One of the many other things Zabbix can do is monitor log files. In this recipe, we will show you how to test your log files with Zabbix for certain patterns.
For this recipe, we need a Zabbix server with an agent installed on the server and configured. We also need Zabbix super administrator access.
Let's say we want to monitor the /var/log/messages file on our OS.

# ll /var/log/messages
-rw-------. 1 root root 324715 Jan 20 18:54 /var/log/messages

root has read and write access to this file.

adm; then later we can give this group access to our log file:

# usermod -a -G adm zabbix
# chmod g+r /var/log/messages

adm:

# chgrp adm /var/log/messages

/var/log/messages file:

# ll /var/log/messages
-rw-r-----. 1 root adm 327617 Jan 20 19:11 /var/log/messages

Errors in /var/log/messages.
Zabbix agent (active) as Type.
log[/var/log/messages,error].
Log.
1.

# logger error

{<template or server>:log[/var/log/messages,error].logsource(error)}=0

so that you get notifications when we get errors in the /var/log/messages file.

SELinux could be messing with you; so make sure to temporarily disable SELinux to make sure that this is not the problem. In case it is, a rule should be created for this.
The problem with logfile monitoring is that entries in log files do not have a status. If an entry in the log file indicates an error, there is usually no entry indicating that the error has been corrected. So in this case, the trigger will always retain the status error. We have to force Zabbix to update the status and this can be done with the nodata() function. In this case, we have to rewrite our previous trigger like this:
{<template or host>:log[/var/log/messages,error].nodata(300)}=0
In this case, we get an alarm when there is an error in the log file and Zabbix will reset its status after 120 seconds.
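To see how the nodata(300) trigger behaves over time, the following added example (Python, not part of the original recipe or of Zabbix itself) replays constructed syslog lines through the same error pattern and reports the trigger state at several moments. It assumes each line reaches the server at its syslog timestamp; the function names and the year 2015 are illustrative.

```python
import re
from datetime import datetime, timedelta

PATTERN = re.compile(r"error")     # regexp from log[/var/log/messages,error]; case-sensitive
NODATA = timedelta(seconds=300)    # window from nodata(300)

# Constructed sample lines in syslog format (not taken from a real host).
SAMPLE = """\
Jan 20 19:00:05 host1 sshd[912]: Server listening on 0.0.0.0 port 22.
Jan 20 19:01:10 host1 root: error
Jan 20 19:03:40 host1 kernel: EXT4-fs error (device sda1): bad block
Jan 20 19:04:00 host1 app[77]: Error: capitalised, so the regexp misses it
"""

def matching_arrivals(text, year=2015):
    """Timestamps of the lines the log item would store (only matching lines are kept).

    Assumption: the agent reads each line as it is written, so the syslog
    timestamp stands in for the time the value reaches the server.
    """
    out = []
    for line in text.splitlines():
        if PATTERN.search(line):
            out.append(datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S"))
    return out

def trigger_state(arrivals, now):
    """PROBLEM while nodata(300) is 0, i.e. a matching line arrived in the last 300 s."""
    recent = any(timedelta(0) <= now - t < NODATA for t in arrivals)
    return "PROBLEM" if recent else "OK"

def recovery_time(arrivals):
    """Earliest moment the trigger can return to OK: 300 s after the last match."""
    return max(arrivals) + NODATA if arrivals else None

if __name__ == "__main__":
    seen = matching_arrivals(SAMPLE)
    for hhmmss in ("19:00:30", "19:02:00", "19:06:30", "19:08:41"):
        now = datetime.strptime(f"2015 Jan 20 {hhmmss}", "%Y %b %d %H:%M:%S")
        print(hhmmss, trigger_state(seen, now))
    print("recovers at", recovery_time(seen))
```

Each new matching line restarts the 300-second window, and the capitalised "Error" line never reaches the trigger because the pattern is case-sensitive.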
If your log files are rotated by logrotate, monitoring them is still very much possible with Zabbix, except that we have to use the logrt item key instead of log.
Zabbix can look in files for certain keywords; for this, Zabbix needs to have read permissions on those files. In this example, we added Zabbix to the adm group. Then we added our log file to this group and gave the group read permissions. Now by creating the proper item, Zabbix was able to look into the file for our keyword error. With the logger command, we were able to send the word error to our log file and Zabbix picked it up.
Later we saw how it was possible to create the correct trigger for this, and what the possible problem could be with the entry not having a status. To solve this problem, we made use of the nodata function. This function makes it possible for Zabbix to monitor our log file and reset its status back to normal if no new errors were received for 300 seconds. Of course, in this case you need to be sure that Zabbix is configured to send email, SMS, and so on; otherwise there is a chance that you will not get any notification about the error.
https://www.zabbix.com/documentation/2.4/manual/config/items/itemtypes/log_items.