log[] item analyzes log file line-by-line - either it matches regexp or not. It does not understand multi-line blocks in log files.

Есть вот такое решение, только всё равно не понятно =)


The parsing of multi-line messages could be very useful feature.
The main problem with it is a mechanism allowing to distinguish one message from another. It is necessary an accurate definition of what is a "message".

For example, a competitive product "IBM Tivoli Monitoring" has "Universal Agent" component that could be set up to parse a multi-line messages in log files or script outputs via a RECORDSET directive. It uses the number of possibilities to define a "message":

• just using counter (maximum number of lines per single message);
• describing some delimiter (if it is used between different messages);
• using template describing either the beginning or the end of message;
• using an XML tag.

As Zabbix-agent already uses a regular expressions for log monitoring, it seems for me that the most useful for Zabbix could be the using of regular expression to define the beginning of message. Ideally, with the additional parameter specifying the maximum number of lines per message.

Example
Real log file of some Java Application (Novell Role-Based Provisioning Module running on IBM WebSphere) has the following part:


[7/14/14 13:09:00:611 EEST] 00000096 SystemOut O INFO [RBPM] [com.novell.soa.persist.DatabaseSchemaUpdate:analyz eSchema] Checking schema for table SEC_SYNC_CLEANUP_QUEUE....found [7/14/14 13:09:02:001 EEST] 00000076 NGUtil$Server I ASND0002I: Detected server servantPL3_srv1 started on node vmwastest1Node01 [7/14/14 13:09:02:301 EEST] 00000075 NGUtil$Server I ASND0002I: Detected server cusPL4_srv4 started on node vmwastest4Node01 [7/14/14 13:09:02:302 EEST] 00000075 NGUtil$Server I ASND0002I: Detected server cusPL5_srv2 started on node vmwastest2Node01 [7/14/14 13:09:02:302 EEST] 00000075 NGUtil$Server I ASND0002I: Detected server irPL5_srv4 started on node vmwastest4Node01 [7/14/14 13:09:03:001 EEST] 00000096 SystemOut O ERROR [RBPM] [com.sssw.fw.servlet.EboBootServlet:init] Runtime exception initializing. com.novell.soa.persist.PersistenceException: java.lang.IllegalStateException: Expected to return only foreign keys for base table name: PORTALPORTLETHANDLES and got results for table: null at com.novell.soa.persist.DatabaseSchemaUpdate.unappl iedChangesets(DatabaseSchemaUpdate.java:346) at com.novell.soa.persist.DatabaseSchemaUpdate.valida teDatabaseSchema(DatabaseSchemaUpdate.java:212) at com.sssw.fw.servlet.EboBootServlet.init(EboBootSer vlet.java:98) at com.sssw.portal.servlet.EboPortalBootServlet.init( EboPortalBootServlet.java:59) at javax.servlet.GenericServlet.init(GenericServlet.j ava:161) at com.ibm.ws.webcontainer.servlet.ServletWrapper.ini t(ServletWrapper.java:342) at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl .init(ServletWrapperImpl.java:168) at com.ibm.ws.webcontainer.servlet.ServletWrapper.loa dOnStartupCheck(ServletWrapper.java:1366) at com.ibm.ws.webcontainer.webapp.WebApp.doLoadOnStar tupActions(WebApp.java:614) at com.ibm.ws.webcontainer.webapp.WebApp.commonInitia lizationFinally(WebApp.java:584) at com.ibm.ws.webcontainer.webapp.WebAppImpl.initiali ze(WebAppImpl.java:425) at com.ibm.ws.webcontainer.webapp.WebGroupImpl.addWeb Application(WebGroupImpl.java:88) at com.ibm.ws.webcontainer.VirtualHostImpl.addWebAppl ication(VirtualHostImpl.java:169) at com.ibm.ws.webcontainer.WSWebContainer.addWebApp(W SWebContainer.java:749) at com.ibm.ws.webcontainer.WSWebContainer.addWebAppli cation(WSWebContainer.java:634) at com.ibm.ws.webcontainer.component.WebContainerImpl .install(WebContainerImpl.java:426) at com.ibm.ws.webcontainer.component.WebContainerImpl .start(WebContainerImpl.java:718) at com.ibm.ws.runtime.component.ApplicationMgrImpl.st art(ApplicationMgrImpl.java:1177) at com.ibm.ws.runtime.component.DeployedApplicationIm pl.fireDeployedObjectStart(DeployedApplicationImpl .java:1370) at com.ibm.ws.runtime.component.DeployedModuleImpl.st art(DeployedModuleImpl.java:639) at com.ibm.ws.runtime.component.DeployedApplicationIm pl.start(DeployedApplicationImpl.java:968) at com.ibm.ws.runtime.component.ApplicationMgrImpl.st artApplication(ApplicationMgrImpl.java:776) at com.ibm.ws.runtime.component.ApplicationMgrImpl$5. run(ApplicationMgrImpl.java:2195) at com.ibm.ws.security.auth.ContextManagerImpl.runAs( ContextManagerImpl.java:5474) at com.ibm.ws.security.auth.ContextManagerImpl.runAsS ystem(ContextManagerImpl.java:5600) at com.ibm.ws.security.core.SecurityContext.runAsSyst em(SecurityContext.java:255) at com.ibm.ws.runtime.component.ApplicationMgrImpl.st art(ApplicationMgrImpl.java:2200) at com.ibm.ws.runtime.component.CompositionUnitMgrImp l.start(CompositionUnitMgrImpl.java:446) at com.ibm.ws.runtime.component.CompositionUnitImpl.s tart(CompositionUnitImpl.java:123) at com.ibm.ws.runtime.component.CompositionUnitMgrImp l.start(CompositionUnitMgrImpl.java:389) at com.ibm.ws.runtime.component.CompositionUnitMgrImp l.access$500(CompositionUnitMgrImpl.java:117) at com.ibm.ws.runtime.component.CompositionUnitMgrImp l$CUInitializer.run(CompositionUnitMgrImpl.java:99 5) at com.ibm.wsspi.runtime.component.WsComponentImpl$_A synchInitializer.run(WsComponentImpl.java:502) at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.j ava:1864) Caused by: java.lang.IllegalStateException: Expected to return only foreign keys for base table name: PORTALPORTLETHANDLES and got results for table: null at liquibase.change.core.DropAllForeignKeyConstraints Change.generateChildren(DropAllForeignKeyConstrain tsChange. java:104) at liquibase.change.core.DropAllForeignKeyConstraints Change.generateStatements(DropAllForeignKeyConstra intsChange.java:54) at liquibase.change.AbstractChange.warn(AbstractChang e.java:78) at liquibase.changelog.visitor.ValidatingVisitor.visi t(ValidatingVisitor.java:77) at liquibase.changelog.ChangeLogIterator.run(ChangeLo gIterator.java:58) at liquibase.changelog.DatabaseChangeLog.validate(Dat abaseChangeLog.java:134) at liquibase.Liquibase.listUnrunChangeSets(Liquibase. java:583) at liquibase.Liquibase.reportStatus(Liquibase.java:59 6) at com.novell.soa.persist.DatabaseSchemaUpdate.unappl iedChangesets(DatabaseSchemaUpdate.java:323) ... 33 more [7/14/14 13:09:03:007 EEST] 00000096 SystemOut O INFO [RBPM] [com.sssw.portal.servlet.EboPortalBootServlet:init] Identity Manager Roles Based Provisioning Module Version 4.0.2 [7/14/14 13:09:03:007 EEST] 00000096 SystemOut O INFO [RBPM] [com.sssw.portal.servlet.EboPortalBootServlet:init] Patch E [7/14/14 13:09:03:008 EEST] 00000096 SystemOut O INFO [RBPM] [com.sssw.portal.servlet.EboPortalBootServlet:init] Driver Version 2.2 [7/14/14 13:09:03:008 EEST] 00000096 SystemOut O INFO [RBPM] [com.sssw.portal.servlet.EboPortalBootServlet:init] Build Revision 41620 [7/14/14 13:09:04:048 EEST] 00000096 SystemOut O INFO [RBPM] [com.novell.soa.notification.impl.jms.JMSConnection Mediator:init] Starting JMS notification system [7/14/14 13:09:04:051 EEST] 00000096 SystemOut O WARN [RBPM] [com.novell.soa.notification.impl.NotificationEngin e:<init>] Could not properly initialize JMS persistence for the notification system. Will revert back to non-persistent asynchronous notification system.


