I'm a newbie in Zabbix and I want to create an item which searches for the word "problem" in a log file. This item should search the file every 5 seconds and, if there are any "problem" words, it triggers a problem.
I created a key with the condition:
log[/var/log/test/test.log,problem]
After that, I created a trigger:
{Log reader:log[/var/log/test/test.log,problem].strlen()}>0
I created a fake .log file and filled it with some fake data:
asdasda
asdadad
problem
asadada
Everything works great: the trigger works and shows me a problem where the last data was "problem". After this I opened the fake log again and wrote:
asdasda
asdadad
problem
asadada
problem 1
I saved it, and Zabbix shows me 2 problems, both of which have last data "problem 1". When I write problem 3 to the log, the same happens again: 3 new reports, all with "problem 3" data.
This item should actually read only the latest data. I'm not 100% sure if this is a real problem, because every time I edit the .log file I re-save it, so logically the item finds 3 words and creates 3 reports. How will this work if the .log is real and is filled with real data? Does the item read only new entries, or will it work the same as when I re-save the whole file?
Thanks a lot for your time :)
There's a dedicated page for log file monitoring in the documentation which is very useful; the "Important Notes" section covers most of the gotchas.
Your trigger is working as expected, for every "problem" added in your log you get an alarm, and your alarm stays forever.
You should define a time window for your trigger (i.e.: trigger if I've got at least one "problem" in 5 minutes) or a recovery expression to clear the trigger after a certain condition is met (i.e.: 5 minutes passed without "problem" or an "OK" string in your log).
According to the trigger functions documentation - strlen section, this should fire up one alert which stays up for 1 or more "problem" strings and clears out after 5 minutes:
{Log reader:log[/var/log/test/test.log,problem].strlen(,5m)}>0
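The difference between alerting on every match and alerting with a 5-minute window, as an added example that is not part of the original answer and is not Zabbix's own trigger evaluation. It is a simplified Python model; the timestamps, sample lines and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

PATTERN = "problem"             # same match string as the log[] item key
WINDOW = timedelta(minutes=5)   # the "5 minutes" suggested in the answer

def t(hms):
    """Build a timestamp on a fixed, constructed date."""
    return datetime.strptime("2020-01-01 " + hms, "%Y-%m-%d %H:%M:%S")

# Constructed sample: (time the line was collected, line text).
SAMPLE = [
    (t("10:00:00"), "asdasda"),
    (t("10:00:05"), "problem"),
    (t("10:00:10"), "asadada"),
    (t("10:02:00"), "problem 1"),
    (t("10:03:30"), "problem 3"),
    (t("10:20:00"), "asadada"),
    (t("10:30:00"), "problem 4"),
]

def match_times(records, pattern=PATTERN):
    """Timestamps of lines containing the pattern, in time order."""
    return sorted(ts for ts, line in records if pattern in line)

def per_match_alerts(records):
    """No window and no recovery: every match is its own alert that never clears."""
    return [(ts, None) for ts in match_times(records)]

def windowed_alerts(records, window=WINDOW):
    """One alert per burst: opens on a match, is extended by any further match
    that arrives while it is open, and clears `window` after the last match."""
    episodes = []
    for ts in match_times(records):
        if episodes and ts <= episodes[-1][1]:
            episodes[-1][1] = ts + window       # still open: push recovery time out
        else:
            episodes.append([ts, ts + window])  # previous alert cleared: open a new one
    return [tuple(e) for e in episodes]

if __name__ == "__main__":
    print(len(per_match_alerts(SAMPLE)), "alerts without a window")
    for start, end in windowed_alerts(SAMPLE):
        print("alert", start.time(), "->", end.time())
```

On the sample data the three matches between 10:00:05 and 10:03:30 collapse into one alert, and the match at 10:30:00 opens a second one after the first has cleared.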