Documentation on value format for 'Log' type item

  • whisky
    Junior Member
    • Jul 2008
    • 14

    #1

    Documentation on value format for 'Log' type item

    When using the zabbix_sender key/value protocol,
    does someone know how to format the value for the 'Log' item type?

    Log items have local_time, source, severity, eventid and value
    properties.

    This is not documented.

    (Guess I'm going to look at the source ;-))
  • whisky
    Junior Member
    • Jul 2008
    • 14

    #2
    Originally posted by whisky
    When using the zabbix_sender key/value protocol,
    does someone know how to format the value for the 'Log' item type?

    Log items have local_time, source, severity, eventid and value
    properties.

    This is not documented.

    (Guess I'm going to look at the source ;-))
    To answer my own question after looking at the source:

    For log items, some other property values need to be added to the JSON 'data' hash:

    'timestamp' to hold the local machine timestamp (in epoch format)
    'source ' to hold the source value
    'eventid' to hold the eventid
    'severity' to hold the severity

    Notes:
    • there is an 'mtime' timestamp, but it seems to be linked to the throttling of log events
    • it is not clear what value is accepted for the severity; the field always shows 'Unknown'


    • whisky
      Junior Member
      • Jul 2008
      • 14

      #3
      Originally posted by whisky
      To answer my own question after looking at the source:

      ...
      • it is not clear what value is accepted for the severity; the field always shows 'Unknown'
      The value for the severity field is an int with the following mapping:

      EVENTLOG_SUCCESS,EVENTLOG_INFORMATION_TYPE: severity = 1;
      EVENTLOG_WARNING_TYPE: severity = 2;
      EVENTLOG_ERROR_TYPE: severity = 4;
      EVENTLOG_AUDIT_FAILURE: severity = 7;
      EVENTLOG_AUDIT_SUCCESS: severity = 8;


      • zalex_ua
        Senior Member
        Zabbix Certified Trainer
        Zabbix Certified Specialist, Zabbix Certified Professional
        • Oct 2009
        • 1286

        #4
        Originally posted by whisky
        When using the zabbix_sender key/value protocol,
        does someone know how to format the value for the 'Log' item type?

        Log items have local_time, source, severity, eventid and value
        properties.

        This is not documented.
        zabbix_sender does not support key/value for:
        'timestamp'
        'source '
        'eventid'
        'severity'

        And it's very interesting: what do you do with that? I use these fields in my scripts with a direct TCP connection, without using zabbix_sender. Some details here: https://support.zabbix.com/browse/ZBXNEXT-470


        • whisky
          Junior Member
          • Jul 2008
          • 14

          #5
          Originally posted by zalex_ua
          zabbix_sender does not support key/value for:
          'timestamp'
          'source '
          'eventid'
          'severity'

          And it's very interesting: what do you do with that? I use these fields in my scripts with a direct TCP connection, without using zabbix_sender. Some details here: https://support.zabbix.com/browse/ZBXNEXT-470
          I don't use zabbix_sender; I'm mimicking it and talking directly from Apache Camel to Zabbix using the same protocol zabbix_sender uses.

          Using this approach I could implement direct log entries from my Java server on a par with how I usually do logging. So I guess it would be trivial to trigger some alarm from Zabbix to escalate.


          • whisky
            Junior Member
            • Jul 2008
            • 14

            #6
            Originally posted by zalex_ua
            And it's very interesting: what do you do with that? I use these fields in my scripts with a direct TCP connection, without using zabbix_sender. Some details here: https://support.zabbix.com/browse/ZBXNEXT-470
            I second you on the severity classification as in RFC 3164:

            0 Emergency: system is unusable
            1 Alert: action must be taken immediately
            2 Critical: critical conditions
            3 Error: error conditions
            4 Warning: warning conditions
            5 Notice: normal but significant condition
            6 Informational: informational messages
            7 Debug: debug-level messages

            as it is more in line with the usage of filtering message verbosity while dealing with real alerts, so switching between production and debug is easy with a simple configuration change, with the running code unmodified.

            Also, I don't see the two audit severities, but I guess they concern the auto-discovery things that I haven't looked at.


            • alixen
              Senior Member
              • Apr 2006
              • 474

              #7
              Hi whisky,

              I am working on a syslog proxy that will forward syslog events to Zabbix using zabbix agent JSON format.

              The data format is described here: http://www.zabbix.com/documentation/...collected_data

              I have found that although it looks like JSON, there are some tricks. Especially, leading spaces are not spaces; they must be tabs.

              In case you are interested, I have attached Perl code that formats and sends syslog data to Zabbix.
              (This code is working; it is part of a program that has been collecting syslog messages from several systems during the last two weeks.)

              Hope this helps,
              Alixen
              Attached Files
              Last edited by alixen; 10-09-2010, 15:35. Reason: Added attachment Sender.pm after renaming it to Sender.pm.txt
              http://www.alixen.fr/zabbix.html


              • whisky
                Junior Member
                • Jul 2008
                • 14

                #8
                Originally posted by alixen
                Hi whisky,

                I am working on a syslog proxy that will forward syslog events to Zabbix using zabbix agent JSON format.

                The data format is described here: http://www.zabbix.com/documentation/...collected_data
                I used ngrep and the source code of the proxy to decipher it, along with the documentation, in order to understand the other fields pertaining to the "log type" events.

                Your proxy is interesting. I would like to have a similar one in Ruby, as I have a bunch of regexps to watch for, and the matches are organized like an FSM automaton to trigger a valid log entry into Zabbix.

                Having such a proxy would minimize the CPU needs, as it would run as a daemon and have all the regexp and launching stuff factorized on the client side, which has more power, instead of having Zabbix do the elementary RE match itself over and over.

                Originally posted by alixen
                I have found that although it looks like JSON, there are some tricks. Especially, leading spaces are not spaces; they must be tabs.

                In case you are interested, I have attached Perl code that formats and sends syslog data to Zabbix.
                (This code is working; it is part of a program that has been collecting syslog messages from several systems during the last two weeks.)

                Alixen
                Thanks, I will look at it.

                I use direct JSON Java object to JSON encoding, so I think there is no whitespace nor tab at all in the JSON I send to Zabbix, and it works well like this.

                I'm just wondering what the intended usages of the various fields (e.g. the EventID) are in real-case scenarios, and the Zabbix trigger usage for them. Do you have use cases for them in your Zabbix server usage?


                • alixen
                  Senior Member
                  • Apr 2006
                  • 474

                  #9
                  Hi,

                  AFAIK, EventID is specific to Windows logs.
                  I haven't found any equivalent for syslog messages.

                  Just in case, we have just released the full syslog proxy for Zabbix: http://www.zabbix.com/forum/showthread.php?t=19180

                  Regards,
                  Alixen
                  http://www.alixen.fr/zabbix.html
