Ad Widget

Collapse

Can't work out regexp on log.count

Collapse
This topic has been answered.
X
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • doogie
    Junior Member
    • May 2020
    • 15
    #1

    Can't work out regexp on log.count

    Hey there,

    Struggling to work out the regexp escaping for a log.count line - basically it's a simple multiple pattern match in the zabbix_agent2.log for trying to find logs that it can't read (that then need to set an setfacl string).

    My regexp that's working on the log is as follows:

    Code:
    ^(?=.*kamailio\.log)(?=.*Permission denied).*$
    and the 'escaped' version should be:

    Code:
    \^\(\?=\.\*kamailio\\\.log\)\(\?=\.\*Permission\ denied\)\.\*\$
    But when I construct the full string in Zabbix I'm getting `Invalid fourth parameter` .

    Key is as follows:

    Code:
    log.count[/var/log/zabbix/zabbix_agent2.log,"\^\(\?=\.\*kamailio\\\.log\)\(\?=\.\*Permission\ denied\)\.\*\$",,skip,2]
    I've tried it with and without the quotes, is there a trick I'm missing here? I have got lots of single regexp patterns working, but this one requires an match first and then this.

    Zabbix 6.4.x agents here.
    Tags: None
    • Answer selected by doogie at 12-08-2025, 22:15.
      cyber
      Senior Member
      Zabbix Certified SpecialistZabbix Certified Professional
      • Dec 2006
      • 4806
      I think you are escaping too many things there... making anchors literal... like... \^, now it looks for literal ^ instead of beginning of the line... It will work for some of the lines, as it is present there, but I dont think that is what you expect...
      "^.*kamailio\.log.*Permission denied$" should be enough ... (disclaimer:I have no time and place to verify this.. )
        • Selected Answer

        Comment

        • cyber
          Senior Member
          Zabbix Certified SpecialistZabbix Certified Professional
          • Dec 2006
          • 4806
          #2
          I just copy-pasted your item key and it works..:P in v6 and v7... Or I just dont understand, where you have the struggle? Using log.count returns the number, so there is no additional regexes to be used anywhere (in triggers), I think... It will never return any filenames...

            Comment

            • doogie
              Junior Member
              • May 2020
              • 15
              #3
              Originally posted by cyber
              I just copy-pasted your item key and it works..:P in v6 and v7... Or I just dont understand, where you have the struggle? Using log.count returns the number, so there is no additional regexes to be used anywhere (in triggers), I think... It will never return any filenames...
              Yeah I just want the number, I then trigger on the amount of instances within a period. When I paste the above, the agent is returning Invalid fourth parameter (in as the regex itself).

                Comment

                • ISiroshtan
                  Senior Member
                  • Nov 2019
                  • 324
                  #4
                  Related question::
                  log.count[file,<regexp>,<encoding>,<maxproclines>,<mode>,<ma xdelay>,<options>,<persistent dir>]
                  taking your item key:
                  Code:
                  log.count[/var/log/zabbix/zabbix_agent2.log,"\^\(\?=\.\*kamailio\\\.log\)\(\?=\.\*Permission\ denied\)\.\*\$",,skip,2]
                  file = /var/log/zabbix/zabbix_agent2.log
                  regexp = "\^\(\?=\.\*kamailio\\\.log\)\(\ ?=\.\*Permission\ denied\)\.\*\$"
                  encoding =
                  maxproclines = skip
                  mode = 2
                  maxdelay =
                  rest of params =

                  You either made a typo on forum or you missing one extra comma in your item key and as result the values are shifted to wrong options. Could you check?



                  Unrelated to question part:
                  any reason for complicating regexp with positive lookahead and adding ".*$"?
                  Log count by itself will not return you the match, so there is no point in lookahead. If you would just use "^.*kamailio\.log.*Permission denied.*$" you would get exactly same result with log.count but with less special characters needing escaping (unless I miss something here)
                  Similarly, ".*$" checks that rest of the log line has (or does not have) anything and ends in new line. Do you expect any of your log entries not to end in new line? Or what's the point?

                    Comment

                    • doogie
                      Junior Member
                      • May 2020
                      • 15
                      #5
                      Appreciate that - you were right, I'd misplaced a comma and it's now working as expected. Simple things right...

                      I've no idea why I'd added the positive lookahead, so I've corrected that - thanks for the advice.

