monitoring /var/log/messages, time settings

  • mitch2k
    Junior Member
    • Mar 2018
    • 14

    #1

    monitoring /var/log/messages, time settings

    Hi,

    I want to monitor /var/log/messages, so I added a key log["/var/log/messages"]. However, I'm struggling to get the correct timestamps. The contents of the logs are like this:

    Code:
    Nov  4 07:58:22 bezaweb03 systemd: Removed slice User Slice of root.
    Nov  4 07:58:22 bezaweb03 systemd: Stopping User Slice of root.
    Nov  4 07:58:25 bezaweb03 pure-ftpd: ([email protected]) [INFO] New connection from 127.0.0.1
    Nov  4 07:58:25 bezaweb03 pure-ftpd: ([email protected]) [INFO] Logout.
    Nov  4 07:58:55 bezaweb03 pure-ftpd: ([email protected]) [INFO] New connection from 127.0.0.1
    Nov  4 07:58:55 bezaweb03 pure-ftpd: ([email protected]) [INFO] Logout.
    I believe I can't parse 'Nov 4', so I am trying to parse only the time with this: ppppppph:m:sp

    However it's not displaying with the correct timestamp:
    2018-11-05 14:29:10 Nov 4 17:50:01 bezaweb03 systemd: Started Session c27280 of user root.

    Any suggestions to properly parse those logs?

    Thanks
  • ingus.vilnis
    Senior Member
    Zabbix Certified Trainer
    Zabbix Certified Specialist, Zabbix Certified Professional
    • Mar 2014
    • 908

    #2
    If you have the update interval for the item set to 1s and have both the Zabbix server and the one you monitor in the same time zone, then you will see the real time the event happened anyway. Normally there is no need to parse the log time unless it really is supposed to differ from the Zabbix server's time.

    Oh, and if you read the log from the beginning (not using the "skip" parameter in the item to not read the lines older than the point of creation of the item), then obviously for the older entries there will be a mismatch. But not after the whole log has been sent to Zabbix; then the timestamps should match.

    But agreed that these "human readable" time formats in logs are horrible from Zabbix's point of view for exactly this very reason. And even if it were able to parse the date and month, what should Zabbix's decision on the year be? The current year, I would suppose, but there could be so many edge cases where the year is different etc.

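The year question raised in reply #2, as an added example that is not part of the original thread and not Zabbix code: a Python sketch that recovers the event time from a year-less syslog line by choosing the most recent year that does not put the event after the time the line was collected. The function name `resolve_syslog_time` and the one-day `max_future` clock-skew tolerance are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def resolve_syslog_time(line, collected_at, max_future=timedelta(days=1)):
    """Return the event time of a 'Mon dd hh:mm:ss host ...' log line.

    The line carries no year, so take the most recent year that does not
    place the event more than max_future after collected_at (assumed to be
    the collector's local time, in the same time zone as the log).
    """
    mon, day, clock = line.split(None, 3)[:3]
    hour, minute, second = (int(part) for part in clock.split(":"))
    # Try next year first (small clock skew across New Year), then walk
    # back far enough to reach a leap year for 'Feb 29' lines.
    for year in range(collected_at.year + 1, collected_at.year - 9, -1):
        try:
            candidate = datetime(year, MONTHS[mon], int(day),
                                 hour, minute, second)
        except ValueError:  # Feb 29 in a non-leap year
            continue
        if candidate <= collected_at + max_future:
            return candidate
    raise ValueError("no plausible year for: " + line)


if __name__ == "__main__":
    # First sample is the line quoted in post #1 with its collection time;
    # the remaining lines are constructed edge cases.
    samples = [
        ("Nov  4 17:50:01 bezaweb03 systemd: Started Session c27280 of user root.",
         datetime(2018, 11, 5, 14, 29, 10)),
        ("Dec 31 23:59:58 host app: written before midnight",  # constructed
         datetime(2019, 1, 1, 0, 0, 5)),
        ("Feb 29 12:00:00 host app: old entry read from start",  # constructed
         datetime(2021, 3, 1, 9, 0, 0)),
    ]
    for line, collected_at in samples:
        event = resolve_syslog_time(line, collected_at)
        print(event.isoformat(), "lag:", collected_at - event)
```

The printed lag is the gap between collection time and event time, which is the mismatch reply #2 describes when an existing log is read from the beginning.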