This is the documentation page for an unsupported version of Zabbix.
Is this not what you were looking for? Switch to the current version or choose one from the drop-down menu.
Table of Contents

2 How it works

Monitoring of log files requires Zabbix Agent running on a host. An item used for monitoring of a log file must have type Zabbix Agent (Active), its value type must be Log and key set to log[file,<pattern>,<encoding>,<max lines>] or logrt[path to log file with filename format,<pattern>,<encoding>,<max lines>].

For example:


The last one will collect data from files such "filelog_abc_1" or "filelog__001".

Important notes:

  • The server and agent keep a trace of the monitored log's size and last modification time (for logrt) in two counters.
  • The agent starts reading the log file from the point it stopped the previous time.
  • The number of bytes already analyzed (the size counter) and the last modification time (the time counter) are stored in the Zabbix database and are sent to the agent, to make sure it starts reading the log file from this point.
  • Whenever the log file becomes smaller than the log size counter known by the agent, the counter is reset to zero and the agent starts reading the log file from the beginning taking the time counter into account.
  • All files matching the filename format in the provided directory are analyzed every cycle the agent tries to get the next line from the log (for logrt).
  • If there are several matching files with the same last modification time in the directory, then the agent will read lexicographically the smallest one.
  • Zabbix Agent processes new records of a log file once per Update interval seconds.
  • Zabbix Agent does not send more than maxlines of a log file per second. The limit prevents overloading of network and CPU resources and overrides the default value provided for MaxLinesPerSecond parameter in the configuration file of the agent.
  • Special note for "\" path separators: if file_format is "file\.log", then there should not be directory "file", since it is not possible to unambiguously define whether "." is escaped or is the first symbol of the file name.