less than the update interval.
        Last edited by dima_dm; 13-01-2011, 20:49.


        • Colttt
          Senior Member
          Zabbix Certified Specialist
          • Mar 2009
          • 878

          #5
          quick and dirty:
          for every event/pattern another email-action
          Debian-User

          Sorry for my bad english


          • dima_dm
            Senior Member
            • Dec 2009
            • 2697

            #6
            Originally posted by Shad0w
            quick and dirty:
            for every event/pattern another email-action
            No. For every pattern a new trigger must be created. But that solution will demand much more system resources than the solution in post #2.
            I don't use the log and logrt functions on Linux servers at all; UserParameter (or zabbix_sender) with a script is much better for large log files, searching for multiple patterns, complex searches and statistics.
            To generate e-mail on each record in a logfile is a very bad practice. Such events need to be aggregated.
            Last edited by dima_dm; 18-01-2011, 10:44.
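
The script approach from posts #2 and #6 (remember the position already processed in a state file, return all new matches aggregated on one line), as an added example that is not part of the thread and is not dima_dm's Perl script. The function names, the JSON state-file layout and the command-line arguments are assumptions; the rotation and partial-line handling go beyond what the posts describe.

```python
import json
import os
import re
import sys
import tempfile


def scan_new_lines(log_path, state_path, pattern):
    """Return lines matching `pattern` that were appended since the last call."""
    regex = re.compile(pattern.encode())
    try:
        with open(state_path) as fh:
            saved = json.load(fh)
        state = {"inode": saved["inode"], "offset": int(saved["offset"])}
    except (OSError, ValueError, KeyError, TypeError):
        state = {"inode": None, "offset": 0}  # first run or unreadable state

    st = os.stat(log_path)
    # Rotated (new inode) or truncated (file shrank): start from the beginning.
    if state["inode"] != st.st_ino or st.st_size < state["offset"]:
        state = {"inode": st.st_ino, "offset": 0}

    matches = []
    with open(log_path, "rb") as fh:
        fh.seek(state["offset"])
        for raw in fh:
            if not raw.endswith(b"\n"):
                break  # line still being written; pick it up on the next run
            state["offset"] += len(raw)
            if regex.search(raw):
                matches.append(raw.decode("utf-8", "replace").strip())

    # Write the state atomically (mkstemp creates the file with mode 0600).
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(state_path) or ".")
    with os.fdopen(fd, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, state_path)
    return matches


def summarize(matches):
    """One stdout line for the UserParameter item: count plus every match."""
    return "%d new: %s" % (len(matches), " | ".join(matches))


if __name__ == "__main__":
    # Assumed usage: script.py <logfile> <statefile> <regex>
    print(summarize(scan_new_lines(sys.argv[1], sys.argv[2], sys.argv[3])))
```

Keep the state file in a directory owned by the agent's account rather than in a shared /tmp, since anyone who can rewrite it decides which log lines are skipped.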
