Log Monitor mail flood prevention

    Recently I've created a log file monitor and an action to inform by mail on patterns found in log files.
    When monitoring /var/log/syslog, in case of a RAM issue the log is filled with thousands of errors, all of them are caught, and an email is sent for each alert (which caused my email to receive 100,000 emails from the Zabbix log file monitor).

    How can I avoid this from happening in the future?

    - Moshe

    You can take a look at the <maxdelay> parameter for log[], log.count[], logrt[], logrt.count[] items - see

    The <maxdelay> parameter was designed to deal with fast-growing log files by skipping records in case of a huge number of messages in a short time.

    Also consider using log.count[] or logrt.count[] - they do not send every matching record to the server but only the number of matching records.


      Log mode 'Skip'

      In Zabbix 3.0 at least, there is a field "mode" that, if you specify 'skip', will cause the monitor to send items from the current end of file moving forward.

      From the 3.0 documentation regarding the log and logrt items:

      "mode - possible values: all (default), skip - skip processing of older data (affects only newly created items)."
      You may also look at the max lines but Skip is what specifically you are asking about for newly created items.
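
The difference between sending every matching record and sending only a count, as described in the replies above, can be seen in a small model. This is an added example, not Zabbix code and not from any poster in the thread; the regular expression, the 60-second check interval and the sample syslog lines are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed pattern and item update interval; neither comes from the thread.
PATTERN = re.compile(r"EDAC .* CE memory read error")
INTERVAL = 60  # seconds between agent checks


def build_sample_syslog(start, burst_lines=6000, burst_seconds=180):
    """Constructed sample: a memory-error burst in syslog plus unrelated lines."""
    lines = []
    for i in range(burst_lines):
        ts = start + timedelta(seconds=i * burst_seconds / burst_lines)
        lines.append((ts, "kernel: EDAC MC0: 1 CE memory read error on DIMM_A1"))
        if i % 100 == 0:
            lines.append((ts, "CRON[4242]: (root) CMD (run-parts /etc/cron.hourly)"))
    return lines


def per_line_values(lines):
    """Model of a log[] item: every matching record becomes one value on the server."""
    return [(ts, msg) for ts, msg in lines if PATTERN.search(msg)]


def counted_values(lines, start, interval=INTERVAL):
    """Model of a log.count[] item: one number per check interval, the match count."""
    counts = Counter()
    for ts, msg in lines:
        if PATTERN.search(msg):
            counts[int((ts - start).total_seconds() // interval)] += 1
    return [counts[k] for k in sorted(counts)]


if __name__ == "__main__":
    start = datetime(2024, 1, 1)
    sample = build_sample_syslog(start)
    print("values sent, one per matching line:", len(per_line_values(sample)))
    print("values sent, one count per check:  ", counted_values(sample, start))
```

In this model an action that notifies on every received value fires thousands of times for the per-line item, while the count item produces one number per check that a trigger can compare against a threshold.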