Zabbix can be used for centralized monitoring and analysis of log files with/without log rotation support.
Notifications can be used to warn users when a log file contains certain strings or string patterns.
To monitor a log file you must have:
Make sure that in the agent configuration file:
Configure a log monitoring item:
Specifically for log monitoring items you enter:
| Parameter | Description |
|---|---|
| Type | Select Zabbix agent (active) here. |
| Key | Use one of the following item keys: `log` or `logrt`. These two item keys allow monitoring logs and filtering log entries by the content regexp, if present. See the supported Zabbix agent item key section for details on using these item keys and their parameters. |
| Type of information | Select Log here. |
| Update interval (in sec) | This parameter defines how often Zabbix agent will check for any changes in the log file. Setting it to 1 second ensures that you get new records as soon as possible. |
| Log time format | In this field you may optionally specify the pattern for parsing the log line timestamp. If left blank the timestamp will not be parsed. The supported placeholders are: |

* y: Year (0001-9999)
* M: Month (01-12)
* d: Day (01-31)
* h: Hour (00-23)
* m: Minute (00-59)
* s: Second (00-59)
For example, consider the following line from the Zabbix agent log file:

```
 23480:20100328:154718.045 Zabbix agent started. Zabbix 1.8.2 (revision 11211).
```

It begins with six character positions for the PID, followed by the date, the time, and the rest of the line.
The Log time format for this line would be `pppppp:yyyyMMdd:hhmmss`.
Note that the `p` and `:` characters are just placeholders and can be anything except `yMdhms`.
* If there are several matching log files for a `logrt` item and Zabbix agent is following the most recent of them and this most recent log file is deleted, the warning message `there are no files matching "<regexp mask>" in "<directory>"` is logged. Zabbix agent ignores log files with a modification time earlier than the most recent modification time seen by the agent for the `logrt` item being checked.
* For `logrt` items, if there are several matching files with the same last modification time in the directory:
* If a `logrt` item has an Update interval of 1 second, by default the agent will analyse no more than 400 log file records and will send no more than 100 matching records to Zabbix server in one check. By increasing MaxLinesPerSecond in the agent configuration file or setting the maxlines parameter in the item key, the limit can be raised up to 4000 analysed log file records and 1000 matching records sent to Zabbix server in one check. If the Update interval is set to 2 seconds, the limits for one check are twice as high as with an Update interval of 1 second.
* Regular expressions for `logrt` are supported in the file name only; directory regular expression matching is not supported.
* A `logrt` item becomes NOTSUPPORTED if the directory where the log files are expected to be found does not exist.
* Absence of log files matching a `logrt` item does not make it NOTSUPPORTED (before Zabbix 2.2.3 it caused NOTSUPPORTED).
* Errors reading log files for a `logrt` item are logged as warnings in the Zabbix agent log file but do not make the item NOTSUPPORTED (before Zabbix 2.2.3 they caused NOTSUPPORTED).
* The Zabbix agent log file can help to find out why a `logrt` item became NOTSUPPORTED. Zabbix can monitor its agent log file except when at DebugLevel=4.
Sometimes we may want to extract only the interesting value from a target file instead of returning the whole line when a regular expression match is found.
Previously, if a regular expression match was found by Zabbix, the whole line containing the match was returned. Since Zabbix 2.2.0, log items have been extended to be able to extract the desired values from these lines. This has been accomplished by adding the additional `output` parameter to the `log` and `logrt` item keys.
The `output` parameter allows indicating the subgroup of the match that we are interested in.
So, for example, the key

```
log[/path/to/the/file,"large result buffer allocation.*Entries: ([0-9]+)",,,,\1]
```

should return the entry count found in the content of:

```
Fr Feb 07 2014 11:07:36.6690 */ Thread Id 1400 (GLEWF) large result buffer allocation - /Length: 437136/Entries: 5948/Client Ver: >=10/RPC ID: 41726453/User: AUser/Form: CFG:ServiceLevelAgreement
```

The reason why Zabbix will return only the number is that `output` here is defined as `\1`, referring to the first and only subgroup of interest: `([0-9]+)`.
And, with the ability to extract and return a number, the value can be used to define triggers.