Ad Widget

**andris** · 30-08-2016, 10:18

Hi!

Code:

 ... process_logrt() old file list:
 ...    nr:0 filename:'D:\Zabbix\log.log' mtime:1472505260 size:92 processed_size:87 seq:0 incomplete:1 ...
 ... process_logrt() new file list: (mtime:0 lastlogsize:87 start_idx:0)
 ...    nr:0 filename:'D:\Zabbix\log.log' mtime:1472505260 size:92 processed_size:87 seq:0 incomplete:1 ...

From this log file fragment it seems to me that:
- Zabbix agent processed the first 87 bytes of the log file,
- then you appended a "teste" string into log file,
- the log file size increased to 92 bytes,
- BUT there is no newline (neither CR, nor LF, nor CRLF) characters at the end of "teste" string.

So, Zabbix agent sees it as an incomplete string (note "incomplete:1") and waits until the string will be completed with the newline character.
That is by design to avoid analyzing incomplete strings.

**evertonalex** · 30-08-2016, 15:29

Hi, thanks by reply.

I changed my log file to:

Code:

hdjkasdjkas
teste
djkashdjasd
djkashdjkaksda]
djalksdljkashdl
hjdkashjkdas
hjdashkdkas
djaskljdlkasjd

Now, I get a fail in log (need_meta_update: FAIL)

Code:

  2508:20160830:100903.126 End of collect_perfstat()
  8884:20160830:100903.949 In send_buffer() host:'10.26.230.151' port:10051 entries:0/100
  8884:20160830:100903.949 End of send_buffer():SUCCEED
  2508:20160830:100904.127 In collect_perfstat()
  2508:20160830:100904.130 End of collect_perfstat()
  8884:20160830:100904.951 In send_buffer() host:'10.26.230.151' port:10051 entries:0/100
  8884:20160830:100904.951 End of send_buffer():SUCCEED
  8884:20160830:100904.952 In process_active_checks() server:'10.26.230.151' port:10051
  8884:20160830:100904.952 In process_logrt() is_logrt:0 filename:'D:\Zabbix\log.log' lastlogsize:112 mtime:0
  8884:20160830:100904.953 In add_logfile() filename:'D:\Zabbix\log.log' mtime:1472561751 size:112
  8884:20160830:100904.953 add_logfile() logfiles:000000000197B770 logfiles_alloc:64
  8884:20160830:100904.953 End of add_logfile()
  8884:20160830:100904.955 log files reside on 'NTFS' file system
  8884:20160830:100904.955 setup_old2new: is_same_file(D:\Zabbix\log.log, D:\Zabbix\log.log) = 1
  8884:20160830:100904.955 process_logrt() old file list:
  8884:20160830:100904.956    nr:0 filename:'D:\Zabbix\log.log' mtime:1472561751 size:112 processed_size:112 seq:1 incomplete:0 dev:3658511862 ino_hi:0 ino_lo:868350303152376292 md5size:112 md5buf:1a7a54d139b6430bace25afcf4bbbbc4
  8884:20160830:100904.956 process_logrt() new file list: (mtime:0 lastlogsize:112 start_idx:0)
  8884:20160830:100904.957    nr:0 filename:'D:\Zabbix\log.log' mtime:1472561751 size:112 processed_size:112 seq:1 incomplete:0 dev:3658511862 ino_hi:0 ino_lo:868350303152376292 md5size:112 md5buf:1a7a54d139b6430bace25afcf4bbbbc4
  8884:20160830:100904.957 End of process_logrt():SUCCEED
  8884:20160830:100904.957 In need_meta_update() key:log["D:\Zabbix\log.log","teste",,1]
  8884:20160830:100904.958 End of need_meta_update():FAIL
  8884:20160830:100904.958 End of process_active_checks()
  8884:20160830:100904.958 In get_min_nextcheck()
  8884:20160830:100904.958 End of get_min_nextcheck():1472562574
  2508:20160830:100905.132 In collect_perfstat()
  2508:20160830:100905.135 End of collect_perfstat()
  8884:20160830:100905.960 In send_buffer() host:'10.26.230.151' port:10051 entries:0/100
  8884:20160830:100905.961 End of send_buffer():SUCCEED
  2508:20160830:100906.136 In collect_perfstat()

But, in Monitoring->Lastest Data, no data is found: file attachament.

