Shulou(Shulou.com)06/02 Report--

Filter the nginx-error log through logstash, filter the serious error in the log, and give an alarm.

As many posts on the network either wrote how to filter errors, or only translated the instructions for the use of the logstash-zabbix-output plug-in, and did not have a complete configuration, the whole project was finished and sorted out for everyone to read.

[software version]

Zabbix version: 2.4.8

Logstash version: 2.4.0

JDK version: 1.8.0mm 101

[zabbix configuration]

First, configure the item of zabbix so that it can successfully receive the information sent by logstash.

Create Template: "Configuration"-> "Templates"-> "Create template"

Here my name for Template is "Log file check".

Then create Application: "Create applicaton"

Application's name is also "Log file check"

Finally, create item: "Create item":

Pay attention to four areas:

Type must select "Zabbix trapper", otherwise it cannot receive the message sent by logstash.

Key must be written correctly, preferably without spaces, and need to be configured in logstash

Type of information chose "Text" because the value I passed was an error log, so select text

Allowed hosts: the host that allows transmission must be set to the host where the logstash is located.

[Logstash configuration]

Note: the download and installation of logstash are not introduced.

Installation directory: / opt/logstash/

Since the log volume did not reach the upper W level, some optimizations were made for logstash, which degraded some of the performance:

# vim / opt/logstash/bin/logstash LS_HEAP_SIZE=500m LS_JAVA_OPTS= "- server-Xmx200m"

[install logstash-output-zabbix plug-in]

/ opt/logstash/bin/logstash-plugin install logstash-output-zabbix

Logstash profile:

Input {file {type = > "error-log" # specifies the type, which is used to determine the operation path = > "/ tmp/test.log" # file path start_position = > "beginning" # file start location codec = > multiline {# filter using multi-line matching pattern = > "^\ d {4}" # the first line begins with four digits Negate = > true # all those that do not start with 4 numbers All belong to the previous line (the following what configuration) what = > "previous"}} filter {grok {match = > {message:\ s +\ n.*Code: (?\ d +). * Message: (?. +)\ n.*File: (?. +)\ n.*Line: (?\ s +\ d +). * "# for matching rules Or do you want to write} add_tag = > ["zabbix-sender"] # for your own scene? add a tag add_field = > [# set the mapping "zabbix_host", "web01", # hostname "zabbix_key", "logstash" # when adding item to the host name of the agent host Set key name]} if "_ grokparsefailure" in [tags] {# remove the error tag if filtering error No other processing mutate {remove_tag = > "_ grokparsefailure"}} output {# output configuration stdout {# you can turn on terminal output codec = > rubydebug # codec = > json # you can choose whether the output in json format or the output in rubydebug format} zabbix {# sent to zabbix configuration Zabbix_host = > "zabbix_host" # zabbix_host refers to the host mapped above You cannot use ip zabbix_key = > "zabbix_key" # zabbix_key to refer to the key mapped above, which means a key sent to a host. The value is zabbix_value zabbix_server_host = > "192.168.1.229" # zabbix server zabbix_server_port = > "10051" # zabbix server port defaults to 10051 zabbix_value = > "Message" # key value to be sent}}

If you need to test, you can test it with zabbix_sender in zabbix agent:

/ opt/zabbix/sender-z zabbix-server-p port-s agentservername-k keyname-o keyvalue

After all the configuration is complete, you can enter some test data in the monitoring log file and check on zabbix web to see if the data appears normally:

[configure alarm]

"configuration"-> "Templates"-> "Triggers"-> "Create Trigger":

Name:log error check

Expression: determine whether the length of the value obtained is 0. If it is not 0, trigger is problem, and send an alarm.

For other alarm-related configurations, please use your own degree.

Reference:

Http://blog.sina.com.cn/s/blog_7ba28b620102xw2w.html

Https://www.elastic.co/guide/en/logstash/current/plugins-outputs-zabbix.html

Https://www.zabbix.org/wiki/Docs/protocols/zabbix_sender/2.0

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.