Logstash-output-zabbix does not send to zabbix

Paveltest · October 5, 2021, 11:53am

When sending logs to zabbix, it gives an error.
[WARN ] 2021-10-05 [[main]>worker1] zabbix - Field referenced by message is missing
[WARN ] 2021-10-05 [[main]>worker1] zabbix - Zabbix server at monitoring-server.com rejected all items sent. {:zabbix_host=>"Log"}
My config:

input {
file {
        path => "/var/log/logstash/test.log"
        start_position => "beginning"
        add_field => [ "[@metadata][zabbix_key]" , "trap" ]
        add_field => [ "[@metadata][zabbix_host]" , "Log" ]
     }
}
filter {
grok {
match => { "message" => "%{IPORHOST:clientip}%{SPACE}(?:-|(%{WORD}.%{WORD}))%{SPACE}%{USER:id}%{SPACE}\[%{HTTPDATE:timestamp}\]%{SPACE}%{BASE16FLOAT:request_time}%{SPACE}%{BASE16FLOAT:request_time_upstream}%{SPACE}\"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:http_version})?|%{DATA:rawrequest})\"%{SPACE}%{NUMBER:response}%{SPACE}(?:%{NUMBER:bytes}|-)%{SPACE}%{QS:referrer}%{SPACE}%{QS:agent}%{SPACE}%{QS:forwarder}" }
remove_field => "message"
remove_field => "host"
remove_field => "@timestamp"
remove_field => "path"
remove_field => "@version"
}
geoip {
source => "clientip"
target => "geoip"
database => "/etc/logstash/GeoLite2-City.mmdb"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
      mutate { convert => [ "[geoip][coordinates]", "float"] }
}
output {
         stdout { codec => rubydebug }
zabbix {
zabbix_key => "[@metadata][zabbix_key]"
zabbix_host => "[@metadata][zabbix_host]"
zabbix_server_host => "monitoring-server.com"
zabbix_server_port => "10051"
zabbix_value => "message"
  }
}

However, if you comment out

grok {
match

then logs will come to Zabbix but not parsed. It is necessary that the parsed log would come, or only if there is an error status of 500.
What is wrong with me? Thanks!

leandrojmp · October 5, 2021, 12:53pm

I do not use this plugin, but according to the documentation:

This plugin will log a warning if a necessary field is missing. It will not attempt to resend if Zabbix is down, but will log an error message.

Which seems to be what you got:

[WARN ] 2021-10-05 [[main]>worker1] zabbix - Field referenced by message is missing

In your configuration you are setting zabbix_value to message, so the value you want to send needs to be in this field. [documentation].

But before the output block you are removing the message field:

remove_field => "message"

So you are making reference to a field that does not exist anymore, this is what is causing your error, try to keep the message field and see what happens.

Paveltest · October 6, 2021, 5:10am

The message is sent to zabbix only with this configuration. But accordingly, then the message is not parsed.

Paveltest:

input {
file {
        path => "/var/log/logstash/test.log"
        start_position => "beginning"
        add_field => [ "[@metadata][zabbix_key]" , "trap" ]
        add_field => [ "[@metadata][zabbix_host]" , "Log" ]
     }
}
output {
         stdout { codec => rubydebug }
zabbix {
zabbix_key => "[@metadata][zabbix_key]"
zabbix_host => "[@metadata][zabbix_host]"
zabbix_server_host => "monitoring-server.com"
zabbix_server_port => "10051"
zabbix_value => "message"
  }
}

Paveltest · October 6, 2021, 5:12am

Debager shows that the message is now displayed on one line. There are no error messages, but it does not appear in Zabbix.

system · November 3, 2021, 5:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Zabbix + Logstash = Field referenced by ... is missing Logstash	1	319	August 4, 2022
Logstash 2.0 and Zabbix plugin Logstash	2	1263	July 6, 2017
Zabbix plugin error about missing field Logstash	1	505	February 28, 2019
Problem pushing log from logstash to zabbix Logstash	2	936	July 6, 2017
Logstash-output-zabbix (3.0.5) Zabbix Version 4 ready? Logstash	2	408	January 10, 2019

Logstash-output-zabbix does not send to zabbix

Related topics