Monitoring rotated files

Monitoring a single file wasn't terribly hard, but there's a lot of software that uses multiple log files. For example, the Apache HTTP server is often configured to log to a new file every day, with the date included in the filename. Zabbix supports monitoring such a log rotation scheme with a separate item key, logrt. To try it out, follow these steps:

  1. Navigate to Configuration | Hosts, click on Items next to A test host, then click on Create item. Fill in the following:
    • Name: Rotated logfiles
    • Type: Zabbix agent (active)
    • Key: logrt["/tmp/zabbix_logmon/access_[0-9]{4}-[0-9]{2}-[0-9]{2}.log"]
    • Type of information: Log
    • Update interval: 2s
  1. When done, click on the Add button at the bottom.

But the key and its first parameter changed a bit from what we used before. The key is now logrt, and the first parameter is a regular expression, describing the files that should be matched. Note that the regular expression here is supported for the file part only; the path part must describe a specific directory. We also double quoted it because of the square brackets that were used in the regexp. The regexp should match filenames that start with access_, followed by four digits, a dash, two digits, a dash, two more digits, and ending with .log. For example, a filename such as access_2018-12-31.log would be matched. One thing we did slightly differently was the update interval was set to two seconds instead of one. The reason is that the logrt key is periodically re-reading directory contents, and this could be a bit more resource intensive than just checking a single file. That's also the reason why it's a separate item key, otherwise we could have used the regular expression for the file in the log item.

The Zabbix agent doesn't re-read directory contents every two seconds if a monitored file still has lines to parse; it only looks at the directory again when the already known files have been fully parsed.

With the item in place, let's proceed by creating and populating some files that should be matched by our regular expression. On A test host, execute the following:

$ echo "2018-12-1 03:00:00 rotated first" > /tmp/zabbix_logmon/access_2018-12-30.log

Checking the latest data page, the rotated log file item should get this value. Let's say that's it for this day and we'll now log something the next day:

$ echo "2018-12-1 03:00:00 rotated second" > /tmp/zabbix_logmon/access_2015-12-31.log

Checking the history for our item, it should've successfully picked up the new file:

As more files with a different date appear, Zabbix will finish the current file and then start on the next one.

The Zabbix agent doesn't send more than what is specified in the option maxlines of a log file per second. The limit prevents overloading of network and CPU resources, and overrides the default value provided by the MaxLinesPerSecond parameter in the agent configuration file.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.145.173.112