log monitoring with zabbix

3

1

I'm trying to monitor a log file and to get alerts based on regular expression.

Using Zabbix 2.4.5.

This is the log item that I created:

[screenshot: item]

And this is the trigger:

[screenshot: trigger]

As you can see, I created the item as Zabbix agent (Active) as required, and it is properly enabled. But I still don't get any alerts for the log messages I'm searching for.

[screenshot: monitor]

Any ideas?

ufk

Posted 2015-08-16T09:43:25.327

Reputation: 1 055

Answers

2

A better alternative for you will be to use a specialized plugin instead. Zabbix, like many other modern monitoring applications, allows users to implement custom plugins. In your case, the custom plugin you need will be a tool that was built specifically to check, monitor and alert on log files.

An example of such a tool is autoresolve.kl.sh.

The installation procedure is simple:

  1. Log into the host on which you have log files to monitor
  2. wget (the-url-link-of-zip-file-of-autoresolve.kl.sh)
  3. cd /tmp ; unzip (the-downloaded-zip-file)
  4. ./install.sh /var/tmp/KINGLAZY/SHIELDX-autoresolve.kl.sh /home/jserver -force

Replace '/home/jserver' with your Zabbix plugins directory. Also, make sure to run the preceding installation commands as an ordinary user, not root, unless you're testing.

Once the above steps are complete, you can begin monitoring logs:

./autoresolve.kl.sh localhost /var/tmp/logXray,fixer,0n-1y-2y,0-uname,1-who,2-uptime autonda /var/log/syslog 60m 'app.*error' '.' 1 2 app_err_monitor -ndshow

To keep things simple, the most important parameters you'll need to change are:

  1. /var/log/syslog - This is the log file you're monitoring
  2. app.*error - This is the string you're looking for in the log file
  3. app_err_monitor - This is the name/tag that you're assigning to this particular log check. Later, if you wish, this tag can be used to help you generate graphs on the monitored log.

For a detailed explanation on what each parameter means, you can visit the help page directly.

On the same help page, you'll also find step-by-step instructions on how to get this tool to work with Zabbix, i.e. what Zabbix configuration file you need to update and what settings you need to have on the Zabbix web interface.

SimplifiedWork

Posted 2015-08-16T09:43:25.327

Reputation: 36

4

Make sure that in the agent configuration file on the monitored host:

  1. The 'Hostname' parameter matches the host name in the frontend.
  2. Servers in the 'ServerActive' parameter are specified for the processing of active checks.

Example:

/etc/zabbix/zabbix_agentd.conf:

Hostname=game.bingodrive.com
ServerActive=10.1.1.1

Then check if the zabbix Unix user has access to read the file:

# su - zabbix -c "tail $YOUR-FILE"

Note that the "regexp" trigger function returns true (1) if the string was found, so if the message on the second screenshot is an error, there should be =1, not =0.

Vladimir

Posted 2015-08-16T09:43:25.327

Reputation: 71

Thank you for your response, I changed the regex to result to eq 1. I don't have a zabbix executable in my monitored host. What do I do? – ufk – 2015-08-23T06:23:31.130

You will not have "zabbix" executable on your host. "su - zabbix -c …" is just command to help you check if zabbix agent has the permission to read the file. – Vladimir – 2015-08-23T08:09:38.533

Ahh, oops, you are right. Anyway, I checked and the zabbix user has access to that log file. – ufk – 2015-08-25T08:55:20.273

Well, then check if your log monitor item is not in unsupported state. – Vladimir – 2015-08-25T10:19:57.393

su - zabbix -c "tail $YOUR-FILE" does not work for user without shell. You could use runuser -u zabbix tail $YOUR-FILE for this. – user3132194 – 2018-10-10T11:49:46.863

1

For Zabbix monitoring of UNIX logfiles with the log items, it is crucial that the host in question can utilize active checks. This generally means that:

  1. The agent must be configured with ServerActive= and the hostname of the Zabbix server or proxy that you are using with this host.

  2. The Zabbix-server configured hostname matches the FQDN or system hostname of the target (monitored) host.

  3. Or, if that is not the case, that the agent be configured with HOSTNAME= and the corresponding Zabbix-server configured hostname.

  4. As pointed out by others, the agent (running as the Zabbix user) must have access to the log file, su zabbix -c "tail -1 logfile" is a good way to test this. If the zabbix account is disabled, use runuser -u zabbix tail -1 logfile. (replace logfile with the file to be monitored).

When you restart the agent, check its logfile for any error messages such as

no active checks on server [127.0.0.1:10051]: host [Zabbix server] not found

This indicates a misconfiguration of the type above.

If on the server you see "NOT SUPPORTED" for this item, it might be a problem with file permissions.

If you still don't see your messages, it's possible that there are too many messages being sent. By default, Zabbix will send only 100 or so per second, and it will only "catch up" every 30 seconds (see your item).

You have configured your trigger to look only at the last item (regexp(...,#1)). I think this is correct, but normally you just omit the ,#1.

EDIT: Replaced sudo with runuser. See comments

Otheus

Posted 2015-08-16T09:43:25.327

Reputation: 350

Sudo is in an optional package. It is better to use runuser -u zabbix tail $YOUR-FILE. – user3132194 – 2018-10-10T11:51:11.387
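As an added example (not code from any of the answers above, nor from Zabbix itself), here is a POSIX shell pre-flight script that encodes the checks Vladimir and Otheus describe: ServerActive and Hostname in zabbix_agentd.conf, the "host [...] not found" refusal in the agent log, and whether the agent's user can read the monitored file. The config paths, host names, addresses and log line it uses are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for Zabbix active log items (added example, not Zabbix code).
# It encodes the checks from the answers: ServerActive/Hostname in the agent
# config, the "host [...] not found" refusal in the agent log, and whether the
# agent's user can read the monitored file. Paths and host names are assumptions.

# Print the effective (last uncommented) value of key $2 in config file $1.
conf_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d ' \t'
}

# $1 = agent config, $2 = host name as it appears in the Zabbix frontend.
# Prints one line per problem; returns non-zero if any problem was found.
check_agent_conf() {
    conf="$1"; expected="$2"; rc=0
    sa=$(conf_value "$conf" ServerActive)
    hn=$(conf_value "$conf" Hostname)
    if [ -z "$sa" ]; then
        echo "ServerActive is unset: log items are active checks and will never be requested"; rc=1
    fi
    if [ -z "$hn" ]; then
        echo "Hostname is unset: the agent will send the system hostname, which must exist in the frontend"; rc=1
    elif [ "$hn" != "$expected" ]; then
        echo "Hostname '$hn' does not match the frontend host '$expected'"; rc=1
    fi
    return $rc
}

# Count "host [...] not found" refusals in agent log $1 (0 when none).
count_host_not_found() {
    grep -c 'no active checks on server .*: host \[.*\] not found' "$1" || true
}

# Can user $1 (normally zabbix) read file $2? Needs root to switch user;
# runuser works even when the zabbix account has no login shell.
log_readable_by() {
    runuser -u "$1" -- test -r "$2"
}

# --- constructed sample input (fictitious hosts and addresses) ---
tmp=$(mktemp -d)
printf 'Server=10.1.1.1\n# ServerActive=10.1.1.1\nHostname=web01.example.test\n' > "$tmp/bad.conf"
printf 'Server=10.1.1.1\nServerActive=10.1.1.1\nHostname=web01.example.test\n' > "$tmp/good.conf"
printf '  1234:20150816:094325.327 no active checks on server [10.1.1.1:10051]: host [web01] not found\n' > "$tmp/agent.log"

check_agent_conf "$tmp/good.conf" web01.example.test && echo "good.conf: OK"
check_agent_conf "$tmp/bad.conf" web01.example.test || echo "bad.conf: fix the lines above"
echo "agent log: $(count_host_not_found "$tmp/agent.log") host-not-found refusal(s)"
```

Run it as root on the monitored host to also use log_readable_by zabbix /var/log/syslog; the sample files only exercise the config and log parsing.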