Filtering for specific strings

Sending everything is acceptable with smaller files, but what if a file has lots of information and we're only interested in error messages? The Zabbix agent can also filter the lines locally and send the server only the ones we instruct it to. For example, we could grab only the lines that contain the error string. Modify the Second logfile item and change its key to the following:

log[/tmp/zabbix_logmon/logfile2,error,,,skip] 

Add error after the path to the log file. Note that there are now three commas between error and skip; we populated the second item key parameter. Click on Update. As before, it may take up to three minutes for this change to propagate to the Zabbix agent, so it's suggested to let some time pass before continuing. After making a cup of tea, execute the following on A test host:

 $ echo "2018-12-1 10:45:05 fifth log entry" >> /tmp/zabbix_logmon/logfile2 

This time, nothing new will appear in the Latest data page; we filtered for the error string, but this line had no such string in it. Let's add another line:

$ echo "2018-12-1 10:54:05 sixth log entry - now with an error" >> /tmp/zabbix_logmon/logfile2  

Checking the history for the logfile2 item, we should only see the latest entry:

How about using some more complicated conditions? Let's say we would like to filter for all error and warning string occurrences, but for warnings only if they're followed by a numeric code that starts with the numbers 60-66. Luckily, the filter parameter is actually a regular expression. Let's modify the second log monitoring item and change its key to the following:

log[/tmp/zabbix_logmon/logfile2,"error|warning 6[0-6]",,,skip] 

We changed the second key parameter to "error|warning 6[0-6]", including the double quotes. This regular expression should match all errors, and warnings followed by a number that starts with 60-66. We had to double quote it because the regular expression contains square brackets, which are also used to enclose key parameters. To test this out, let's insert several test lines into our log file but, just like with the previous test, let's wait three minutes first:

$ echo "2018-12-1 11:01:05 seventh log entry - all good" >> /tmp/zabbix_logmon/logfile2
$ echo "2018-12-1 11:02:05 eighth log entry - just an error" >> /tmp/zabbix_logmon/logfile2
$ echo "2018-12-1 11:03:05 ninth log entry - some warning" >> /tmp/zabbix_logmon/logfile2
$ echo "2018-12-1 11:04:05 tenth log entry - warning 13" >> /tmp/zabbix_logmon/logfile2
$ echo "2018-12-1 11:05:05 eleventh log entry - warning 613" >> /tmp/zabbix_logmon/logfile2 

We could speed up the process by reloading the Zabbix server configuration cache, which is otherwise done every 60 seconds. We still have to wait until the active agent asks the Zabbix server for the latest update; this is done every 120 seconds. The server configuration can be reloaded on the Zabbix server by running the following command:

zabbix_server -R config_cache_reload

Based on our regular expression, the log monitoring item should do the following:

  • Ignore the seventh entry, as it contains no error or warning at all
  • Catch the eighth entry, as it contains an error
  • Ignore the ninth entry, as it has a warning but no number following it
  • Ignore the tenth entry, as it has a warning, but the number following it doesn't start within the 60-66 range
  • Catch the eleventh entry, as it has a warning and the number starts with 61, which is in our required range, 60-66
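
The expected outcome listed above can be checked offline before the agent picks up the new key. This is an added example, not from the book: the function names and the twelfth sample line are constructed here, and grep -E stands in for the agent's PCRE matching (this particular pattern means the same in both).

```shell
#!/bin/sh
# Added example (not from the book): preview which lines a log[] filter
# regexp would forward, using grep -E. The pattern used here means the same
# in POSIX ERE and in PCRE, which Zabbix uses since 3.4.

# write_sample FILE: the five test lines from the text plus one constructed line.
write_sample() {
    cat > "$1" <<'EOF'
2018-12-1 11:01:05 seventh log entry - all good
2018-12-1 11:02:05 eighth log entry - just an error
2018-12-1 11:03:05 ninth log entry - some warning
2018-12-1 11:04:05 tenth log entry - warning 13
2018-12-1 11:05:05 eleventh log entry - warning 613
2018-12-1 11:06:05 twelfth log entry - 0 errors found
EOF
}

# filter_preview REGEX FILE: print SEND or SKIP in front of every line.
filter_preview() {
    while IFS= read -r line || [ -n "$line" ]; do
        if printf '%s\n' "$line" | grep -Eq -- "$1"; then
            printf 'SEND  %s\n' "$line"
        else
            printf 'SKIP  %s\n' "$line"
        fi
    done < "$2"
}

# count_sent REGEX FILE: number of lines the filter would let through.
count_sent() {
    grep -Ec -- "$1" "$2" || true
}

sample=$(mktemp)
write_sample "$sample"
filter_preview 'error|warning 6[0-6]' "$sample"
echo "forwarded: $(count_sent 'error|warning 6[0-6]' "$sample")"
rm -f "$sample"
```

The constructed twelfth line is forwarded as well: the error alternative is unanchored, so it also matches errors inside an otherwise harmless message.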

Eventually, only the eighth and eleventh entries should be collected. Verify that, in the latest data page, only the entries that matched our regular expression were collected:

The regular expression we used wasn't very complicated. What if we would like to exclude multiple strings or do some other, more complicated, filtering? With the PCRE regular expressions, that could be somewhere between very complicated and impossible. There's a feature in Zabbix, called global regular expressions, which allows us to define regular expressions in an easier way. If we had a global regexp named Filter logs, we could reuse it in our item like this:

log[/tmp/zabbix_logmon/logfile2,@Filter logs,,,skip] 

Regular expression support in Zabbix has been switched from POSIX extended regular expressions to Perl Compatible Regular Expressions (PCRE) for enhanced regular expressions and consistency with the frontend. This switch was implemented in Zabbix 3.4.

Global regular expressions are covered in more detail in Chapter 11, Automating Configuration.
