I have zabbix set with an item to monitor a log file on a zabbix client:
log["/var/log/program_name/client.log","ERROR:","UTF-8",100]
And a trigger to determine when that log file get's more ERRORs:
{Template_Linux:log["/var/log/program_name/client.log","ERROR:","UTF-8",100].change(0)}#0
This trigger gets tripped when the log file gets ERRORs the first time, but then that first trigger just sits around for ever in Monitoring->Triggers. My understanding is that the next time the server checks the value of log["/var/log/program_name/client.log","ERROR:","UTF-8",100] and sees that it hasn't changed that the trigger would go away. Obviously this isn't the case. Could someone explain why this first trigger isn't going away?
Ultimately my goal is to receive an email whenever ERRORs are added to that log file, but I would like to understand how triggers are working first.
Best Answer
The "log" agent item checks the whole log by default, you must tell it to use the "skip" mode to avoid processing of older data. Simply add a ",skip" to the end of your parameters to the log item. Check carefully this page in the documententation.