Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1


Remember Me

Directory Tree

Current Version
Last Release Date
Compatible With
  • Nagios 2.x
  • Nagios 3.x
  • Nagios 4.x
  • Nagios XI
  • Nagios Fusion
check_log3.plPlugin code (Perl)
check_customlog.plWrapper script for easier configuration
parameters.txtWrapper script configuration examples
nagios-plugins-check_log3-3.16.1-1.el7.noarch.rpmRPM package for RedHat Linux
nagios-plugins-check_log3-3.16.1-1.suse.noarch.rpmRPM package for SuSE Linux
Network Monitoring Software - Download Nagios XI
Log Management Software - Nagios Log Server - Download
Netflow Analysis Software - Nagios Network Analyzer - Download - a regular expression based log file parser plugin for Nagios and Nagios-like monitoring systems.
Tested on Linux, Windows, AIX and Solaris. No dependencies on third-party Perl modules.

This plugin will scan arbitrary text files looking for regular expression matches.
This is version 3.16.1

Usage: [ -v | --version ]
Usage: [ -h | --help ]
Usage: --manual
Usage: --list-encodings
Usage: -l log_file|log_directory (-p pattern [-p pattern ...])|-P patternfile)
[-i] [-n negpattern|-f negpatternfile ] [-s seek_file|seek_base_dir] [--show-filename]
([-m glob-pattern] [-t most_recent|first_match|last_match] [--timestamp=time-spec] [-S string])
[-d] [-D] [-a] [-C {-|+}n] [-q] [--ultraq] [-Q] ([-e '{ eval block }'|-E script_file]|--secure)
[--ok]|([-w warn_count] [-c crit_count] [--negate])
[--input-enc=encoding] [--output-enc=encoding] [--crlf]
[--missing=STATE [--missing-msg=message]]
[-R|--restartcommand] [-M|--returnmessage]

This plugin scans arbitrary text files for regular expression matches.

Log file control:

-l, --logfile=
The log file to be scanned, or the fixed path component if -m is in use.
If this is a directory, -t and -m '*' is assumed.
-s, --seekfile=
The temporary file to store the seek position of the last scan. If not
specified, it will be automatically generated in /tmp, based on the
log file's base name. If this is a directory, the seek file will be auto-
generated there instead of in /tmp.
If you specify the system's null device (/dev/null), the entire log file
will be read every time.
-m, --log-pattern=
A glob(7) expression, used together with the -l option for selecting log
files whose name is variable, such as time stamped or rotated logs.
If you use this option, the -s option will be ignored unless it points to
either a directory or to the null device (/dev/null).
For selecting time stamped logs, you can use the following date(1)-like
expressions, which by default refer to the current date and time:
%Y = year
%y = last 2 digits of year
%m = month (01-12)
%d = day of month (01-31)
%H = hour (00-23)
%M = minute (00-59)
%S = second (00-60)
%w = week day (0-6), 0 is Sunday
%j = day of year (000-365)
Use the --timestamp option to refer to timestamps in the past.
Note that the plugin only ever selects one log file to read.
See also the -S option.
-S, --seekfile-id=
For checks using -m, add this string to the generated seek file name to
make different service checks using the same log patterns unique.
-t, --log-select=most_recent|first_match|last_match
How to further select amongst multiple files when using -m:
- most_recent: select the most recently modified file
- first_match: select the first match (sorting alphabetically)
- last_match: select the last match (this is the default)
--timestamp='(X months|weeks|days|hours|minutes|seconds)... [ago]'
Use this option to make the time stamp macros in the -m expression refer
to a time in the past, e.g. '1 day, 6 hours ago'. The shortcuts 'now' and
'yesterday' are also recognised. The default is 'now'.
If this expression is purely numerical it will be interpreted as seconds
since 1970-01-01 00:00:00 UTC.

Search pattern control:

-p, --pattern=
The regular expression to scan for in the log file. If specified more
than once, the patterns will be combined into an expression of the form
'pattern1|pattern2|pattern3|...' (but also see the -A option).
-P, --patternfile=
File containing regular expressions, one per line, which will be combined
into an expression of the form 'line1|line2|line3|...' (but also see -A).
-A, --and
Use AND instead of OR to combine multiple patterns specified via the -p or
-P options. A line must match all patterns to be counted as a match.
This is equivalent to '(?=.*pattern1)(?=.*pattern2)(?=.*pattern3)...'.
-n, --negpattern=
The regular expression to skip in the log file. Can be specified multiple
times, in which case they will be combined as 'pat1|pat2|pat3|...'.
-f, --negpatternfile=
Specifies a file with regular expressions which will all be skipped.
-i, --case-insensitive
Do a case insensitive scan. Note, this is bad for performance.

