Ad Widget

**christianb** · 14-04-2009, 13:37

I'm searching for a solution of that problem too. Sometimes Zabbix really bombs my mail inbox.

**Calimero** · 14-04-2009, 14:22

Over here we use "count" on our log items:

{host:log[/what/ever].count(600,%something horrible happened%)}>5

==> Over the last 10 minutes, trigger is true if pattern 'something horrible happened' was repeated at least 6 times.

Another option is this:

{host:log[/what/ever,ERROR].count(300)}>10

Only lines containing "ERROR" are sent to zabbix_server.
Then our trigger is true whenever we get more than 10 lines over the last 5 minutes.

You may have to add dummy .now() conditions to force evaluation of the trigger, btw.

**valenbj** · 15-04-2009, 17:53

Thanks for the responses. I'm thinking about moving from big brother (which we have used for years) to zabbix. I'm just making sure Zabbix can do everything big brother currently is doing. The only hang up is the log files. For instance big brother will check a log file every 5 mins and display a web page with every occurrence of the 'error' in one page (and will send you one email with all those errors). That way I don't miss any errors and also don't get a huge amount of emails.

With Zabbix it looks like either I get 1 email for every error (which could be bad). Or one email at the first error and ignore the rest.

**Calimero** · 16-04-2009, 11:04

Originally posted by valenbj

For instance big brother will check a log file every 5 mins and display a web page with every occurrence of the 'error' in one page (and will send you one email with all those errors). That way I don't miss any errors and also don't get a huge amount of emails.

Sending error messages by mail may be a bit tricky. I admit I haven't tried.

But getting a single message for a bunch of errors over a period of time is easily feasible thanks to .count().

**rue** · 16-04-2009, 11:59

Originally posted by valenbj

With Zabbix it looks like either I get 1 email for every error (which could be bad). Or one email at the first error and ignore the rest.

That's correct IMHO, but what's wrong with checking the GUI after you got the first error?

Or you could define one trigger, that gives you an alarm, if the first error occures and another one which gives you another mail when the number of errors in the last 10 minutes exceeds 10... (see above).

cheers

Rü

**christianb** · 16-04-2009, 15:30

Originally posted by rue

Or you could define one trigger, that gives you an alarm, if the first error occures and another one which gives you another mail when the number of errors in the last 10 minutes exceeds 10... (see above).

That's exactly what I'm searching for. But how do I get this working? Can you please give an example? I tried with {TRIGGER.VALUE}=1 to check if the trigger is already active, but it didn't work...

edit:
Got it... "Event generation" was set on "Normal + multiple True Events" so it sent an email on every error message in the log file.

Ad Widget

Notifications for log files

Notifications for log files

Comment

Comment

Comment

Comment

Comment

Comment