Requirements: monitor the log file /data/app/app/logs/det.log. When the keyword bdrc_warning appears, raise an alarm with level Warning; when the keyword bdrc_eroror appears, raise an alarm with level Information.

Log monitoring principle
1. The Zabbix server and the Zabbix agent track the size and last modification time of the log file; these are recorded in the byte counter and the latest-time counter, respectively.
2. The agent starts reading the log from the place where it last stopped reading.
3. The byte counter and the latest-time counter are stored in the Zabbix database and sent to the agent, which ensures that the agent resumes reading from the last position.
4. When the log file size is less than the number in the byte counter, the byte counter is reset to 0 and the file is read from the beginning.
5. All files that match the configuration are monitored.
6. Multiple files in a directory are read in alphabetical order if their modification times are the same.
7. At each update interval, the agent checks the files in the directory.
8. There is a maximum number of log lines that the Zabbix agent sends per second, to keep network and CPU load from getting too high; it is set by MaxLinesPerSecond in zabbix_agentd.conf.

Item explanation for the log file
log[file,<regexp>,<encoding>,<maxlines>,<mode>,<output>,<maxdelay>]
file - the full path of the log file.
regexp - regular expression that filters the log lines.
encoding - character encoding; the default is the English single-byte character set (SBCS).
maxlines - the maximum number of lines the agent sends to the server (or proxy) per second; this overrides the 'MaxLinesPerSecond' parameter in the zabbix_agentd.conf configuration file.
mode - optional parameter: all (default) or skip (skip old data).
output - custom output format; by default the entire line matched by regexp is output. The escape character '\s' represents regexp.
maxdelay - the 'maxdelay' parameter in log items allows ignoring some older lines from log files in order to get the most recent lines analyzed within the 'maxdelay' seconds. (I could not translate this sentence accurately, so it is left in English.)
Note: I recommend using the second parameter. If you use only the first parameter, the entire contents of the log file are sent to the Zabbix server and recorded there. When the second parameter is added, only the filtered log content is passed to the Zabbix server, which greatly reduces the space the log content occupies.

Configuration adjustment on the monitored host: zabbix_agentd.conf
On the Zabbix client, configuring active mode is particularly important. Make the changes in /etc/zabbix/zabbix-agentd.conf:
LogFile=/tmp/zabbix_agentd.log
# Client agent mode; set to 0 to turn off passive mode
StartAgents=0
# If set to pure passive mode, this directive should be commented out
Server=**.**.**.**
# Server IP address for active mode
ServerActive=**.**.**.**
# Important: the client's hostname; generally the host's own IP is used
Hostname=test_host
# Interval at which the monitored host fetches the list of items from the server; the default of 120s is fine
RefreshActiveChecks=120
# Size of the buffer for monitoring data held on the monitored host
BufferSize=200
# Timeout
Timeout=10
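The byte-counter behaviour from the log monitoring principle, together with the skip mode and the maxlines cap from the item explanation, as an added example (not part of the original post and not Zabbix code). It is a simplified model: LogFollower, check and demo are names chosen here, the log lines are constructed, and the cap is applied per check rather than per second.

```python
import os
import re
import tempfile

class LogFollower:
    """Simplified model of the agent's byte counter and latest-time counter."""
    def __init__(self, path, regexp, maxlines=20, mode="all"):
        self.path, self.regexp, self.maxlines = path, re.compile(regexp), maxlines
        self.lastlogsize = 0   # byte counter: offset already processed
        self.mtime = 0.0       # latest-time counter
        if mode == "skip" and os.path.exists(path):
            self.lastlogsize = os.path.getsize(path)   # ignore old data

    def check(self):
        """One update interval: return the matching lines that would be sent."""
        st = os.stat(self.path)
        if st.st_size < self.lastlogsize:
            self.lastlogsize = 0       # file shrank: read from the beginning
        sent = []
        with open(self.path, "rb") as fh:
            fh.seek(self.lastlogsize)
            while len(sent) < self.maxlines:
                line = fh.readline()
                if not line.endswith(b"\n"):
                    break              # EOF or half-written line: retry later
                self.lastlogsize = fh.tell()
                text = line.decode("utf-8", "replace").rstrip("\r\n")
                if self.regexp.search(text):
                    sent.append(text)
        self.mtime = st.st_mtime
        return sent

def demo():
    """Constructed sample log; returns what each of four checks would send."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "det.log")
        with open(path, "w") as fh:
            fh.write("2017-08-22 09:00:00 bdrc_warning written before monitoring\n")
        agent = LogFollower(path, "bdrc_warning|bdrc_eroror", maxlines=2, mode="skip")
        results = [agent.check()]
        with open(path, "a") as fh:
            fh.write("2017-08-23 09:00:01 startup ok\n"
                     "2017-08-23 09:00:02 bdrc_warning queue full\n"
                     "2017-08-23 09:00:03 bdrc_eroror write failed\n"
                     "2017-08-23 09:00:04 bdrc_warning retrying\n")
        results += [agent.check(), agent.check()]
        with open(path, "w") as fh:    # log recreated, now smaller than counter
            fh.write("2017-08-24 00:00:01 bdrc_eroror after recreation\n")
        return results + [agent.check()]
```

The first check sends nothing because skip ignores the old line, the second stops at the two-line cap, the third picks up the remainder, and the fourth restarts from offset 0 after the file shrinks.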
Create a monitoring item
In the Zabbix web management interface, select the host to add monitoring items to.
Type: select Zabbix agent (active).
Key: log[/eric/error_log-20170724.log,"abc|yyy",,,skip,,]
The meaning of the key is given in the item explanation above.
Log time format: yyyy-MM-dd hh:mm:ss, meaning "year-month-day hour:minute:second".
Type: Zabbix agent (active).
Zabbix agent checks come in two forms, active (agent active) and passive (agent); both terms are defined from the agent's point of view. Briefly, the difference is:
Active: the agent requests the list of active monitoring items from the server and proactively submits the data for those items to the server/proxy.
Passive: the server requests the data for a monitored item from the agent, and the agent returns the data.

Create a trigger
The other trigger is configured the same way, so it is not repeated here.

View data
Manually append the two keywords to the log; then, under Monitoring - Latest data, you can see the log records captured for these two keywords, which shows that both keywords are being picked up.
On the home page, the dashboard shows the corresponding alerts (Warning or Information).

Note:
When reading the log, the following is sometimes shown: cannot open '/data/app/app/logs/det.log': [13] Permission denied.
The reason is that the zabbix user cannot read the log file. Read permission (+r) must be added to the log file's permissions.

Update, 08-23
Today a developer reported that the error keyword had appeared in the log, but our monitoring had not picked it up.
Thinking it over: it worked yesterday, so why not today?
1. Is the path wrong? I checked the path on the machine and found it had not changed.
2. The path is correct, so are the permissions wrong? Running ll on the log showed that r was missing for others, so the file could not be read; no wonder nothing was being monitored.
But why was r gone? The reason is that a new log file is created every day, replacing the old one, so the permissions set earlier are lost.
Workaround:
Add the zabbix user to the app user group (the group that owns the file):
usermod -a -G app zabbix
Check that it succeeded:
id zabbix
View the log permissions:
ll /data/app/app/logs/xx.log
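Why the recreated log stopped being readable and why group membership restores access without making the file world-readable, as an added example (not part of the original post). The numeric ids, modes and directory tree are constructed, the function names are chosen here, and ACLs and root's override are not modelled.

```python
import grp
import os
import pwd
import stat

def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """rwx bits that apply to (uid, gids): only ONE class is consulted."""
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def can_read_log(components, uid, gids):
    """components: (name, mode, owner_uid, owner_gid) from / down to the file.
    Returns (True, None) or (False, name of the blocking component)."""
    *dirs, logfile = components
    for name, mode, ouid, ogid in dirs:
        if not class_bits(mode, ouid, ogid, uid, gids) & 1:  # x: traverse dir
            return False, name
    name, mode, ouid, ogid = logfile
    if not class_bits(mode, ouid, ogid, uid, gids) & 4:      # r: read file
        return False, name
    return True, None

def stat_components(path):
    """Build the component list for a real path on this host."""
    parts, cur = [], os.path.abspath(path)
    while True:
        st = os.stat(cur)
        parts.append((cur, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
        if os.path.dirname(cur) == cur:
            return parts[::-1]
        cur = os.path.dirname(cur)

def identity(user):
    """uid and full group set of a local account, as a new login would get."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids

# Constructed sample: ids and modes are made up for illustration.
APP, ZBX = 1001, 997
def tree(file_mode, logs_mode=0o755):
    return [("/", 0o755, 0, 0), ("/data", 0o755, 0, 0),
            ("/data/app", 0o755, APP, APP), ("/data/app/app", 0o755, APP, APP),
            ("/data/app/app/logs", logs_mode, APP, APP),
            ("/data/app/app/logs/det.log", file_mode, APP, APP)]
```

On a real host, can_read_log(stat_components(path), *identity("zabbix")) evaluates the actual file; a running agent keeps the group list it started with, so restart it after usermod.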