Logstash with zabbix output ISSUE

theuntergeek · June 9, 2015, 6:49pm

Check your zabbix logs and the item type. It might be sending but not adding the value because of a mismatch, but the logs should indicate what's going on (or at least, hopefully, an error message).

shivam_singh · August 17, 2015, 2:02pm

I am Also getting an error while sending the output to zabbix.

My config file...
input {
lumberjack {
port => 5000
type => "logs"
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}

filter {
grok {
match => [ "message", "%{SYSLOGBASE} %{DATA:data}" ]
add_tag => [ "zabbix-sender" ]
add_field => [
"zabbix_host", "%{source_host}",
"zabbix_item", "item.key",
"send_field", "data"
]
}
}

output{
elasticsearch{
host => localhost
}
}

output {
zabbix {
zabbix_host => "log_getter"
zabbix_key =>"hello"
zabbix_server_host => "10.0.30.215"
}
}

ERROR:
Field referenced by log_getter is missing {:level=>:warn}

theuntergeek · August 17, 2015, 2:29pm

The zabbix_host directive is supposed to point to a field name, rather than be a plain string host name.

Please see this passage from the documentation:

zabbix_host

This is a required setting.
Value type is string
There is no default value for this setting.
The field name which holds the Zabbix host name. This can be a sub-field of the @metadata field.

I see from your grok statement that you're adding a zabbix_host field from the source_host field. This is adding a redundant field. You could just replace "log_getter" with "source_host" to use the value of source_host. This value must be a valid host in your Zabbix server, though, whether a short hostname or a fully-qualified domain name.

shivam_singh · August 17, 2015, 2:36pm

i have a host named ELK in zabbix server with a "log_getter" item and "hello" as key(Zabbix trapper).

shivam_singh · August 17, 2015, 2:40pm

Have checked with commenting the GROK filter part, still it is giving the same error.

theuntergeek · August 17, 2015, 3:20pm

the host is named ELK? All caps?

If so, then in your grok statement, you'd set:

add_field => {
 "zhost" => "ELK"
 "zkey" => "hello"
}

and in your output you'd set:

zabbix {
  zabbix_host => "zhost"
  zabbix_key =>"zkey"
  zabbix_server_host => "10.0.30.215"
}

In the output block, zabbix_host and zabbix_key must reference fields, not strings. This configuration will send strings to the "hello" key on host "ELK".

shivam_singh · August 17, 2015, 3:27pm

Thanks...it seems to work. How do I know on the zabbix server end that I am getting the messages. And Based on it how do I do alerting

theuntergeek · August 17, 2015, 3:50pm

Those are questions better sent to the forums on zabbix.com