Monitoring rsyslog instances with Zabbix.
Zabbix server 3.0.8 with LLD output as follows:
~# /etc/zabbix/scripts/rsyslog-discovery.sh fwd
{ "data" : [
{ "{#SVC}" : "rsyslog-lin", "{#INST}" : "lin", "{#STATSFILE}" : "/chroot/loglin/var/log/lin/rsyslog-lin.stats", "{#FWDNAME}" : "SIEMEP1", "{#FWDPROTO}" : "tcp", "{#FWDHOST}" : "10.1.x.y", "{#FWDPORT}" : "6514" },
{ "{#SVC}" : "rsyslog-net", "{#INST}" : "net", "{#STATSFILE}" : "/chroot/lognet/var/log/net/rsyslog-net.stats", "{#FWDNAME}" : "STRMEP1", "{#FWDPROTO}" : "tcp", "{#FWDHOST}" : "10.1.c.d", "{#FWDPORT}" : "6514" },
{ "{#SVC}" : "rsyslog-net", "{#INST}" : "net", "{#STATSFILE}" : "/chroot/lognet/var/log/net/rsyslog-net.stats", "{#FWDNAME}" : "LOGSTASH2", "{#FWDPROTO}" : "tcp", "{#FWDHOST}" : "10.1.a.b", "{#FWDPORT}" : "1514" },
{ "{#SVC}" : "rsyslog-net", "{#INST}" : "net", "{#STATSFILE}" : "/chroot/lognet/var/log/net/rsyslog-net.stats", "{#FWDNAME}" : "SIEMEP1", "{#FWDPROTO}" : "tcp", "{#FWDHOST}" : "10.1.x.y", "{#FWDPORT}" : "6514" }
] }
The trigger is defined in the template with:
NAME: {#SVC} queue for {#FWDNAME} peak increase on {HOSTNAME}
EXP: {rsyslog_instances_t:rsyslog.diffqueue[{#INST},{#FWDNAME}].sum(5m)}>1000 and {rsyslog_instances_t:rsyslog.diffqueue[{#INST},{#FWDNAME}].count(5m,0,"gt")}>0 and ({rsyslog_instances_t:rsyslog.diffqueue[{#INST},{#FWDNAME}].last()}>({rsyslog_instances_t:rsyslog.diffqueue[{#INST},{#FWDNAME}].sum(5m)}/{rsyslog_instances_t:rsyslog.diffqueue[{#INST},{#FWDNAME}].count(5m,0,"gt")}) and {rsyslog_instances_t:net.tcp.port[{#FWDHOST},{#FWDPORT}].count(5m,0,"le")}=0)
Generated trigger after discovery:
NAME: rsyslog-net queue for SIEMEP1 peak increase on {HOSTNAME}
EXP: {server.domain.com:rsyslog.diffqueue[lin,SIEMEP1].sum(5m)}>1000 and {server.domain.com:rsyslog.diffqueue[lin,SIEMEP1].count(5m,0,"gt")}>0 and ({server.domain.com:rsyslog.diffqueue[lin,SIEMEP1].last()}>({server.domain.com:rsyslog.diffqueue[lin,SIEMEP1].sum(5m)}/{server.domain.com:rsyslog.diffqueue[lin,SIEMEP1].count(5m,0,"gt")}) and {server.domain.com:net.tcp.port[10.1.x.y,6514].count(5m,0,"le")}=0)
It seems to be caused by the item defined with:
NAME: rsyslog:fwd:{#FWDHOST}:{#FWDPORT}:available
KEY: net.tcp.port[{#FWDHOST},{#FWDPORT}]
This means the item is "shared" by two LLD objects.
Discovery reports error:
Cannot create item: item with the same key "net.tcp.port[10.1.x.y,6514]" already exists.
The "rsyslog-lin" triggers that use the net.tcp.port key are not created at all, and the colliding "rsyslog-net" trigger is messed up; the others are OK.
How can I solve or work around this issue?
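
Added example (not part of the original post and not Zabbix code): a check that expands each item key prototype against the LLD rows shown in the post and reports every key produced by more than one row, which is the condition behind the "item with the same key ... already exists" error. The function names are hypothetical; the rows are copied from the post with the macros the two prototypes do not use dropped.

```python
import json
import re
from collections import defaultdict

# LLD rows from the discovery output in the post (addresses are masked there too).
LLD_JSON = """
{ "data" : [
 { "{#SVC}" : "rsyslog-lin", "{#INST}" : "lin", "{#FWDNAME}" : "SIEMEP1", "{#FWDHOST}" : "10.1.x.y", "{#FWDPORT}" : "6514" },
 { "{#SVC}" : "rsyslog-net", "{#INST}" : "net", "{#FWDNAME}" : "STRMEP1", "{#FWDHOST}" : "10.1.c.d", "{#FWDPORT}" : "6514" },
 { "{#SVC}" : "rsyslog-net", "{#INST}" : "net", "{#FWDNAME}" : "LOGSTASH2", "{#FWDHOST}" : "10.1.a.b", "{#FWDPORT}" : "1514" },
 { "{#SVC}" : "rsyslog-net", "{#INST}" : "net", "{#FWDNAME}" : "SIEMEP1", "{#FWDHOST}" : "10.1.x.y", "{#FWDPORT}" : "6514" }
] }
"""

MACRO = re.compile(r"\{#[A-Z0-9_.]+\}")


def expand(prototype, row):
    """Substitute LLD macros in a key prototype; unknown macros stay as written."""
    return MACRO.sub(lambda m: row.get(m.group(0), m.group(0)), prototype)


def key_collisions(prototype, rows):
    """Map each expanded key to its source rows, keeping only keys with >1 row."""
    seen = defaultdict(list)
    for row in rows:
        seen[expand(prototype, row)].append(row)
    return {key: owners for key, owners in seen.items() if len(owners) > 1}


def check(prototypes, lld_json=LLD_JSON):
    """Return {prototype: collisions} for every key prototype given."""
    rows = json.loads(lld_json)["data"]
    return {proto: key_collisions(proto, rows) for proto in prototypes}


if __name__ == "__main__":
    # The two key prototypes that appear in the post's template.
    result = check(["rsyslog.diffqueue[{#INST},{#FWDNAME}]",
                    "net.tcp.port[{#FWDHOST},{#FWDPORT}]"])
    for proto, dups in result.items():
        if not dups:
            print(f"OK        {proto}")
        for key, owners in dups.items():
            names = ", ".join(f'{r["{#SVC}"]}/{r["{#FWDNAME}"]}' for r in owners)
            print(f"COLLISION {key} <- {names}")
```

Running the same check against a candidate key prototype before changing the template shows whether it expands to a distinct key for every discovered row.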