This part has an error message that begins with "[7/14/14 13:09:03:001 EEST]" timestamp, has the "ERROR" string in the same line, and lasts up to "... 33 more" string in the last line (46 lines total). It is useless to monitor this file on the line-by-line basis: the first line (containing the keyword "ERROR") is useless without the next several lines (the top of Java stack trace). At the same time, it is not necessary to analyze all 46 lines - the really useful information usually is in the first several lines.

So, in this example it could be useful to have something like following:

Item
log[/opt/IBM/WebSphere.../SystemOut.log," ERROR ",UTF-8,,skip,,"^\[1?\d/[1-3]?\d/\d{2} \d{2}:\d{2}:\d{2}:\d{3} .*\] \x{8} ",11]


An additional 7-th parameter is a Regular Expression defining that the result could be a multi-line message starting with a line matching this RE. In this example the RE describes a WebSphere's timestamp in square brackets and a ThreadId as a 8 Hex-digits.The 8-th parameter defines the maximum of lines to transfer to Zabbix server as the item value. The message could be shorter, but if the message is longer - then a Zabbix agent processes only this specified maximum.

In result, the value of item in this example will be the just 11 lines of error message: initial line from WebSphere (containing "ERROR [...] Runtime exception initializing.") and the first 10 lines of the Java exception stack trace:


[7/14/14 13:09:03:001 EEST] 00000096 SystemOut O ERROR [RBPM] [com.sssw.fw.servlet.EboBootServlet:init] Runtime exception initializing. com.novell.soa.persist.PersistenceException: java.lang.IllegalStateException: Expected to return only foreign keys for base table name: PORTALPORTLETHANDLES and got results for table: null at com.novell.soa.persist.DatabaseSchemaUpdate.unappl iedChangesets(DatabaseSchemaUpdate.java:346) at com.novell.soa.persist.DatabaseSchemaUpdate.valida teDatabaseSchema(DatabaseSchemaUpdate.java:212) at com.sssw.fw.servlet.EboBootServlet.init(EboBootSer vlet.java:98) at com.sssw.portal.servlet.EboPortalBootServlet.init( EboPortalBootServlet.java:59) at javax.servlet.GenericServlet.init(GenericServlet.j ava:161) at com.ibm.ws.webcontainer.servlet.ServletWrapper.ini t(ServletWrapper.java:342) at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl .init(ServletWrapperImpl.java:168) at com.ibm.ws.webcontainer.servlet.ServletWrapper.loa dOnStartupCheck(ServletWrapper.java:1366) at com.ibm.ws.webcontainer.webapp.WebApp.doLoadOnStar tupActions(WebApp.java:614)

Это не решение, а моё предложение в рамках ZBXNEXT-1428.
Просто пример подхода к этой проблеме, как можно было бы сделать, чтобы было удобно (с точки зрения сисадмина).
К сожалению, это всё ещё не реализовано; текущие версии агента Zabbix умеют мониторить логи только построчно.

Зайдя на support.zabbix.com, можно зарегистрироваться (это бесплатно и много времени не займёт, но требует минимального знания английского). Тогда станет возможным добавлять либо свои собственные запросы (проект ZBXNEXT) и баг-репорты (проект ZBX), либо комментарии к уже существующим. А самое важное - можно добавлять свой голос к уже оформленным enhancement request-ам (в правом верхнем углу - "Votes"), демонстируя их важность для вас и повышая их приоритет.
Если зайти по ссылке из моего предыдущего сообщения, то видно, что данный enhancement request был оформлен ещё в 2012 году, через два года появился мой комментарий, но до сих пор проголосовавших всего 6 человек. Т.е. выглядит так, что почти никому это не нужно, поэтому и в приоритетах у разработчиков где-то в самом хвосте :-(

шестой человек - это я =)