Ad Widget

**tchjts1** · 26-09-2014, 17:40

7th position of your item key should be "skip". That will skip old data.
For example, this is my item key for eventlog monitoring:

Code:

eventlog[System,,,,,,skip]

**imigs** · 26-09-2014, 17:48

Thank you! I previously saw [mode] options but didn't find description about it. I will try this setting on Monday but probably this will work, once again, thank you for the help.

**imigs** · 29-09-2014, 09:34

Today I tried your solution, I recreated the item and it looks like this:

Code:

eventlog[Security,,"Warning|Error",,,,skip]

When I restart the agent, I get no data, but Zabbix agent shows everything as SUCCEED:

Code:

 13884:20140929:094806.790 In refresh_active_checks() host:'X.X.X.X' port:10051
 13884:20140929:094806.793 sending [{"request":"active checks","host":"XXXXXXXX"}]
 13884:20140929:094806.795 before read
 13884:20140929:094806.797 got [{"response":"success","data":[{"key":"eventlog[Security,,\"Warning|Error\",,,,skip]","delay":30,"lastlogsize":0,"mtime":0}]}]
 13884:20140929:094806.799 In parse_list_of_checks()
 13884:20140929:094806.801 In disable_all_metrics()
 13884:20140929:094806.804 In add_check() key:'eventlog[Security,,"Warning|Error",,,,skip]' refresh:30 lastlogsize:0 mtime:0
 13884:20140929:094806.806 End of add_check()
 13884:20140929:094806.809 End of refresh_active_checks():SUCCEED
 13884:20140929:094806.810 In process_active_checks() server:'X.X.X.X' port:10051)
 13884:20140929:094806.813 In initialize_eventlog6() source:'Security' previous lastlogsize:0
 13884:20140929:094806.814 In zbx_open_eventlog6()
 13884:20140929:094806.817 End of zbx_open_eventlog6():SUCCEED FirstID:1774 LastID:26407 numIDs:24633
 13884:20140929:094806.819 In zbx_get_handle_eventlog6(), previous lastlogsize:0
 13884:20140929:094806.821 End of zbx_get_handle_eventlog6():SUCCEED
 13884:20140929:094806.823 End of initialize_eventlog6():SUCCEED
 13884:20140929:094806.825 In process_eventlog6() source: 'Security' previous lastlogsize: 0, FirstID: 1774, LastID: 26407
 13884:20140929:094806.827 skipping existing data: lastlogsize:26406
 13884:20140929:094806.829 End of process_eventlog6():SUCCEED
 13884:20140929:094806.831 In finalize_eventlog6()
 13884:20140929:094806.833 End of finalize_eventlog6():SUCCEED
 13884:20140929:094806.835 End of process_active_checks()

When I use item without skip:

Code:

eventlog[Security,,"Warning|Error"]

the data shows correctly but of course then I'm getting my problem which I posted in my first post.

What am I doing wrong?

**ingus.vilnis** · 30-09-2014, 09:24

Hi,

Well maybe you get no data just because there are no warning or error entries in the log file after enabling the item (with skip) and restarting the agent?

Try creating one error event in windows log and see if that works.

Best Regards,
Ingus

**imigs** · 01-10-2014, 14:01

But why then warning messages are created when on items I'm using mode- all or just not specifying the mode type?

I tried creating event but it doesn't do any good- just blank(-) and no errors are shown.

Update:
I created two items, one with a mode-skip and another with a mode-all and as I understand, mode- all, gives all the data which are located on a log file and reloads all the data when agent/host has been restarted. Mode-skip, loads only today's events and nothing more or less and also it doesn't reload all the log file data after agent/host restart. Am I correct? If I am, then please tell me how to get all the old data and also "skip" feature in one item, that is, I want to get item which logs all the data located on log file and do not reload all the data after each agent/host restart?

**imigs** · 09-10-2014, 09:32

No one has any ideas?

**ingus.vilnis** · 09-10-2014, 10:08

Hi,

I will try to explain the feature of "skip".
Assume that your eventlog has entries from long time ago.
When you create a new eventlog item in Zabbix, "skip" sets a "pointer" in the log where it has been created. If I'm not mistaken, Zabbix stores a checksum of the file. When new entries are added to log, Zabbix remembers the last registered position and notifies you about the news even if the PC was shot down. (Skip has nothing to do with today's events.)

Now what you should do - disable all the duplicating Zabbix items and leave the one with "skip". And wait for events to appear.

I really still think that you don't get any results there just because the log has no new events since you created the item in Zabbix.

Best Regards,
Ingus

**imigs** · 17-10-2014, 09:21

Hm, it looks like it is working. Thank you.

Just one more thing, is it normal, that when I try to log every entry from /var/log/messages then if on host I try to restart Zabbix agent, it shows only entries with Zabbix agent being started and not logging the moment when Zabbix agents was stopped. Is it correct behavior?

Log file shows this:
hostX systemd[1]: Stopping LSB: ZABBIX agentd...
hostX zabbix-agentd[4106]: Shutting down zabbix agentd ..done
hostX systemd[1]: Starting LSB: ZABBIX agentd...
hostX zabbix-agentd[4116]: Starting zabbix agentd ..done
hostX systemd[1]: Started LSB: ZABBIX agentd.

Zabbix log file fetches only this:

hostX zabbix-agentd[4116]: Starting zabbix agentd ..done
hostX systemd[1]: Started LSB: ZABBIX agentd.

**ingus.vilnis** · 17-10-2014, 09:31

Hi,

I am glad you got the log monitoring sorted out now!

Regarding agent log - yes, that is how agent works now. The shutdown is not logged.

Best Regards,
Ingus

Ad Widget

Zabbix agent after restart is posting the same data in LOG item

Zabbix agent after restart is posting the same data in LOG item

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment