Log File Monitoring : Nginx Proxy HTTP Status Codes



For more info on my Zabbix Course visit https://sbcode.net/zabbix/

The file I monitor is located at /var/log/nginx/access.log
The default zabbix user that the Zabbix agent runs as does not have read access to many log files on the system.
You can usually solve this by adding the zabbix user to a group that can read the file.

The nginx access.log file can be read by the www-data or adm groups on Ubuntu 18,
so I add the zabbix user to the www-data group.
To find out which groups can read a log file,
I typed, for example,
$ ls -lh /var/log/nginx/
This tells me that the access.log file can be read by www-data and adm groups.
Then I check which groups the user zabbix is part of,
$ groups zabbix
If it’s not part of either group already, I then add it,
$ sudo usermod -a -G www-data zabbix
and check again to confirm.
$ groups zabbix
I can read the most recent log file entries by typing
$ tail -f /var/log/nginx/access.log

I then created an item for the host, with settings

Name: HTTP Status Codes
Type : Zabbix agent (active)
Key: log[/var/log/nginx/access.log,"^(\S+) (\S+) (\S+) \[([\w:/]+\s[+-]\d{4})\] \"(\S+)\s?(\S+)?\s?(\S+)?\" (\d{3}|-) (\d+|-)\s?\"?([^\"]*)\"?\s?\"?([^\"]*)\"?\s",,,,\8,]
Type of Information : numeric (unsigned)
Update Interval : 5s

The regex value that I copy into regex101 is
^(\S+) (\S+) (\S+) \[([\w:/]+\s[+-]\d{4})\] "(\S+)\s?(\S+)?\s?(\S+)?" (\d{3}|-) (\d+|-)\s?"?([^"]*)"?\s?"?([^"]*)"?\s

This regex can separate the values for Nginx and Apache access logs.

The regex splits each row of the log into several groups.

The HTTP Status code is in the 8th group.

I also created triggers to notify on

101 Switching Protocols
301 Moved Permanently
302 Redirect
304 Not Modified
400 Bad Request
401 Unauthorised
403 Forbidden
404 Not Found
500 Server Error

For the 404 not found trigger, I also used the ‘count’ option to detect whether a 404 happened 10 or more times in the last 10 minutes.
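
To check the pattern outside Zabbix before pasting it into the item key, this added example (not from the original post) runs it over constructed log lines in Python, pulls out group 8, and mimics the 404 count rule. The helper names, the sample lines and the use of the log's own timestamps instead of Zabbix collection times are assumptions.

```python
import re
from datetime import datetime, timedelta

# The page's pattern, without the \" escaping that the Zabbix key needs.
ACCESS_RE = re.compile(
    r'^(\S+) (\S+) (\S+) \[([\w:/]+\s[+-]\d{4})\] "(\S+)\s?(\S+)?\s?(\S+)?" '
    r'(\d{3}|-) (\d+|-)\s?"?([^"]*)"?\s?"?([^"]*)"?\s'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (timestamp, status) for an access-log line, or None if the
    pattern does not match or the status field is '-'."""
    m = ACCESS_RE.match(line)
    if not m or m.group(8) == "-":
        return None
    ts = datetime.strptime(m.group(4), TS_FORMAT)
    return ts, int(m.group(8))  # group 8 is the value \8 hands to Zabbix

def count_status(lines, code, now, window=timedelta(minutes=10)):
    """Count lines with the given status logged within `window` before `now`."""
    hits = 0
    for line in lines:
        parsed = parse(line)
        if parsed and parsed[1] == code and timedelta(0) <= now - parsed[0] <= window:
            hits += 1
    return hits

def make_line(ts, path, status):
    # Constructed nginx "combined" line; 192.0.2.10 is a documentation address.
    return (f'192.0.2.10 - - [{ts.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" '
            f'{status} 153 "-" "Mozilla/5.0 (X11; Linux x86_64)"')

NOW = datetime.strptime("10/Oct/2023:14:00:00 +0000", TS_FORMAT)
SAMPLE = [make_line(NOW - timedelta(minutes=25), "/old", 404)]       # outside window
SAMPLE += [make_line(NOW - timedelta(seconds=40 * i), f"/missing{i}", 404)
           for i in range(12)]                                        # inside window
SAMPLE += [make_line(NOW - timedelta(minutes=1), "/", 200),
           "2023/10/10 14:00:00 [error] 1234#0: not an access-log line"]  # no match

if __name__ == "__main__":
    recent_404 = count_status(SAMPLE, 404, NOW)
    verdict = "trigger" if recent_404 >= 10 else "ok"
    print(f"404s in last 10 minutes: {recent_404} -> {verdict}")
```

Lines that do not match the pattern return None here; in Zabbix they are simply not collected, so a change to the nginx log format shows up as missing data rather than as an error.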

How and whether you decide to trigger on HTTP status codes is up to you.
The video just provides examples for you to follow.
