Log items and parameter "regex"

  • danieled
    Junior Member
    • Feb 2015
    • 6

    #1

    Log items and parameter "regex"

    Hi All,
    I'm a newbie to Zabbix and I'm encountering an issue trying to set up a syslog server monitored by Zabbix.
    I'd like to extract from my log the following lines:
    Code:
    Feb 19 10:35:57 dhcphost dnsmasq-dhcp[505]: DHCPACK(eth0) 192.168.2.21 ab:cd:ef:ab:cd:ef HOST
    To do so, I'm trying to configure a log item as below:
    Code:
    log[/var/log/home,{$REGEX_DHCP}]
    where the macro {$REGEX_DHCP} is defined in the template I'm setting up and is the following regex:
    Code:
    "(\w{3}\s\d+\s(\d{2}\:){2}\d{2})\s(.*)\s(\d+\.\d+\.\d\.\d+)\s(\w{2}\:\w{2}\:\w{2}\:\w{2}\:\w{2}\:\w{2})\s(.*)"
    I've tested the regex and it seems good, however I can see in the zabbix agent log that the item is being watched but I'm not getting any data in "Latest data".

    Any suggestions?
    Last edited by danieled; 19-02-2015, 17:59. Reason: Solved issue
  • ingus.vilnis
    Senior Member
    Zabbix Certified Trainer
    Zabbix Certified Specialist, Zabbix Certified Professional
    • Mar 2014
    • 908

    #2
    Hello and welcome to Zabbix forums!

    Please check that:
    • you have set the type of item to Zabbix agent (active)
    • in the zabbix_agentd.conf file you have set the ServerActive parameter to the IP of your Zabbix server, and the Hostname parameter matches the host name defined in the frontend
    • Zabbix agent user has read permissions to /var/log/home


    Hope this helps!

    Best Regards,
    Ingus


    • danieled
      Junior Member
      • Feb 2015
      • 6

      #3
      Hi Ingus,
      thanks for the welcome!

      Unfortunately I've already checked all the details you mention (also because I've already encountered the permissions issue).

      Here's an extract of what the zabbix agent log says about the home log when it catches a change:

      Code:
       15674:20150219:124404.078 sending [{"request":"active checks","host":"Zabbix server"}]
       15674:20150219:124404.078 before read
       15674:20150219:124404.079 got [{"response":"success","data":[{"key":"log[/var/log/home,\"\\\"(\\w{3}\\s\\d+\\s(\\d{2}\\:){2}\\d{2})\\s(.*)\\s(\\d+\\.\\d+\\.\\d\\.\\d+)\\s(\\w{2}\\:\\w{2}\\:\\w{2}\\:\\w{2}\\:\\w{2}\\:\\w{2})\\s(.*)\\\"\"]","key_orig":"log[/var/log/home,{$REGEX_DHCP}]","delay":30,"lastlogsize":29283,"mtime":0}]}]
       15674:20150219:124404.079 In parse_list_of_checks()
       15674:20150219:124404.079 In disable_all_metrics()
       15674:20150219:124404.079 In add_check() key:'log[/var/log/home,"\"(\w{3}\s\d+\s(\d{2}\:){2}\d{2})\s(.*)\s(\d+\.\d+\.\d\.\d+)\s(\w{2}\:\w{2}\:\w{2}\:\w{2}\:\w{2}\:\w{2})\s(.*)\""]' refresh:30 lastlogsize:29283 mtime:0
       15674:20150219:124404.079 End of add_check()
       15674:20150219:124404.079 End of refresh_active_checks():SUCCEED
      After this, nothing more
      Looks like the regex isn't actually matching the string, is it?

      Thanks and regards,
      Daniele


      • ingus.vilnis
        Senior Member
        Zabbix Certified Trainer
        Zabbix Certified Specialist, Zabbix Certified Professional
        • Mar 2014
        • 908

        #4
        Hi Daniele,

        Regex itself looks good, I tested in a web tester.

        Could be that the problem is where the macro {$REGEX_DHCP} is defined in template. You have the whole regex in double quotes and they are also treated as part of it thus not matching your string.

        Try removing two quotes from the macro and see if it helps.
        Code:
        (\w{3}\s\d+\s(\d{2}\:){2}\d{2})\s(.*)\s(\d+\.\d+\.\d\.\d+)\s(\w{2}\:\w{2}\:\w{2}\:\w{2}\:\w{2}\:\w{2})\s(.*)
        Best Regards,
        Ingus


        • danieled
          Junior Member
          • Feb 2015
          • 6

          #5
          Hi Ingus,
          my fault, in my last attempt I've left the double quotes, however no luck even removing them, the agent runs the active check but the data isn't displayed...

          Code:
            5077:20150219:160950.258 sending [{"request":"active checks","host":"Zabbix server"}]
            5077:20150219:160950.258 before read
            5077:20150219:160950.258 got [{"response":"success","data":[{"key":"log[/var/log/home,(\\w{3}\\s\\d+\\s(\\d{2}\\:){2}\\d{2})\\s(.*)\\s(\\d+\\.\\d+\\.\\d\\.\\d+)\\s(\\w{2}\\:\\w{2}\\:\\w{2}\\:\\w{2}\\:\\w{2}\\:\\w{2})\\s(.*)]","key_orig":"log[/var/log/home,{$REGEX_DHCP}]","delay":30,"lastlogsize":29283,"mtime":0}]}]
            5077:20150219:160950.258 In parse_list_of_checks()
            5077:20150219:160950.258 In disable_all_metrics()
            5077:20150219:160950.259 In add_check() key:'log[/var/log/home,(\w{3}\s\d+\s(\d{2}\:){2}\d{2})\s(.*)\s(\d+\.\d+\.\d\.\d+)\s(\w{2}\:\w{2}\:\w{2}\:\w{2}\:\w{2}\:\w{2})\s(.*)]' refresh:30 lastlogsize:29283 mtime:0
            5077:20150219:160950.259 End of add_check()
            5077:20150219:160950.259 End of refresh_active_checks():SUCCEED
          However, I've tried to replace the full regex with the simple word DHCPACK, and in this case it worked...
          I'm starting to think that the item does not really accept a POSIX regex but a simple "filter", attaching wildcards before and after it.
          This would be unfortunate as what I'd like to do is to manipulate the output as soon as the data is actually gathered (last option of the log item, not included yet in the item definition)

          Do you think it's the case to raise a JIRA ticket on the support site?

          Thanks and regards,
          Daniele


          • ingus.vilnis
            Senior Member
            Zabbix Certified Trainer
            Zabbix Certified Specialist, Zabbix Certified Professional
            • Mar 2014
            • 908

            #6
            Hi Daniele,

            Please try this as a macro (including quotes). It has the same functionality with capturing groups.

            Code:
            "([a-zA-Z0-9_]{3} [0-9]+ ([0-9]{2}\:){2}[0-9]{2}) (.*) ([0-9]+\.[0-9]+\.[0-9]\.[0-9]+) ([a-zA-Z0-9_]{2}\:[a-zA-Z0-9_]{2}\:[a-zA-Z0-9_]{2}\:[a-zA-Z0-9_]{2}\:[a-zA-Z0-9_]{2}\:[a-zA-Z0-9_]{2}) (.*)"
            I also overlooked your regexp at the beginning. You are using PCRE instead of POSIX. Zabbix currently supports only POSIX.

            Best Regards,
            Ingus


            • danieled
              Junior Member
              • Feb 2015
              • 6

              #7
              BTW, I've also tried using a global regular expression (defined via Administration -> General -> Regular Expression), calling it R_DHCP and invoking it as:
              Code:
              log[/var/log/home,@R_DHCP]
              as described here:


              But even in this case, no luck!
              Code:
                5077:20150219:163950.092 sending [{"request":"active checks","host":"Zabbix server"}]
                5077:20150219:163950.092 before read
                5073:20150219:163950.093 collector [processing data]
                5073:20150219:163950.093 In update_cpustats()
                5073:20150219:163950.093 End of update_cpustats()
                5073:20150219:163950.093 collector [idle 1 sec]
                5077:20150219:163950.103 got [{"response":"success","data":[{"key":"log[/var/log/home,@R_DHCP]","delay":30,"lastlogsize":29283,"mtime":0}],"regexp":[{"name":"R_DHCP","expression":"(\\w{3}\\s\\d+\\s(\\d{2}\\:){2}\\d{2})\\s(.*)\\s(\\d+\\.\\d+\\.\\d\\.\\d+)\\s(\\w{2}\\:\\w{2}\\:\\w{2}\\:\\w{2}\\:\\w{2}\\:\\w{2})\\s(.*)","expression_type":3,"exp_delimiter":",","case_sensitive":1}]}]
                5077:20150219:163950.103 In parse_list_of_checks()
                5077:20150219:163950.103 In disable_all_metrics()
                5077:20150219:163950.103 In add_check() key:'log[/var/log/home,@R_DHCP]' refresh:30 lastlogsize:29283 mtime:0
                5077:20150219:163950.103 End of add_check()
                5077:20150219:163950.103 End of refresh_active_checks():SUCCEED


              • danieled
                Junior Member
                • Feb 2015
                • 6

                #8
                It worked!
                (Even if I didn't completely follow your instructions: I'm using it as a global regex instead of that macro, and to get it to work it had to be saved without quotes, as you'd imagine)

                I didn't know my standard wasn't fine, I've trusted regexr.com to build it and what's strange is that, in the global regex definition, the test was passed!

                I'll try to work on the output management now.

                Many thanks,
                Daniele


                • ingus.vilnis
                  Senior Member
                  Zabbix Certified Trainer
                  Zabbix Certified Specialist, Zabbix Certified Professional
                  • Mar 2014
                  • 908

                  #9
                  So glad you got that solved!

                  Well global regexp did not play a role here because you can define your macros and regular expressions on all three levels - global, template and host.

                  regexr.com does the same as the tool I used - it automatically recognizes both notations and displays as correct even in the mix.

                  Anyhow, it works and that is the main thing!

                  Best Regards,
                  Ingus
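
An added example, not code from the thread or from Zabbix: a small lint for the two problems discussed above, the PCRE shorthand named in posts #6 and #9 and the surrounding quotes that the agent log in post #3 shows arriving as literal characters. It rewrites the shorthand to the bracket expressions used in post #6 and checks the result against the posted log line; the function names are hypothetical.

```python
import re

# PCRE shorthand classes that POSIX ERE does not define, mapped to the
# replacements used by the working pattern in post #6.
SHORTHAND = {"d": "[0-9]", "w": "[a-zA-Z0-9_]", "s": " "}

# Log line and original macro value as posted in the thread.
SAMPLE = ("Feb 19 10:35:57 dhcphost dnsmasq-dhcp[505]: DHCPACK(eth0) "
          "192.168.2.21 ab:cd:ef:ab:cd:ef HOST")
PCRE_STYLE = (r'"(\w{3}\s\d+\s(\d{2}\:){2}\d{2})\s(.*)\s(\d+\.\d+\.\d\.\d+)'
              r'\s(\w{2}\:\w{2}\:\w{2}\:\w{2}\:\w{2}\:\w{2})\s(.*)"')

def lint_for_posix(pattern):
    """Return (rewritten, findings). Shorthand outside [...] is rewritten;
    inside a bracket expression it is only reported and left untouched."""
    findings, out, i, in_bracket = [], [], 0, False
    if len(pattern) >= 2 and pattern[0] == pattern[-1] == '"':
        findings.append("surrounding double quotes")
        pattern = pattern[1:-1]
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            pair = pattern[i:i + 2]
            if pair[1] in SHORTHAND:
                if pair not in findings:
                    findings.append(pair)
                out.append(pair if in_bracket else SHORTHAND[pair[1]])
            else:
                out.append(pair)  # other escapes (\. \: \\) pass through
            i += 2
            continue
        if ch == "[":
            in_bracket = True
        elif ch == "]":
            in_bracket = False
        out.append(ch)
        i += 1
    return "".join(out), findings

def check(pattern, line=SAMPLE):
    """Lint the pattern, then confirm the rewrite still captures the fields.
    Python's re is not a POSIX engine; it is only a stand-in matcher here."""
    posix, findings = lint_for_posix(pattern)
    match = re.search(posix, line)
    return posix, findings, match.groups() if match else None

if __name__ == "__main__":
    for item in check(PCRE_STYLE):
        print(item)
```

A pattern that produces no findings can still behave differently on the agent, so the final check remains whether the item shows values in "Latest data".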
