I have created a Zabbix alert to return log messages whenever there is any ERROR or WARNING in the file:
Item:
Type: Zabbix agent (active)
key: log[/usr/local/panorama/acs/standalone/log/server.log,WARN\s*\[|ERROR\s*\[,,,,\0]
Type of information: Log
Log Time Format: yyyy-MM-ddThh:mm:ss,SSS
And an alert:
Name: Error/Warning log at {HOST.NAME} : {ITEM.VALUE}
Expression: {MyTemplate:log[/usr/local/abc/abc.log,WARN\s*\[|ERROR\s*\[*,,,,\0].strlen()}>0
Multiple Problem Generation: Checked
Example log message:
2015-05-02 19:20:55,919 ERROR [com.xyz.MyClass] some log message here
With this configuration, the alert that is being returned is:
Error/Warning log at CL MyHost : ERROR [
Could you please help me here? I want the other portion of the log message, i.e. the alert should look like this:
Error/Warning log at CL MyHost : [com.xyz.MyClass] some log message here
Here I want to get the log message without the timestamp portion.
Also, what is the convention for parsing the millisecond portion of the timestamp? I am using "S". Not sure if that is OK.
Any help will be appreciated.
If the most important goal is to have "[com.xyz.MyClass] some log message here" as item value, then the following key seems to work:
log[/tmp/logfile.txt,WARN\s*|ERROR\s*(\[.*),,,,\1]
Unfortunately, by capturing only the specified part of the log message we lose the ability to parse the timestamp, because the timestamp is parsed on the server side, while \1 is captured on the agent side.
Regarding parsing of milliseconds, it is not supported (see log monitoring documentation).
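To see why the original key returns only "ERROR [" and the answer's key returns the bracket-onward text, here is an added example (not part of either post and not Zabbix's own code) that models in Python how the agent applies the output template of log[file,regexp,,,,output]: \0 is replaced by the whole regex match and \N by capture group N. The sample log lines are constructed to mirror the one in the question, and the choice to substitute an empty string for an unmatched group is an assumption of this model. The example also covers a case the answer does not mention: in WARN\s*|ERROR\s*(\[.*) the alternation binds looser than the group, so the capture is only attached to the ERROR branch and WARN lines yield an empty value. A pattern such as (WARN|ERROR)\s*(\[.*) with output \2 (a suggestion here, not from the answer) captures the message for both levels.

```python
import re

# Constructed sample lines in the same layout as the line quoted in the question.
SAMPLE_LOG = [
    "2015-05-02 19:20:55,919 ERROR [com.xyz.MyClass] some log message here",
    "2015-05-02 19:20:56,001 WARN  [com.xyz.Other] disk usage at 91%",
    "2015-05-02 19:20:56,050 INFO  [com.xyz.Other] routine message",
]


def apply_log_key(line, pattern, output):
    """Model the agent's handling of one line for log[file,regexp,,,,output].

    Returns None when the line does not match the regexp (the agent sends
    nothing for such lines). Otherwise returns the output template with \\0
    replaced by the whole match and \\N by capture group N. A referenced
    group that did not participate in the match becomes an empty string
    (an assumption of this model, not verified against the agent source).
    """
    m = re.search(pattern, line)
    if m is None:
        return None

    def substitute(ref):
        n = int(ref.group(1))
        if n == 0:
            return m.group(0)
        group = m.group(n) if n <= len(m.groups()) else None
        return group or ""

    return re.sub(r"\\(\d+)", substitute, output)


def run(pattern, output):
    """Apply one key configuration to every sample line; None means 'no event'."""
    return [apply_log_key(line, pattern, output) for line in SAMPLE_LOG]


def would_fire(values):
    """Mirror the trigger expression .strlen()>0 on each produced value."""
    return [v is not None and len(v) > 0 for v in values]


if __name__ == "__main__":
    configs = [
        # Key from the question: \0 is only the matched text, hence "ERROR [".
        (r"WARN\s*\[|ERROR\s*\[", r"\0"),
        # Key from the answer: works for ERROR, but WARN lines produce "".
        (r"WARN\s*|ERROR\s*(\[.*)", r"\1"),
        # Suggested variant: the capture applies to both alternatives.
        (r"(WARN|ERROR)\s*(\[.*)", r"\2"),
    ]
    for pattern, output in configs:
        print(f"regexp={pattern!r} output={output!r}")
        for line, value in zip(SAMPLE_LOG, run(pattern, output)):
            print(f"  {line[24:29].strip():5} -> {value!r}")
```

Run it as a script to print what each configuration produces per line; the third configuration is the one to try in the item key if both WARN and ERROR messages are wanted, keeping in mind the answer's caveat that any output template other than \0 forfeits server-side timestamp parsing.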