Catch a string in log

Hello,

I’m looking for a way to tail a log file (Linux + Win) and catch a string pattern or a regex,
then send a notification on it.
I have found some data about input.tail plugin but I’m still not sure how to make it work.

Thank you
Nati

Hello @natim,
Here are some resources/steps that might be helpful to you:

  1. Get started with Telegraf | Telegraf 1.21 Documentation
  2. telegraf -sample-config -input-filter file -output-filter influxdb > file.conf
  3. Change the data format in the file.conf:
     ## Data format to consume.
     data_format = "<your format>"

     You can select from the following formats:

  4. Finish altering your config as needed.
  5. Debugging: Use the --test flag to gather metrics once and print them, like telegraf --config $pwd/file.conf --test. Also include debug=true in the agent part of your config.

Thank you @Anaisdg!

Where can I configure a specific string I want to catch in the log.

Let’s say I want to alert every time there is a row with a string like: “ERROR: ” in /var/log/messages.

Can I do it in influxDB? Telegraf? Do I need to go through a script to grep this string?

Thank you!

Nati

Hello @natim,
I believe you can do this with multiline:

[inputs.tail.multiline]
  pattern = "^%{ERROR}"

multiline parser/codec

multiline | Logstash Reference [2.4] | Elastic

#[inputs.tail.multiline]
  ## The pattern should be a regexp which matches what you believe to be an indicator that the field is part of an event consisting of multiple lines of log data.
  #pattern = "^\s"
  ## The field's value must be previous or next and indicates the relation to the
  ## multi-line event.
  #match_which_line = "previous"
  ## The invert_match can be true or false (defaults to false).
  ## If true, a message not matching the pattern will constitute a match of the multiline filter and the what will be applied. (vice-versa is also true)
  #invert_match = false
  ## After the specified timeout, this plugin sends the multiline event even if no new pattern is found to start a new event. The default is 5s.
  #timeout = "5s"

I’m also assuming you’ll probably want to use grok to parse the logs?
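As an added example that is not from this thread or from Telegraf's own docs (the log path, measurement name, bucket, org and token are placeholders), a Telegraf configuration that tails the file and uses grok, as mentioned above, so that only the lines containing "ERROR: " become metrics; those metrics go to InfluxDB, where a check and a notification rule can raise the alert:

```toml
# Added example: tail a syslog-style file and emit a metric per "ERROR: " line.
# Assumes /var/log/messages in the classic "Mon DD HH:MM:SS host prog[pid]: msg"
# layout; lines that match no grok pattern are simply not emitted.
[[inputs.tail]]
  files = ["/var/log/messages"]     # on Windows use a path such as 'C:\\logs\\app.log'
  from_beginning = false            # only new lines; true re-reads the whole file on start
  watch_method = "poll"             # "inotify" is the default; poll is the portable choice
  name_override = "log_errors"      # measurement name for every matched line
  data_format = "grok"
  grok_timezone = "Local"           # syslog timestamps carry no zone; assume the host's
  grok_patterns = ["%{SYSLOG_ERROR}"]
  grok_custom_patterns = '''
SYSLOG_ERROR ^%{SYSLOGTIMESTAMP:timestamp:ts-syslog} %{SYSLOGHOST:syslog_host:tag} %{DATA:program:tag}(\[%{POSINT:pid:int}\])?: ERROR: %{GREEDYDATA:message}
'''

[[outputs.influxdb_v2]]
  urls = ["http://localhost:8086"]
  token = "${INFLUX_TOKEN}"         # read from the environment rather than inlined
  organization = "my-org"           # placeholder
  bucket = "logs"                   # placeholder; point the check at this bucket
```

To verify the pattern, run telegraf --config file.conf --test --test-wait 5 against a copy of the log with from_beginning = true: matching lines print as log_errors metrics with program and syslog_host as tags and message as a field, and everything else is skipped.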