Character set control:

--encoding=, --input-enc=
Force a particular encoding on the log file and pattern files (but not
custom eval scripts), such as utf-16, iso-8859-15, cp1252, koi8-r, etc.
For example, to read Windows Unicode files you probably need "utf16le".
Run the script with --list-encodings to see which encodings are supported.
Warning: if you use this option and the patterns specified on the command
line (with -p and -n) are not themselves in this encoding, you *must* use
pattern files! Also note that using this option is bad for performance.
Force a particular character encoding of the plugin output, as above.
The plugin's default output encoding is UTF-8.
Show which character set encodings this plugin supports, and exits.
Translate CRLF line endings to Unix newlines; use this if you are reading
logs generate on DOS/Windows PCs on a Unix machine and are getting '^M'
characters in the output. This option is also bad for performance.

Alerting control:

-w, --warning=
Return WARNING if at least this many matches found. The default is 1.
-c, --critical=
Return CRITICAL if at least this many matches found. The default is 0,
i.e. don't return critical alerts unless specified explicitly.
-d, --nodiff, --nodiff-warn
Return an alert if the log file was not written to since the last scan.
By default this will result in a WARNING if not at least one line was
written. If no search pattern was specified, the -w and -c options can
be used to control the number of expected lines.
-D, --nodiff-crit
Return CRITICAL if the log was not written to since the last scan. If no
search pattern was specified this is equivalent to '-d -c 1'.
--missing=STATE [ --missing-msg="message" ]
Return STATE instead of CRITICAL when no log file could be found, and
optionally output a custom message (by default "No log file found").
Note, if --missing is not specified, --missing-msg is ignored, and a
standard error message is returned.
Equivalent to --missing=OK (for backwards compatibility).
Always return an OK status to Nagios, unless there was an I/O error.
Inverts the meaning of the -w and -c options, i.e. returns an alert if not
at least this many matches are found. (Note: this option is not useful in
combination with --ok.)

Output control:

-N, --report-max=
Stop after matching a maximum of times. The log may not be read
all the way to the end of the file when using this option.
Output a maximum of lines and skip the rest (move the seek pointer
to the end of the file). Takes precedence over --report-max.
-1, --stop-first-match
Stop at the first line matched, instead of the last one. It will make the
plugin report every single match (and implies an alerting threshold of 1).
Equivalent to --report-max=1.
Stop at the first line matched, but also skip the remainder of the file.
Use this option only when you are expecting many identical (or very similar)
matches but only want to see the first one, and to ignore all subsequent
matches until the next service check. Equivalent to --report-only=1.
-a, --output-all
Output all matching lines instead of just the last one. Note that the
plugin output may be truncated if it exceeds 4KB (1KB when using NRPE).
Other agent software may impose other limits. Note that you will lose
performance data if output is truncated.
If used together with --report-max or --report-only, will affect output
but not stopping/EOF seeking behaviour.
-C, --context=[-|+]
Output lines of context before or after matched line; use -N for
N lines before the match, +N for N lines after the match (if possible) or
an unqualified number to get N lines before and after the match.
-R, --restartcommand=
If the the log was not written to since the last scan and the -D option was
used, prefix the status output with this string. This is meant to be the
name of a control script or systemd service that can be used by an event
handler to restart the application the log file belongs to.
-M, --returnmessage=
If the the log was not written to since the last scan and the -D option was
used, append this message to the end of the service check output. This can
be used to provide instructions to operators or links to documentation.
Make sure to use quotes to avoid problems.
-e, --parse=
-E, --parsefile=
Custom Perl code block to parse each matched line with, or an external
script. If specified directly with -e the code should probably be in
curly brackets and quoted. It will be executed as a Perl 'eval' block.
If the return code of the custom code is non-zero the line is counted
against the threshold, otherwise it isn't and it will be as if the line
did not match the pattern after all (though it is counted as perfdata).
The current matching line will be passed to the eval code in $_.
Set $parse_out to generate custom output instead of the matching line.
Set $perfdata to generate custom performance data instead of the number of
matching lines. Note: if you set $parse_out, no context will be output,
but you can parse it, and indeed you must use -C if you want to parse a
line other than the current matching one. In that case you should parse
@line_buffer instead of $_.
-q, --quiet
Suppress output of matched line(s) if state is OK.
Suppress all output if state is OK, this option is suitable for cronjobs.
-Q, --no-header
Suppress leading state and statistics info from output.
Suppress the standard performance data output from the plugin. Use this
if your are using custom parsing code and generate your own perfdata.
Print the name of the actual input file in the plugin output. Useful in
combination with dynamic filenames.

Other options:

Disable all custom eval code features. Overrides the -e and -E options.
Override the plugin time-out timer (by default 15 seconds). The plugin
will return UNKNOWN if the plugin runs for more than this many seconds.
Equivalent to --timeout=0.

Support information:

-h, --help
This help screen.
The full manual.
-v, --version
Print plugin version number and exit.

Send email to if you have questions regarding use of this
software, or to submit patches or suggest improvements. Please include version
information with all correspondence (the output of the --version option).

This Nagios plugin comes with ABSOLUTELY NO WARRANTY. You may redistribute
copies of the plugins under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYING.