Logstash-output-zabbix does not send to zabbix

When sending logs to zabbix, it gives an error.
[WARN ] 2021-10-05 [[main]>worker1] zabbix - Field referenced by message is missing
[WARN ] 2021-10-05 [[main]>worker1] zabbix - Zabbix server at monitoring-server.com rejected all items sent. {:zabbix_host=>"Log"}
My config:

input {
  file {
    path => "/var/log/logstash/test.log"
    start_position => "beginning"
    add_field => [ "[@metadata][zabbix_key]" , "trap" ]
    add_field => [ "[@metadata][zabbix_host]" , "Log" ]
  }
}
filter {
  grok {
    match => { "message" => "%{IPORHOST:clientip}%{SPACE}(?:-|(%{WORD}.%{WORD}))%{SPACE}%{USER:id}%{SPACE}\[%{HTTPDATE:timestamp}\]%{SPACE}%{BASE16FLOAT:request_time}%{SPACE}%{BASE16FLOAT:request_time_upstream}%{SPACE}\"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:http_version})?|%{DATA:rawrequest})\"%{SPACE}%{NUMBER:response}%{SPACE}(?:%{NUMBER:bytes}|-)%{SPACE}%{QS:referrer}%{SPACE}%{QS:agent}%{SPACE}%{QS:forwarder}" }
    remove_field => "message"
    remove_field => "host"
    remove_field => "@timestamp"
    remove_field => "path"
    remove_field => "@version"
  }
  geoip {
    source => "clientip"
    target => "geoip"
    database => "/etc/logstash/GeoLite2-City.mmdb"
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
  }
  mutate { convert => [ "[geoip][coordinates]", "float"] }
}
output {
  stdout { codec => rubydebug }
  zabbix {
    zabbix_key => "[@metadata][zabbix_key]"
    zabbix_host => "[@metadata][zabbix_host]"
    zabbix_server_host => "monitoring-server.com"
    zabbix_server_port => "10051"
    zabbix_value => "message"
  }
}

However, if you comment out

grok {
match 

then the logs arrive in Zabbix, but not parsed. I need the parsed log to arrive, or only when there is an error status of 500.
What is wrong with me? Thanks!

I do not use this plugin, but according to the documentation:

This plugin will log a warning if a necessary field is missing. It will not attempt to resend if Zabbix is down, but will log an error message.

Which seems to be what you got:

[WARN ] 2021-10-05 [[main]>worker1] zabbix - Field referenced by message is missing

In your configuration you are setting zabbix_value to message, so the value you want to send needs to be in this field. [documentation].

But before the output block you are removing the message field:

remove_field => "message"

So you are referencing a field that no longer exists; this is what is causing your error. Try keeping the message field and see what happens.

The message is sent to zabbix only with this configuration. But accordingly, then the message is not parsed.

The debugger shows that the message is now displayed on one line. There are no error messages, but it does not appear in Zabbix.
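One way to send a parsed value, and only for status 500, instead of the raw line (an added example, not a configuration posted in this thread or taken from the plugin's documentation). The field name `[@metadata][zabbix_value]` and the layout of the composed string are assumptions; paths, host, key and server are the ones from the question.

```logstash
input {
  file {
    path => "/var/log/logstash/test.log"
    start_position => "beginning"
    add_field => {
      "[@metadata][zabbix_key]"  => "trap"
      "[@metadata][zabbix_host]" => "Log"
    }
  }
}
filter {
  grok {
    # Pattern copied unchanged from the question.
    match => { "message" => "%{IPORHOST:clientip}%{SPACE}(?:-|(%{WORD}.%{WORD}))%{SPACE}%{USER:id}%{SPACE}\[%{HTTPDATE:timestamp}\]%{SPACE}%{BASE16FLOAT:request_time}%{SPACE}%{BASE16FLOAT:request_time_upstream}%{SPACE}\"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:http_version})?|%{DATA:rawrequest})\"%{SPACE}%{NUMBER:response}%{SPACE}(?:%{NUMBER:bytes}|-)%{SPACE}%{QS:referrer}%{SPACE}%{QS:agent}%{SPACE}%{QS:forwarder}" }
    # No remove_field here: every field an output references must still exist.
  }
  # Compose the value from parsed fields, only for HTTP 500 responses.
  # grok captures are strings unless converted, so compare against "500".
  if [response] == "500" {
    mutate {
      add_field => {
        # Assumed layout. If the line matched the rawrequest branch,
        # %{verb} and %{request} are left as literal text.
        "[@metadata][zabbix_value]" => "%{clientip} %{verb} %{request} -> %{response}"
      }
    }
  }
}
output {
  # @metadata is hidden by default; show it while debugging.
  stdout { codec => rubydebug { metadata => true } }
  # Only events that received a value are handed to the zabbix output,
  # so the "Field referenced by ... is missing" warning cannot be triggered.
  if [@metadata][zabbix_value] {
    zabbix {
      zabbix_host        => "[@metadata][zabbix_host]"
      zabbix_key         => "[@metadata][zabbix_key]"
      zabbix_server_host => "monitoring-server.com"
      zabbix_server_port => 10051
      zabbix_value       => "[@metadata][zabbix_value]"
    }
  }
}
```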
