Log monitoring issues

  • Clemens
    Junior Member
    • May 2012
    • 2

    #1

    Log monitoring issues

    I'm currently having two problems with log monitoring and haven't been able to find anything useful online.

    Problem 1: Log file processing seems slow. It's taking hours to get through logs that are only 50-60 MB in size (upon initial setup) and seems to fall behind or get delayed on fairly active logs (60-80 MB/day). I'm only scanning for 2 words and those lines occur very infrequently.

    Problem 2: I seem to be getting duplicate alerts on the same log line. I'll have an alarm fire over an error and an hour later it will re-alert on the same log line. Nothing else is touching these logs (so they're not shrinking in size and causing Zabbix to think it's a new log to be parsed).

    Here are the configured item and trigger:

    item: logrt["/var/log/tool/tool-.*log","[[:space:]]ERROR[[:space:]]|[[:space:]]CRITICAL[[:space:]]","us-ascii"]

    trigger: {template_name:logrt["/var/log/tool/tool-.*log","[[:space:]]ERROR[[:space:]]|[[:space:]]CRITICAL[[:space:]]","us-ascii"].nodata(300)}=0

    What this is meant to do is trigger if the strings "ERROR" or "CRITICAL" appear in the logs and then clear after 5 minutes of no further errors. That part seems to be working fine, but the two problems above are causing me some grief. If anyone can help it's much appreciated. Thanks.