                        Comment

                        • doogie
                          Junior Member
                          • May 2020
                          • 15
                          #6

                          Sigh - I guess I just fundamentally understand why Zabbix isn't matching count on this. I can run this through every regex processor and it matches, but the moment I put it in zabbix... nadda.

                          Help appreciated again. I have this log info, but this:

                          Code:
                          log.count[/var/log/zabbix/zabbix_agent2.log,"/\^\.\*kamailio\.log\.\*Permission\ denied\.\*\$",,,skip,2]
                          Doesn't increment on this log:

                          Code:
                          2025/08/12 01:04:44.002067 check 'log.count[/var/log/kamailio/kamailio.log,"^.*(408 Request Timeout).*",,,skip,]' is not supported: Cannot obtain information for file "/var/log/kamailio/kamailio.log": [13] Permission denied
2025/08/12 01:04:44.002131 check 'log.count[/var/log/kamailio/kamailio.log,"^.*(antiflood_rate_limit).*",,,skip,]' is not supported: Cannot obtain information for file "/var/log/kamailio/kamailio.log": [13] Permission denied
2025/08/12 01:04:44.002204 check 'log.count[/var/log/kamailio/kamailio.log,"^.*(could not allocate|out of mem).*",,,skip,]' is not supported: Cannot obtain information for file "/var/log/kamailio/kamailio.log": [13] Permission denied
2025/08/12 01:04:47.001509 check 'log.count[/var/log/kamailio/kamailio.log,"^.*(408 Request Timeout).*",,,skip,]' is not supported: Cannot obtain information for file "/var/log/kamailio/kamailio.log": [13] Permission denied
2025/08/12 01:04:47.001666 check 'log.count[/var/log/kamailio/kamailio.log,"^.*(antiflood_rate_limit).*",,,skip,]' is not supported: Cannot obtain information for file "/var/log/kamailio/kamailio.log": [13] Permission denied
2025/08/12 01:04:47.001783 check 'log.count[/var/log/kamailio/kamailio.log,received trusted reload,,,skip,]' is not supported: Cannot obtain information for file "/var/log/kamailio/kamailio.log": [13] Permission denied
2025/08/12 01:04:47.001850 check 'log.count[/var/log/kamailio/kamailio.log,"^.*(dropping request authorization failure|dropping insane message).*",,,skip,]' is not supported: Cannot obtain information for file "/var/log/kamailio/kamailio.log": [13] Permission denied
2025/08/12 01:04:47.001891 check 'log.count[/var/log/kamailio/kamailio.log,"^.*(could not allocate|out of mem).*",,,skip,]' is not supported: Cannot obtain information for file "/var/log/kamailio/kamailio.log": [13] Permission denied
2025/08/12 01:04:47.001926 check 'log.count[/var/log/kamailio/kamailio.log,sending on closing connection,,,skip,]' is not supported: Cannot obtain information for file "/var/log/kamailio/kamailio.log": [13] Permission denied
2025/08/12 01:04:47.001937 check 'log.count[/var/log/kamailio/kamailio.log,"^.*(internal reply 408 Request Timeout).*",,,skip,]' is not supported: Cannot obtain information for file "/var/log/kamailio/kamailio.log": [13] Permission denied zz0.6a23rhkdanezz

                            Comment

                            • cyber
                              Senior Member
                              Zabbix Certified SpecialistZabbix Certified Professional
                              • Dec 2006
                              • 4806
                              #7
                              I think you are escaping too many things there... making anchors literal... like... \^, now it looks for literal ^ instead of beginning of the line... It will work for some of the lines, as it is present there, but I dont think that is what you expect...
                              "^.*kamailio\.log.*Permission denied$" should be enough ... (disclaimer:I have no time and place to verify this.. )
                                • Selected Answer

                                Comment

                                • doogie
                                  Junior Member
                                  • May 2020
                                  • 15
                                  #8
                                  Originally posted by cyber
                                  I think you are escaping too many things there... making anchors literal... like... \^, now it looks for literal ^ instead of beginning of the line... It will work for some of the lines, as it is present there, but I dont think that is what you expect...
                                  "^.*kamailio\.log.*Permission denied$" should be enough ... (disclaimer:I have no time and place to verify this.. )
                                  Thanks - that was the one. I don't know why I struggled so much with this one, but appreciated to one and all.

                                    Comment

                                    Previous template Next
                                    Working...