Attached also, the configuration screen of my item.

I need that when the word "teste" is found, an alert is displayed on zabbix

**andris** · 30-08-2016, 15:46

Code:

  8884:20160830:100904.955 process_logrt() old file list:
  8884:20160830:100904.956    nr:0 filename:'D:\Zabbix\log.log' mtime:1472561751 size:112 processed_size:112 seq:1 incomplete:0 dev:3658511862 ino_hi:0 ino_lo:868350303152376292 md5size:112 md5buf:1a7a54d139b6430bace25afcf4bbbbc4
  8884:20160830:100904.956 process_logrt() new file list: (mtime:0 lastlogsize:112 start_idx:0)
  8884:20160830:100904.957    nr:0 filename:'D:\Zabbix\log.log' mtime:1472561751 size:112 processed_size:112 seq:1 incomplete:0 dev:3658511862 ino_hi:0 ino_lo:868350303152376292 md5size:112 md5buf:1a7a54d139b6430bace25afcf4bbbbc4
  8884:20160830:100904.957 End of process_logrt():SUCCEED
  8884:20160830:100904.957 In need_meta_update() key:log["D:\Zabbix\log.log","teste",,1]
  8884:20160830:100904.958 End of need_meta_update():FAIL

First, "need_meta_update():FAIL" is not bad, it just shows that the agent does not need to send new meta information to server because nothing has changed (e.g. file size).
Second, this log file fragment shows that nothing has changed - size is 112 bytes in both old and new file list, processed_size is also 112 bytes in both lists.
You may want to look at earlier records, just after the moment you wrote "teste" into log - then you can see was it sent to server.

**evertonalex** · 30-08-2016, 18:33

Hi Andris, thanks very much. The log works!!!

Now, I need dont't 'check only one file. My SharePoint log has many files. A new log file is created every 30 minutes, as shown below. how can I check the files with this structure?

Other question: Can I create an item that search more than one word? For example, log ["D:\Zabbix\log.log", "error" or "login failed" or "test1"].

Last Question: Can I create a trigger that is activated when the word "error" appears 3 times in the log file?

Thank you!
Everton

**andris** · 30-08-2016, 18:50

Hi, Evertonalex!

Now, I need dont't 'check only one file. My SharePoint log has many files. A new log file is created every 30 minutes, as shown below. how can I check the files with this structure?

Other question: Can I create an item that search more than one word? For example, log ["D:\Zabbix\log.log", "error" or "login failed" or "test1"].

For log files with changing names or rotation use logrt[] instead of log[].
Try something like this:
logrt["D:\SharePoint\^TST-SPS-04-.*$", "error|login failed|test1"].

(I didn't test it, there may be mistakes, see https://www.zabbix.com/documentation...ypes/log_items)

**evertonalex** · 30-08-2016, 20:35

Andris, Thank you so much!!!

About the question "Can I create a trigger that is activated when the word "error" appears 3 times in the log file?" It's possible?

For Example:

Code:

line 1 - dklasjkldjas
line 2 - djaskdjaskl
line 3 - error
line 4 - dhsajkdas
line 5 - error
line 6 - djkadasdsa
line 7 - error
line 8 - dhajskdaks

Only when the word "error" occours 3 times (line 7), for example, I would like that a notification on Zabbix (or by email). Is it possible?

Thanks
Everton

**andris** · 30-08-2016, 23:27

See https://www.zabbix.com/forum/showthread.php?t=48116, there is something very similar.
logrt[] does not track from which rotated log file the value came - it may happen that the last lines of old file and the first lines of new log file are analyzed in one check.
logrt[] tries hard to ensure correct order of analyzing rotated log files.
Probably it is ok to activate trigger not when the word "error" occurrs 3 times in a log file but when it occurrs 3 times within last 30 minutes.

Ad Widget

Monitoring Log File with Zabbix

Monitoring Log File with Zabbix

Comment

Comment

Comment

Comment

Comment

Comment

Comment