Better syslog message handling for Zabbix

  • alixen
    Senior Member
    • Apr 2006
    • 474

    #1

    Better syslog message handling for Zabbix

    Hi,

    We are releasing under GPL a program that provides better integration of syslog messages with Zabbix.
    (This is not a ZABBIX SIA official development.)

    Currently, Zabbix cannot process messages in syslog format.
    It can only process messages stored in flat files by standard syslog programs on Unix/Linux systems.

    This has two drawbacks:
    1. It can process logfiles only on hosts where the Zabbix agent can be installed.
      Logs from devices such as routers or firewalls cannot be processed.
    2. The syslog protocol defines several pieces of information associated with messages that are lost: timestamp, facility and severity.


    This project adds support in Zabbix for a new kind of item:
    Code:
    syslog[<facility>,<regexp>,<severity>,<maxlines>]
    The main program is a syslog server that receives syslog messages from local or remote hosts and sends them to the corresponding items in Zabbix.
    It uses the Zabbix agent protocol in active mode to send syslog messages to the Zabbix server.
    It takes advantage of the existing timestamp, source and severity fields associated in Zabbix with eventlog items (used for Windows logs):
    - syslog timestamp is stored in zabbix event "timestamp";
    - syslog facility is stored in zabbix event "source";
    - syslog severity is stored in zabbix event "severity".

    It has been collecting syslog messages from
    • Linux (syslog and rsyslog)
    • FreeBSD/pfSense firewall
    • APC SmartUPS
    • Dell Powerconnect switch

    for more than 2 weeks.

    A detailed explanation is included in the README (http://www.alixen.org/svn/zbxlog/tags/r0.1/README)

    It has been tested on Zabbix 1.8.2 and 1.8.3.

    You can download release 0.1 from : http://www.alixen.org/attachments/do...bxlog-r0.1.tgz

    Feel free to download and test it.
    Any feedback is welcome.

    Regards,
    Alixen
    http://www.alixen.fr/zabbix.html
  • whisky
    Junior Member
    • Jul 2008
    • 14

    #2
    Great work!

    Do you think you'll have a chance to settle for the added severity levels that are on par with syslog severity (and I think the RFC) as an official Zabbix numbering?

    Note: it would be great to have in one of your settings files a way to add a dictionary that could match for a source

    a regexp to match
    optionally a replacement part for that regexp if matched
    so that only the log entries for the given facility will be passed to Zabbix when there is a match.

    Doing so could simplify the way to write triggers in Zabbix as we will already have some powerful filtering on the machine running the proxy (I guess it has more power to spare than a loaded Zabbix server). As it runs as a daemon, pre-compiling the regexp will be a performance boost also.


    • zalex_ua
      Senior Member
      Zabbix Certified Trainer
      Zabbix Certified Specialist, Zabbix Certified Professional
      • Oct 2009
      • 1286

      #3
      Originally posted by alixen
      Feel free to download and test it.
      Any feedback is welcome.
      Ha-ha.
      You're faster than me; I have been finishing my similar solution for several months.
      Your solution is very, very interesting. A private syslog server - this is very cool. I use Syslog-NG.
      Maybe I'll borrow some ideas from you.
      I assure the whole Zabbix community that this is the first such solution which is available publicly.

      Congratulations.


      • alixen
        Senior Member
        • Apr 2006
        • 474

        #4
        Originally posted by whisky
        Do you think you'll have a chance to settle for the added severity levels that are on par with syslog severity (and I think the RFC) as an official Zabbix numbering?
        There are 8 severity levels as defined by the RFC.
        I have chosen to use a range outside of Zabbix's official severity levels since the ones used by Zabbix are Windows specific.
        If you apply the patches supplied for the Zabbix frontend, you will get correct labels and colors for severity levels instead of "Unknown".

        As for official Zabbix numbering, I have no contact with Zabbix team. If one of them could comment on this it is more than welcome.

        Originally posted by whisky
        Note: it would be great to have in one of your settings files a way to add a dictionary that could match for a source
        You can filter on syslog source by specifying it in the item definition:
        Code:
        syslog[mail]
        will match logs coming from the mail facility only.

        Originally posted by whisky
        a regexp to match
        Done !
        Code:
        syslog[mail,^postfix]
        will match messages from the mail facility starting with the string "postfix" (Perl regular expressions are used).

        Originally posted by whisky
        optionally a replacement part for that regexp if matched
        This is not possible.
        I have defined a syntax as close as possible to eventlog as defined by Zabbix agent.

        Originally posted by whisky
        so that only the log entries for the given facility will be passed to zabbix when there is a match.

        Doing so could simplify the way to write triggers in Zabbix as we will already have some powerful filtering on the machine running the proxy (I guess it has more power to spare than a loaded Zabbix server). As it runs as a daemon, pre-compiling the regexp will be a performance boost also.
        The whole syntax is:
        Code:
        syslog[<facility>,<regexp>,<severity>,<maxlines>]
        so you can filter on
        • facility
        • severity
        • regular expression

        and limit the maximum number of lines per second.

        Regards,
        Alixen
        http://www.alixen.fr/zabbix.html
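The item syntax from post #1 and the filter semantics alixen spells out in post #4 (facility, Perl-style regexp, severity with 'warn' and 'warning' both accepted, and a per-second line cap) can be exercised end to end with the following Python. It is an added example, not zbxlog's own code: it parses an RFC 3164 datagram into the four elements the thread discusses, matches it against a set of `syslog[...]` item keys, applies the <maxlines> limit, and maps the result onto the eventlog-style fields (timestamp, source, severity). The facility name table, the assumption that <regexp> contains no commas, keeping the timestamp as text instead of converting it to epoch, and the sample datagrams are all mine.

```python
import re
import time

# Short facility names in the order of RFC 3164 numeric codes 0..23, as used in
# syslog.conf / rsyslog (codes 12-15 are named differently across implementations).
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity names for codes 0..7 (RFC 3164).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Alternate spellings accepted in item keys; post #4 says 'warn' and 'warning' both match.
SEVERITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# RFC 3164 wire format: "<PRI>Mmm dd hh:mm:ss HOSTNAME MSG"
RFC3164_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def parse_rfc3164(raw):
    """Split a syslog datagram into the four elements alixen lists (timestamp,
    facility, severity, detail) plus the sending host. None if malformed."""
    m = RFC3164_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                         # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)   # PRI = facility * 8 + severity
    return {
        "timestamp": m.group(2),          # kept as text here; epoch conversion needs a year
        "host": m.group(3),
        "facility": FACILITY_NAMES[facility],
        "severity": SEVERITY_NAMES[severity],
        "detail": m.group(4),
    }


class SyslogItem:
    """One syslog[<facility>,<regexp>,<severity>,<maxlines>] item; an empty parameter means 'any'."""

    KEY_RE = re.compile(r"^syslog\[(.*)\]$")

    def __init__(self, key):
        m = self.KEY_RE.match(key)
        if not m:
            raise ValueError("not a syslog item key: " + key)
        # Assumption: <regexp> contains no commas, as in the keys shown in the thread.
        params = (m.group(1).split(",") + [""] * 4)[:4]
        self.key = key
        self.facility = params[0].strip()
        self.regexp = re.compile(params[1]) if params[1] else None
        sev = params[2].strip().lower()
        self.severity = SEVERITY_ALIASES.get(sev, sev)
        self.maxlines = int(params[3]) if params[3].strip() else None
        self._bucket = (None, 0)          # (second, lines accepted within that second)

    def matches(self, msg):
        if self.facility and self.facility != msg["facility"]:
            return False
        if self.severity and self.severity != msg["severity"]:
            return False
        if self.regexp and not self.regexp.search(msg["detail"]):
            return False
        return True

    def accept(self, msg, now):
        """True if msg passes the filters and the per-second <maxlines> limit."""
        if not self.matches(msg):
            return False
        if self.maxlines is not None:
            second, count = self._bucket
            if second != int(now):
                second, count = int(now), 0
            if count >= self.maxlines:
                self._bucket = (second, count)
                return False
            self._bucket = (second, count + 1)
        return True


def to_zabbix_eventlog(msg):
    """Map the syslog elements onto the eventlog-style fields named in post #1."""
    return {"timestamp": msg["timestamp"], "source": msg["facility"],
            "severity": msg["severity"], "value": msg["detail"]}


def route(items, raw, now=None):
    """Return the keys of every item that accepts this raw datagram."""
    msg = parse_rfc3164(raw)
    if msg is None:
        return []
    now = time.time() if now is None else now
    return [item.key for item in items if item.accept(msg, now)]


# Constructed sample datagrams (not real traffic): mail.info and auth.crit.
SAMPLE_MAIL = "<22>Sep 14 22:47:01 mx1 postfix/smtpd[1234]: connect from unknown[192.0.2.10]"
SAMPLE_AUTH = "<34>Sep 14 22:47:02 fw1 sshd[999]: Failed password for invalid user admin from 192.0.2.5 port 4022 ssh2"

if __name__ == "__main__":
    items = [SyslogItem(k) for k in ("syslog[]", "syslog[mail]", "syslog[mail,^postfix]",
                                      "syslog[,,warn]", "syslog[auth,,crit]")]
    for raw in (SAMPLE_MAIL, SAMPLE_AUTH):
        print(to_zabbix_eventlog(parse_rfc3164(raw)), "->", route(items, raw))
```

Note that a datagram with a PRI outside 0..191 or without the expected timestamp/host layout is dropped rather than guessed at, and that the <maxlines> counter is per item, so a noisy device throttled on one item still reaches a catch-all `syslog[]` item on another host if that one has no cap.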


        • zalex_ua
          Senior Member
          Zabbix Certified Trainer
          Zabbix Certified Specialist, Zabbix Certified Professional
          • Oct 2009
          • 1286

          #5
          Originally posted by alixen
          Any feedback is welcome.
          So let's go.
          Firstly thank you for the work done.

          Secondly the right standard RFC 3164 and RFC 3124 does not


          Why did you decide to use the abbreviated names?
          + 'S_SYSLOG_DEBUG' => 'debug',
          + 'S_SYSLOG_INFO' => 'info',
          + 'S_SYSLOG_NOTICE' => 'notice',
          + 'S_SYSLOG_WARN' => 'warn',
          + 'S_SYSLOG_ERR' => 'err',
          + 'S_SYSLOG_CRIT' => 'crit',
          + 'S_SYSLOG_ALERT' => 'alert',
          + 'S_SYSLOG_EMERG' => 'emerg',

          In the interface it would be more accurate to use full names like this, with a capital letter:

          + 'S_SYSLOG_DEBUG' => 'Debug',
          + 'S_SYSLOG_INFO' => 'Info',
          + 'S_SYSLOG_NOTICE' => 'Notice',
          + 'S_SYSLOG_WARN' => 'Warning',
          + 'S_SYSLOG_ERR' => 'Error',
          + 'S_SYSLOG_CRIT' => 'Critical',
          + 'S_SYSLOG_ALERT' => 'Alert',
          + 'S_SYSLOG_EMERG' => 'Emergency',

          And in general I would recommend using full names everywhere instead of truncated ones, including the names of keys. It will be better for users.
          Why did you all decide to use truncated names?
          http://www.ietf.org/rfc/rfc3164.txt uses them this way. I recommend not to use http://tools.ietf.org/html/draft-ietf-syslog-tc-mib-08

          testlog.sh without input parameters does not stop - this needs to be fixed. It is necessary to generate an error.

          Some example for optimization:
          Code:
          #$datalen = pack('q',$bytes); # simple 64-bit conversion, but only works if perl was compiled with PERL_64BITINT ("Use 64 bit integers" on i386)
          $datalen = pack("V",$bytes)."\x00\x00\x00\x00"; # 32-bit little-endian length followed by a 32-bit zero is more compatible than 64-bit 'q' ("V" forces little-endian as the protocol expects; "l" uses native byte order)
          $header = "ZBXD\x01";                   # protocol signature "ZBXD" plus version byte \x01
          Wouldn't you want to abandon the cron scripts and implement everything inside zbxlog.pl, and also not use text files but keep everything in an array inside zbxlog.pl?

          No support for "wildcard" hosts - the host is not defined in Zabbix, but syslog messages from it come.

          I sent you my script by mail. Maybe you'll find something useful in it. I know that the script is not written very professionally; I have only half a year of experience programming in Perl. And as a programmer, I never was

          It is not easy, but perhaps I confess that I may give up continuing my own development and switch to your solution.

          To be continued ...


          Added:
          your solution:
          "debug = 10, info = 11, ... , emerg = 17."
          is very similar to my last post


          I propose to write in the Event ID field a number combining Facility and Severity, as in my real example https://support.zabbix.com/secure/at...yslog_DEMO.png This is from March 2010!
          Last edited by zalex_ua; 14-09-2010, 22:47.
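The header and length encoding zalex_ua shows above is the framing every message to zabbix_server starts with. As an added example (not zbxlog's code, and not the Perl from the post), the Python below builds the frame the same way, shows that the 32-bit-length-plus-four-zero-bytes form is byte-identical to one 64-bit little-endian length, and adds the receiving side, which checks the signature and refuses a declared length that does not match the data or exceeds a cap, so a malformed peer cannot make the reader allocate blindly. The JSON field names for the active-agent "agent data" request and the severity value 11 for info (alixen's debug=10 ... emerg=17 range) are assumptions to check against your Zabbix version; the sample values are constructed.

```python
import json
import struct

ZBX_HEADER = b"ZBXD\x01"       # protocol signature plus version byte
HEADER_LEN = 5 + 8             # signature + 64-bit length
MAX_PAYLOAD = 1 << 20          # assumption: a sane upper bound; never trust a peer's declared length


def frame(payload):
    """Wrap a payload in the Zabbix header. The length is written exactly as
    zalex_ua's Perl snippet builds it: a 32-bit length followed by four zero
    bytes, which equals one 64-bit little-endian integer byte for byte."""
    body = payload.encode("utf-8") if isinstance(payload, str) else payload
    datalen = struct.pack("<I", len(body)) + b"\x00\x00\x00\x00"   # Perl: pack("V", $bytes) . "\0\0\0\0"
    assert datalen == struct.pack("<Q", len(body))                  # Perl: pack("q", $bytes) on 64-bit builds
    return ZBX_HEADER + datalen + body


def unframe(buf):
    """Validate a received frame and return its payload; raise ValueError otherwise."""
    if len(buf) < HEADER_LEN or buf[:5] != ZBX_HEADER:
        raise ValueError("missing ZBXD header")
    (datalen,) = struct.unpack("<Q", buf[5:HEADER_LEN])
    if datalen > MAX_PAYLOAD:
        raise ValueError("declared length exceeds limit")
    if len(buf) != HEADER_LEN + datalen:
        raise ValueError("length mismatch")
    return buf[HEADER_LEN:]


def is_valid_frame(buf):
    try:
        unframe(buf)
        return True
    except ValueError:
        return False


def agent_data_request(host, key, value, timestamp, source, severity, clock):
    """Build the active-agent 'agent data' JSON carrying the eventlog-style
    fields alixen reuses. Field names follow the Zabbix 1.8 active agent
    protocol as far as I know it; treat them as an assumption to verify."""
    return json.dumps({
        "request": "agent data",
        "data": [{"host": host, "key": key, "value": value, "timestamp": timestamp,
                  "source": source, "severity": severity, "clock": clock}],
        "clock": clock,
    }, separators=(",", ":"))


def parse_agent_data(buf):
    """Receiving side: unframe, then decode the JSON request."""
    return json.loads(unframe(buf).decode("utf-8"))


if __name__ == "__main__":
    # Constructed example values, not a real capture. Severity 11 = info in
    # zbxlog's numbering (debug = 10 ... emerg = 17).
    req = agent_data_request("mx1", "syslog[mail]",
                             "postfix/smtpd[1234]: connect from unknown[192.0.2.10]",
                             1284497221, "mail", 11, 1284497222)
    wire = frame(req)
    print(wire[:HEADER_LEN].hex(), len(wire))
    print(parse_agent_data(wire)["data"][0]["source"])
```

The receiver's length check is the part the Perl snippet has no counterpart for; on the server side it is what separates a truncated or oversized datagram from a real request.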


          • zalex_ua
            Senior Member
            Zabbix Certified Trainer
            Zabbix Certified Specialist, Zabbix Certified Professional
            • Oct 2009
            • 1286

            #6
            And I think you can use 8 different colors (probably need to patch CSS styles), rather than grouping into the existing 4 colors. We will ask the developers to include it in the source code.


            • alixen
              Senior Member
              • Apr 2006
              • 474

              #7
              Originally posted by zalex_ua
              So let's go.
              Firstly thank you for the work done.

              Secondly the right standard RFC 3164 and RFC 3124 does not
              Typo corrected.

              Originally posted by zalex_ua
              Why did you decide to use the abbreviated names?
              + 'S_SYSLOG_DEBUG' => 'debug',
              + 'S_SYSLOG_INFO' => 'info',
              + 'S_SYSLOG_NOTICE' => 'notice',
              + 'S_SYSLOG_WARN' => 'warn',
              + 'S_SYSLOG_ERR' => 'err',
              + 'S_SYSLOG_CRIT' => 'crit',
              + 'S_SYSLOG_ALERT' => 'alert',
              + 'S_SYSLOG_EMERG' => 'emerg',

              In the interface it would be more accurate to use full names like this, with a capital letter:

              + 'S_SYSLOG_DEBUG' => 'Debug',
              + 'S_SYSLOG_INFO' => 'Info',
              + 'S_SYSLOG_NOTICE' => 'Notice',
              + 'S_SYSLOG_WARN' => 'Warning',
              + 'S_SYSLOG_ERR' => 'Error',
              + 'S_SYSLOG_CRIT' => 'Critical',
              + 'S_SYSLOG_ALERT' => 'Alert',
              + 'S_SYSLOG_EMERG' => 'Emergency',

              And in general I would recommend using full names everywhere instead of truncated ones, including the names of keys. It will be better for users.
              Why did you all decide to use truncated names?
              http://www.ietf.org/rfc/rfc3164.txt uses them this way. I recommend not to use http://tools.ietf.org/html/draft-ietf-syslog-tc-mib-08
              I use truncated names because they are also used in syslog configuration files and syslog/rsyslog man pages.
              However, I agree that long names would be better in Web interface.
              I have integrated your suggestion in en_gb.inc.php.patch.
              Severities in keys are checked using pattern matching, 'warn' and 'warning' will both match.
              So you can write syslog[,,warn] or syslog[,,warning]
              I have completed README file.

              Originally posted by zalex_ua
              testlog.sh without input parameters does not stop - this needs to be fixed. It is necessary to generate an error.
              This is a quick and dirty test program that needs some documentation.
              It does not need a parameter but generates all combinations of (facility, severity) sources in string and numeric formats.
              It takes some time to run.

              Originally posted by zalex_ua
              Some example for optimization:
              Code:
              #$datalen = pack('q',$bytes); # simple 64-bit conversion, but only works if perl was compiled with PERL_64BITINT ("Use 64 bit integers" on i386)
              $datalen = pack("V",$bytes)."\x00\x00\x00\x00"; # 32-bit little-endian length followed by a 32-bit zero is more compatible than 64-bit 'q' ("V" forces little-endian as the protocol expects; "l" uses native byte order)
              $header = "ZBXD\x01";                   # protocol signature "ZBXD" plus version byte \x01
              Thank you for this optimization; I will include it in the next release (after some testing).

              Originally posted by zalex_ua
              Wouldn't you want to abandon the cron scripts and implement everything inside zbxlog.pl, and also not use text files but keep everything in an array inside zbxlog.pl?
              I have kept it separated from zbxlog.pl because I don't have a "good" solution yet.
              Should I use direct DB access, Zabbix API or extend Zabbix agent protocol ?
              The current solution (DB access) is MySQL specific and should be made DB independent.
              I am not very familiar with the Zabbix API and I don't know if I could efficiently retrieve all syslog items this way.
              Extending the Zabbix protocol would be the best way but, not being a Zabbix core developer, I am reluctant to touch zabbix_server code.
              Or maybe there is a better solution I have not imagined yet...
              This first release is a "proof of concept" that needs some improvements.

              Originally posted by zalex_ua
              No support for "wildcard" hosts - the host is not defined in Zabbix, but syslog messages from it come.
              I sent you my script by mail. Maybe you'll find something useful in it. I know that the script is not written very professionally; I have only half a year of experience programming in Perl. And as a programmer, I never was
              The concept of "wildcard" or "catchall" host would be interesting in Zabbix not only for syslog messages but also for SNMP traps or Zabbix traps.
              I'll look at your script and I will try to find a way to add "wildcard" to zbxlog.

              Originally posted by zalex_ua

              It is not easy, but perhaps I confess that I may give up continuing my own development and switch to your solution.

              To be continued ...
              Glad to see that zbxlog can be useful !

              Originally posted by zalex_ua
              Added:
              your solution:
              "debug = 10, info = 11, ... , emerg = 17."
              is very similar to my last post


              I propose to write in the Event ID field a number combining Facility and Severity, as in my real example https://support.zabbix.com/secure/at...yslog_DEMO.png This is from March 2010!
              Thank you for your comments.
              Alixen
              http://www.alixen.fr/zabbix.html


              • alixen
                Senior Member
                • Apr 2006
                • 474

                #8
                Hi,

                Originally posted by zalex_ua
                And I think you can paint a different 8 colors (probably need to patch CSS styles), but not group the existing 4 colors. We will ask developers to include it in the source code.
                I agree that it would be better to differentiate all 8 levels. But, at first glance, it would need patches not only in CSS but also in PHP code.
                My first goal was to make it useful enough without patching too much code.

                Regards,
                Alixen
                http://www.alixen.fr/zabbix.html


                • whisky
                  Junior Member
                  • Jul 2008
                  • 14

                  #9
                  Originally posted by alixen
                  ...
                  This is not possible.
                  I have defined a syntax as close as possible to eventlog as defined by Zabbix agent.


                  The whole syntax is:
                  Code:
                  syslog[<facility>,<regexp>,<severity>,<maxlines>]
                  so you can filter on
                  • facility
                  • severity
                  • regular expression

                  and limit the maximum number of lines per second.

                  Regards,
                  Alixen
                  I understand the need to closely match the documentation for the documented
                  eventlog agent key,

                  but my suggestion was that you take advantage of the fact that if you run the regexp then you have a matched context right at the end.

                  So, rewriting it to look more closely like the eventlog, you can have a syntax similar to this:

                  Code:
                  syslog[<name>,<regexp>,<severity>,<facility|source>,<eventid><maxlines>,<mode>]
                  where
                  • name is one of your Zabbix item keys of type 'log'
                  • severity could be either a string or a regexp group match ($<n>)
                  • facility could be either the default facility, a string, a $<n>
                  • eventid could be a string or a $<n> group match


                  and the big thing will be that the <regexp> could be expressed as a
                  /RE/SUBSTITUTION/ Perl expression

                  Let's apply it to an example (Asterisk based).

                  A syslog line like:

                  Code:
                  NOTICE[6728] chan_sip.c: Failed to authenticate on REGISTER to '0123456789@domain' (Tries 3)
                  could get inside a Zabbix server as a log entry like this:
                  Key : Asterisk (supposing such a Zabbix item of type Log exists)
                  Value : REGISTER(0123456789@domain) Failed 3 times
                  Severity : NOTICE
                  Source : chan_sip.c
                  EventID : 6728

                  with a line like:
                  Code:
                  syslog[Asterisk,<regexp>,$1,$3,$2<maxlines>,<mode>]
                  where <regexp> would be:
                  Code:
                  /^(\w+)\[(\d+)\] ([^:]+): Failed to authenticate on (\w+) to '((\d+)@(\w+))' \(Tries (\d+)\)/$4($5) Failed $8 times/
                  Such a regexp could be referenced by name from a configuration file
                  with a simple interpolation scheme.

                  What do you think about this?
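To make the /RE/SUBSTITUTION/ proposal concrete, here is an added example in Python (not code from whisky or from zbxlog) that takes exactly the Asterisk rule and line from the post, splits the Perl-style expression on unescaped slashes, translates the $n group references, and fills the value, severity, source and eventid fields from the match. A line that does not match yields None, so it would not be forwarded. The rule is kept under a name in a small dict to stand in for the configuration file whisky mentions; the function names and that named-rule table are my own.

```python
import re


def split_perl_subst(expr):
    """Split a Perl-style '/RE/SUBST/' expression into (RE, SUBST). A backslash
    escapes the following character, so an escaped slash does not delimit."""
    if not expr.startswith("/"):
        raise ValueError("expression must start with '/'")
    parts, current, i = [], [], 1
    while i < len(expr):
        c = expr[i]
        if c == "\\" and i + 1 < len(expr):
            current.extend((c, expr[i + 1]))   # keep the escape for the regex engine
            i += 2
            continue
        if c == "/":
            parts.append("".join(current))
            current = []
        else:
            current.append(c)
        i += 1
    if len(parts) != 2 or current:             # must close on the third slash
        raise ValueError("expected /RE/SUBST/")
    return parts[0], parts[1].replace("\\/", "/")


def perl_groups_to_python(template):
    """Translate Perl '$n' group references into Python's '\\g<n>'."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", template)


def rewrite(rule, line, severity="$1", source="$3", eventid="$2"):
    """Apply whisky's proposed rewrite: if RE matches the line, the value is the
    substituted text and severity/source/eventid are filled from the groups
    given as $n specs. Returns None when the line does not match."""
    pattern, subst = split_perl_subst(rule)
    m = re.match(pattern, line)
    if not m:
        return None

    def expand(spec):
        return m.expand(perl_groups_to_python(spec))

    return {"value": expand(subst), "severity": expand(severity),
            "source": expand(source), "eventid": expand(eventid)}


# The Asterisk rule and line from the post, kept under a name the way a
# configuration file would reference it (the dict and name are mine).
RULES = {
    "asterisk_register_fail":
        r"/^(\w+)\[(\d+)\] ([^:]+): Failed to authenticate on (\w+) to '((\d+)@(\w+))' \(Tries (\d+)\)/$4($5) Failed $8 times/",
}
ASTERISK_LINE = "NOTICE[6728] chan_sip.c: Failed to authenticate on REGISTER to '0123456789@domain' (Tries 3)"

if __name__ == "__main__":
    print(rewrite(RULES["asterisk_register_fail"], ASTERISK_LINE))
    print(rewrite(RULES["asterisk_register_fail"], "NOTICE[1] chan_sip.c: Registration accepted"))
```

This operates on the MSG part only: as zalex_ua notes in the next post, the datagram's PRI carries nothing but facility and severity, so the application name and event id can only come from the message text after the standard RFC 3164 parse.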


                  • zalex_ua
                    Senior Member
                    Zabbix Certified Trainer
                    Zabbix Certified Specialist, Zabbix Certified Professional
                    • Oct 2009
                    • 1286

                    #10
                    Originally posted by alixen
                    I use truncated names because they are also used in syslog configuration files and syslog/rsyslog man pages.
                    However, I agree that long names would be better in Web interface.
                    I have integrated your suggestion in en_gb.inc.php.patch.
                    Severities in keys are checked using pattern matching, 'warn' and 'warning' will both match.
                    So you can write syslog[,,warn] or syslog[,,warning]
                    I have completed README file.
                    I see only one advantage in shorter names - shorter trigger expressions. Again, I would recommend starting to use the full names everywhere (including in the source code of Zbxlog).


                    Originally posted by alixen
                    I have kept it separated from zbxlog.pl because I don't have a "good" solution yet.
                    Should I use direct DB access, Zabbix API or extend Zabbix agent protocol ?
                    The current solution (DB access) is MySQL specific and should be made DB independent.
                    I am not very familiar with the Zabbix API and I don't know if I could efficiently retrieve all syslog items this way.
                    Extending the Zabbix protocol would be the best way but, not being a Zabbix core developer, I am reluctant to touch zabbix_server code.
                    Or maybe there is a better solution I have not imagined yet...
                    This first release is a "proof of concept" that needs some improvements.
                    I think that few people use the Zabbix API, so it's even worse than direct queries to the DB.
                    You may not even be aware of a possibility to get something you need by using the API, and if in the future you want to do something better or differently, but the API does not have these functions - then there will be a dead end.
                    Those who need to can change the code of the several queries according to their type of database.
                    Extending the Zabbix agent protocol precisely for these purposes I think is unrealistic (meaning the inclusion of this in the original source).


                    Originally posted by alixen
                    Glad to see that zbxlog can be useful !
                    It is possible that I will still finish my own development. It will certainly be much simpler, but perhaps that will be an advantage.
                    I think the more such worthy solutions, the better. Moreover, I started to do this a long time ago, but in connection with participation in other areas of improving Zabbix, I cannot finish it to the end.
                    Not the least matter will be testing the performance and workload of the physical server with an intensive flow of events.




                    Originally posted by alixen
                    Hi,
                    I agree that it would be better to differentiate all 8 levels. But, at first glance, it would need patches not only in CSS but also in PHP code.
                    My first goal was to make it useful enough without patching too much code.
                    I think that we will prove to the Zabbix core developers that these changes need to be included in the source code, including picking eight individual colors (adding 4 more colors to the 4 existing). So preparing patches for this I think is right. I do not see any need to patch the source of zabbix_server; only the frontend needs patching.


                    Originally posted by whisky
                    but my suggestion was that you take advantage of the fact that if you run the regexp then you have a matched context right at the end.

                    So, rewriting it to look more closely like the eventlog, you can have a syntax similar to this:

                    Code:
                    syslog[<name>,<regexp>,<severity>,<facility|source>,<eventid><maxlines>,<mode>]
                    where
                    • name is one of your Zabbix item keys of type 'log'
                    • severity could be either a string or a regexp group match ($<n>)
                    • facility could be either the default facility, a string, a $<n>
                    • eventid could be a string or a $<n> group match
                    I do not agree with you; at first I also thought that Alixen had not chosen the most accurate logic and syntax, but then I still agreed with him. That's the best. The first parameter being Facility (stored in Zabbix as "source") is a very good solution IMHO.
                    I mostly did not understand what "group match ($<n>)" is, as well as "eventid".
                    You forgot to suggest what <mode> would be.

                    Originally posted by whisky

                    Let's apply it to an example (Asterisk based).

                    A syslog line like:

                    Code:
                    NOTICE[6728] chan_sip.c: Failed to authenticate on REGISTER to '0123456789@domain' (Tries 3)
                    could get inside a Zabbix server as a log entry like this:
                    Key : Asterisk (supposing such a Zabbix item of type Log exists)
                    Value : REGISTER(0123456789@domain) Failed 3 times
                    Severity : NOTICE
                    Source : chan_sip.c
                    EventID : 6728

                    with a line like:
                    Code:
                    syslog[Asterisk,<regexp>,$1,$3,$2<maxlines>,<mode>]
                    You probably don't work very closely with Syslog; you probably are not familiar with its communication structure under the RFC. From the syslog UDP packet it is impossible to know what Asterisk is, or anything else; there are only facilities according to the RFC.


                    • alixen
                      Senior Member
                      • Apr 2006
                      • 474

                      #11
                      Hi zalex_ua and whisky,

                      I have just released v0.2 of zbxlog (http://www.alixen.org/attachments/do...bxlog-r0.2.tgz)

                      It contains only a few enhancements as suggested by zalex_ua (use full names for severity levels in Web interface and optimize request to zabbix server).

                      Before discussing the other suggestions you have made, I need to clarify the goals of this project:
                      • Raise the level of support of syslog messages by Zabbix to the same level as Windows events (with eventlog).
                      • Make it as easy to use as possible: once zbxlog is set up and running, all configuration is done through the Zabbix Web interface.
                      • Since this project is not an official Zabbix project, limit patches to Zabbix code in order to avoid problems in future releases of Zabbix.


                      zalex_ua, a "wildcard" host is an interesting suggestion; it may be a way to not miss important messages from a misconfigured host. However, zbxlog currently does not modify the data it receives; it just sends it (or not) to Zabbix. If these data are sent to a wildcard host, zbxlog needs to at least append the host name or IP to the message detail in order to identify its origin.
                      I currently use a simple template with one item (syslog[]) that I have linked to all hosts via mass update as a "catchall" item.
                      I'm still thinking on a way to define a wildcard host that will be easy to setup (no extra configuration in zbxlog, only in Zabbix Web interface).
                      Maybe I can add a new item (we may call it sysloglost) that will receive all messages that don't match any other item. You'll then get your wildcard host by adding that item to some host.

                      whisky, your idea of using patterns to rewrite syslog messages is very interesting but goes far beyond what a syslog item is. A 'syslog' item provides a very simple mapping between the original syslog message content and a Zabbix log item.
                      A syslog message as defined by the RFC has four elements:
                      • timestamp
                      • facility
                      • severity
                      • detail

                      zbxlog just maps them to zabbix log fields. I think it should keep this simple mapping.
                      As for wildcard host, I think that adding a new item type will make it easier to understand that they have different goals:
                      • syslog[] => simple mapping, no rewrite
                      • newitem[] => complex mapping, content rewriting

                      However, I would like to avoid the use of an auxiliary configuration file. The more we can do through Web GUI, the better.

                      Thank you for your comments,
                      Alixen
                      http://www.alixen.fr/zabbix.html


                      • alixen
                        Senior Member
                        • Apr 2006
                        • 474

                        #12
                        Hi zalex_ua,

                        I was answering your previous post while you posted this one.

                        Originally posted by zalex_ua
                        I see only one advantage in shorter names - shorter trigger expressions. Again, I would recommend starting to use the full names everywhere (including in the source code of Zbxlog).
                        Currently (in release 0.2), full names can be used as item parameter.
                        I have also replaced short names in Web GUI with full names.
                        I don't think I need to do more changes in the code.

                        Originally posted by zalex_ua
                        I think that few people use the Zabbix API, so it's even worse than direct queries to the DB.
                        You may not even be aware of a possibility to get something you need by using the API, and if in the future you want to do something better or differently, but the API does not have these functions - then there will be a dead end.
                        Those who need to can change the code of the several queries according to their type of database.
                        Extending the Zabbix agent protocol precisely for these purposes I think is unrealistic (meaning the inclusion of this in the original source).
                        I agree with you; I think that my next step will be to move database access to Perl code and get rid of crontab and shell scripts. We will even gain some DBMS independence with Perl DBI.

                        Originally posted by zalex_ua
                        It is possible that I will still finish my own development. It will certainly be much simpler, but perhaps that will be an advantage.
                        I think the more such worthy solutions, the better. Moreover, I started to do this a long time ago, but in connection with participation in other areas of improving Zabbix, I cannot finish it to the end.
                        Not the least matter will be testing the performance and workload of the physical server with an intensive flow of events.
                        In case of heavy load due to syslog processing, Zbxlog can be installed on a dedicated server.
                        My test environment is a VM with Zabbix server, DB and Zbxlog collecting syslog messages from 6 hosts. Load average is 0.0

                        Originally posted by zalex_ua
                        I think that we will prove to the Zabbix core developers that these changes need to be included in the source code, including picking eight individual colors (adding 4 more colors to the 4 existing). So preparing patches for this I think is right. I do not see any need to patch the source of zabbix_server; only the frontend needs patching.
                        I agree with you; I don't think that zabbix_server needs to be patched, only CSS and PHP.

                        Originally posted by zalex_ua
                        I do not agree with you; at first I also thought that Alixen had not chosen the most accurate logic and syntax, but then I still agreed with him. That's the best. The first parameter being Facility (stored in Zabbix as "source") is a very good solution IMHO.
                        I mostly did not understand what "group match ($<n>)" is, as well as "eventid".
                        You forgot to suggest what <mode> would be.

                        You probably don't work very closely with Syslog; you probably are not familiar with its communication structure under the RFC. From the syslog UDP packet it is impossible to know what Asterisk is, or anything else; there are only facilities according to the RFC.
                        As I answered in my previous post, message handling as suggested by whisky is interesting but should be dealt with by a different kind of item.

                        Regards,
                        Alixen
                        http://www.alixen.fr/zabbix.html


                        • zalex_ua
                          Senior Member
                          Zabbix Certified Trainer
                          Zabbix Certified SpecialistZabbix Certified Professional
                          • Oct 2009
                          • 1286

                          #13
                          Originally posted by alixen
                          I think that my next step will be to move database access to Perl code and get rid of crontab and shell scripts.
                          After that, I'll try in a real work of your decision.

                          Originally posted by alixen
                          My test environment is a VM with Zabbix server, DB and Zbxlog collecting syslog messages from 6 hosts. Load average is 0.0
0.0 is a nice number, but special testing is needed (a manually generated bulk of syslog messages, for example 100-500 per second).


                          Originally posted by alixen
                          I agree with you, I don't think that zabbix_server needs to be patched only CSS and PHP.
I want to try to select additional colors and make patches for the CSS. Have you not done this yet?



                          Originally posted by alixen
                          [*]Since this project is not an official Zabbix project, limit patches to Zabbix code in order to avoid problems in future releases of Zabbix.
                          When we work it out all the details, I hope developers will agree to include patches in the original code. This does not prevent anything, only extends some of the capabilities of the Web interface.
By the way, speaking to the developers, I would like to hear at least what your opinion is. The most important thing: are you willing to add severity levels in the new range, i.e. add 10-17? This is now the most important thing for proper development of the idea and to avoid remaking it in the future.
                          Give the answer please.

                          Originally posted by alixen
                          If these data are sent to a wildcard host, zbxlog needs to at least append host name or IP to message detail in order to identify its origin.
This is absolutely the right decision. In my script for snmp-traps I do something like this:
Code:
 # messages whose sender is not a known Zabbix host go to the wildcard host,
 # with the sender IP prepended so the origin is not lost
 if ($zabbix_host eq $wildcard_host) {
            $str = "--------- Unknown HOST ---------  ($ipaddress)".$str;
 }
I think there is no need to resolve and include the hostname.


                          Originally posted by alixen
                          I'm still thinking on a way to define a wildcard host that will be easy to setup (no extra configuration in zbxlog, only in Zabbix Web interface).
                          Maybe I can add a new item (we may call it sysloglost ) that will receive all messages that don't match any other item. You'll then get your wildcard host by adding that item to some host.
hmm... Very good and fresh idea. But the item key could maybe be something like: syslog_homeless, syslog_outcast? "lost" is not the most precise definition IMHO.

                          Originally posted by alixen
                          However, I would like to avoid the use of an auxiliary configuration file. The more we can do through Web GUI, the better.
                          I agree with you.


Alixen, and lastly, do you plan to fill EventID as I suggested above?
This can be very useful for simple construction of triggers, as it includes both the Severity and Facility parameter values in one numeric.
Of course, after the closing of my simple feature request https://support.zabbix.com/browse/ZBXNEXT-448

heh... I have not seen more quoted topics than this one in the entire forum
                          Last edited by zalex_ua; 15-09-2010, 21:31.
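The two mechanisms discussed in this exchange, decoding the RFC 3164 PRI into facility and severity (the only origin information a syslog UDP datagram carries), combining both into one numeric for trigger expressions, and tagging messages from unknown senders with their IP before routing them to a wildcard host, are shown together below. This is an added example, not zbxlog's own code: the host table, the wildcard host name and the mapping of syslog severity onto the proposed 10-17 Zabbix range (10 + syslog severity) are assumptions made here for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 3164: PRI = facility * 8 + severity, encoded as "<PRI>" at the start of
# the datagram. Facility and severity names in numeric order.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sender-IP -> Zabbix host table (hypothetical, not zbxlog configuration).
KNOWN_HOSTS = {"192.0.2.10": "pfsense-fw", "192.0.2.20": "web01"}
# Assumed name of the host that collects messages from unknown senders.
WILDCARD_HOST = "syslog-wildcard"
# Assumed offset placing syslog severities 0..7 into the proposed 10..17 range.
ZABBIX_SEVERITY_OFFSET = 10

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


@dataclass
class ZabbixSyslogEvent:
    host: str        # Zabbix host the item belongs to
    source: str      # syslog facility name, stored as Zabbix event "source"
    severity: int    # syslog severity shifted into the 10-17 range (assumed mapping)
    eventid: int     # facility*8 + severity: one numeric carrying both values
    message: str     # message text as forwarded to Zabbix


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split a PRI value into (facility, severity); valid PRI is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 0x7


def parse_syslog_datagram(sender_ip: str, payload: str) -> Optional[ZabbixSyslogEvent]:
    """Turn one received datagram into the fields zbxlog-style forwarding needs.

    Returns None when the payload carries no PRI header, so the caller can
    count and drop malformed input instead of guessing a facility.
    """
    m = PRI_RE.match(payload)
    if m is None:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    message = m.group(2)

    host = KNOWN_HOSTS.get(sender_ip)
    if host is None:
        # Unknown sender: route to the wildcard host and keep the origin IP,
        # the same idea as the snmp-trap snippet quoted above.
        host = WILDCARD_HOST
        message = f"--------- Unknown HOST ---------  ({sender_ip})" + message

    return ZabbixSyslogEvent(
        host=host,
        source=FACILITIES[facility],
        severity=ZABBIX_SEVERITY_OFFSET + severity,
        eventid=facility * 8 + severity,
        message=message,
    )


if __name__ == "__main__":
    # Constructed sample datagrams: auth.crit from a known firewall and
    # user.notice from an address that is not in the host table.
    samples = [
        ("192.0.2.10", "<34>Oct  5 12:00:00 fw01 sshd[123]: constructed sample message"),
        ("198.51.100.7", "<13>Oct  5 12:00:01 box1 app: constructed sample message"),
        ("198.51.100.7", "no PRI header at all"),
    ]
    for ip, raw in samples:
        print(parse_syslog_datagram(ip, raw))
```

The event id is simply the PRI value itself, which is why a single numeric comparison in a trigger can match "any facility at severity err or worse" (eventid & 7 <= 3) or "everything from local0" (eventid >> 3 == 16) without string matching on the message.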


                          • alixen
                            Senior Member
                            • Apr 2006
                            • 474

                            #14
                            Hi,

                            Originally posted by zalex_ua
                            After that, I'll try in a real work of your decision.


0.0 is a nice number, but special testing is needed (a manually generated bulk of syslog messages, for example 100-500 per second).
I agree with you; as soon as the core of the code is stabilized, I'll start load testing.

                            Originally posted by zalex_ua
I want to try to select additional colors and make patches for the CSS. Have you not done this yet?
No, I'm currently working on integrating DB access in Perl.

                            Originally posted by zalex_ua
                            When we work it out all the details, I hope developers will agree to include patches in the original code. This does not prevent anything, only extends some of the capabilities of the Web interface.
By the way, speaking to the developers, I would like to hear at least what your opinion is. The most important thing: are you willing to add severity levels in the new range, i.e. add 10-17? This is now the most important thing for proper development of the idea and to avoid remaking it in the future.
Give the answer please.
I would be really happy if all these patches could be integrated into the original code and the 10-17 range reserved for syslog severity levels.

                            Originally posted by zalex_ua
This is absolutely the right decision. In my script for snmp-traps I do something like this:
Code:
 # messages whose sender is not a known Zabbix host go to the wildcard host,
 # with the sender IP prepended so the origin is not lost
 if ($zabbix_host eq $wildcard_host) {
            $str = "--------- Unknown HOST ---------  ($ipaddress)".$str;
 }
I think there is no need to resolve and include the hostname.



hmm... Very good and fresh idea. But the item key could maybe be something like: syslog_homeless, syslog_outcast? "lost" is not the most precise definition IMHO.
                            Next release will integrate DB access in Perl only.
                            I don't plan to add new item types in the short term but I keep this idea in the roadmap.

                            Originally posted by zalex_ua
Alixen, and lastly, do you plan to fill EventID as I suggested above?
This can be very useful for simple construction of triggers, as it includes both the Severity and Facility parameter values in one numeric.
Of course, after the closing of my simple feature request https://support.zabbix.com/browse/ZBXNEXT-448

heh... I have not seen more quoted topics than this one in the entire forum
                            Yes !
                            It will be a simple modification.

                            Regards,
                            Alixen
                            http://www.alixen.fr/zabbix.html


                            • whisky
                              Junior Member
                              • Jul 2008
                              • 14

                              #15
                              Originally posted by alixen
                              Hi zalex_ua and whisky,

                              I have just released v0.2 of zbxlog (http://www.alixen.org/attachments/do...bxlog-r0.2.tgz)

                              great work thanks again for your time.

                              .......


                              However, I would like to avoid the use of an auxiliary configuration file. The more we can do through Web GUI, the better.
This last sentence makes me think that we are perhaps not talking about the same place of zbxlog in an architecture: for me it is on a client machine that this process takes place, so the added configuration burden (and I admit a mismatch could happen here; your goal is of higher quality here).

That's also why it's important to choose a different item for filtering/transforming those events and keep the Zabbix server configuration untouched (except for the added severity levels, to be conformant with industry standards).

The transformation is important because you can then do some site-specific configuration mapping, since those site settings differ, while the need for logs and triggers could be the same on the Zabbix server.
