
Log File Monitoring - Apache/Nginx HTTP Status Codes

Video Lecture

Log File Monitoring - Nginx Proxy HTTP Status Codes

Description

Monitoring Log Files - HTTP Status Codes of an Apache or Nginx web server.

So that we have something to look at, we can use the Apache or Nginx web server that our Zabbix PHP frontend uses. Later, you can adapt this lesson to monitor your own production web servers.

Since I installed my Zabbix server using the Apache web server option, the log file that I want to monitor is located at,

/var/log/apache2/access.log

If I had installed my Zabbix server using the Nginx option, I would monitor the file at,

/var/log/nginx/access.log

The zabbix user that the Zabbix agent runs as does not have read access to most log files on the system.

You can usually add the zabbix user to the adm group to solve this problem.

The Apache and Nginx access.log files can both be read by the adm group on Ubuntu. So, I can also add the zabbix user to the adm group.

To find out which group can read a log file, go into the folder where it is saved, and type,

ls -lh

For example, cd into the /var/log/apache2/ or /var/log/nginx/ folder,

cd /var/log/apache2/
# or
cd /var/log/nginx/

And type,

ls -lh

I can see that the adm group can read the log files.

To see which groups the zabbix user is part of, we can run,

groups zabbix

If it's not part of the adm group already, then we can add it.

usermod -a -G adm zabbix

and check again to confirm.

groups zabbix

After changing the zabbix user permissions, you should restart the Zabbix agent and check its status.

service zabbix-agent restart
service zabbix-agent status

To read the most recent log file entries, type,

tail -f /var/log/apache2/access.log
# or
tail -f /var/log/nginx/access.log

You can also check that this command works when run as the zabbix user,

sudo -H -u zabbix bash -c 'tail -f /var/log/apache2/access.log'
# or
sudo -H -u zabbix bash -c 'tail -f /var/log/nginx/access.log'

If you get the error "cannot open 'access.log' for reading: Permission denied", then you should ensure that the zabbix user is part of the adm group.

After confirming that everything is OK so far, we can add an item to the host, with the settings,

  • Name: HTTP Status Codes
  • Type: Zabbix (active)
  • Key: log[/var/log/apache2/access.log,"^(\S+) (\S+) (\S+) \[([\w:\/]+\s[+\-]\d{4})\] \"(\S+)\s?(\S+)?\s?(\S+)?\" (\d{3}|-) (\d+|-)\s?\"?([^\"]*)\"?\s?\"?([^\"]*)\"",,,skip,\8,,,]
  • Type of Information: numeric (unsigned)
  • Update Interval: 1m

The regex value that I copied into https://regex101.com was,

^(\S+) (\S+) (\S+) \[([\w:\/]+\s[+\-]\d{4})\] \"(\S+)\s?(\S+)?\s?(\S+)?\" (\d{3}|-) (\d+|-)\s?\"?([^\"]*)\"?\s?\"?([^\"]*)\"

This regex can separate the values for both Nginx and Apache access logs.

The regex splits each row of the log into several groups.

The HTTP Status code is in the 8th group.

I can also create triggers to notify on

  • 101 Switching Protocols
  • 301 Moved Permanently
  • 302 Redirect
  • 304 Not Modified
  • 400 Bad Request
  • 401 Unauthorized
  • 403 Forbidden
  • 404 Not Found
  • 405 Method Not Allowed
  • 500 Server Error

In this video I also demonstrate creating a trigger to detect 10 or more HTTP 404 errors in the last 10 minutes.
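
The regex and the 404 trigger described above, as an added example that is not part of the original lesson: Python applies the page's regex to constructed sample lines, reads the status code from group 8, and checks for 10 or more 404s in a 10-minute window. The function names and sample lines are assumptions of this example, and the window is computed from the timestamps inside the log lines.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Regex copied from the page; group 4 is the timestamp, group 8 the HTTP status code.
ACCESS_RE = re.compile(
    r'^(\S+) (\S+) (\S+) \[([\w:\/]+\s[+\-]\d{4})\] \"(\S+)\s?(\S+)?\s?(\S+)?\" '
    r'(\d{3}|-) (\d+|-)\s?\"?([^\"]*)\"?\s?\"?([^\"]*)\"'
)

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE = (
    ['192.0.2.10 - - [10/Oct/2023:13:40:00 +0000] "GET /old HTTP/1.1" 404 153 "-" "curl/8.0"']
    + ['198.51.100.7 - - [10/Oct/2023:13:5%d:00 +0000] "GET /missing%d HTTP/1.1" 404 153 "-" "curl/8.0"'
       % (i, i) for i in range(10)]
    + ['192.0.2.10 - - [10/Oct/2023:13:59:30 +0000] "GET /index.php HTTP/1.1" 200 2326 '
       '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
       '203.0.113.5 - - [10/Oct/2023:13:59:40 +0000] "-" 408 0 "-" "-"',  # no request line
       'not an access log line']
)


def parse(line):
    """Return (timestamp, status) for a log line, or None if it has no numeric status."""
    m = ACCESS_RE.match(line)
    if m is None or m.group(8) == "-":
        return None
    return datetime.strptime(m.group(4), "%d/%b/%Y:%H:%M:%S %z"), int(m.group(8))


def status_counts(lines):
    """Tally status codes, skipping lines the regex cannot split."""
    return Counter(p[1] for p in map(parse, lines) if p)


def count_recent(lines, status, now, window=timedelta(minutes=10)):
    """Count entries with this status whose timestamp lies in [now - window, now]."""
    hits = (p for p in map(parse, lines) if p and p[1] == status)
    return sum(1 for ts, _ in hits if now - window <= ts <= now)


def alert_404(lines, now, threshold=10):
    """True when there are `threshold` or more 404s in the last 10 minutes."""
    return count_recent(lines, 404, now) >= threshold


if __name__ == "__main__":
    now = datetime.strptime("10/Oct/2023:14:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
    print(dict(status_counts(SAMPLE)), alert_404(SAMPLE, now))
```

Lines that the regex cannot split, or whose status field is "-", are skipped rather than counted, which matches the item's numeric (unsigned) type.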

Zabbix Agent Items

List of HTTP status codes
