Hello everyone,
I am facing an issue with log monitoring using logrt[] in Zabbix 7.0.9. My goal is to monitor only the most recent log entries from a specific log file and trigger an alert when a certain keyword (e.g., "ERROR") appears in the last few lines.
Currently, I am using the following item key:
logrt[/var/log/path/path.log,,,20]
And my trigger is:
find(/My Template - Scripts/logrt[/var/log/path/path.log,,,20],5m,"like","ERROR")>0
However, it seems that Zabbix is still scanning the entire log file, instead of just the last few lines. This can lead to old log messages triggering the alert, which is not what I want.
What I Need:
- I want to monitor only the most recent log entries (e.g., last 20 or 50 lines).
- The trigger should alert only if "ERROR" appears in the last few minutes.
- The log file can be large, so I need an efficient way to process only recent data.
Is there a proper way to configure logrt[] to achieve this behavior?
I appreciate any suggestions or best practices for optimizing log monitoring in Zabbix.
Thank you in advance!