Create a trigger for Windows event logs

Collapse
This topic has been answered.
  • Nir Pery
    Junior Member
    • Sep 2022
    • 12

    #1

    Create a trigger for Windows event logs

    Hi,
    I have a PowerShell script that runs every Sunday morning and writes to the event log if it completed successfully.
    I created an item on zabbix:
    eventlog[Security,,,,4870,,skip]
    Now, I need to create a trigger that will fire if the event(4870) didn't show in the event log.
    I have tried this:
    eventlog[Security,,,,4870,,skip].logeventid(7d)=0 but it's not working well.

    Any suggestions?

    Thanks.
    Last edited by Nir Pery; 20-03-2023, 11:37.
  • Answer selected by Nir Pery at 21-03-2023, 09:01.

    • cyber
      Senior Member
      Zabbix Certified Specialist, Zabbix Certified Professional
      • Dec 2006
      • 4807

      #2
      Can you please describe, what you want to achieve with that expression?

      (It would be nice to mention your zabbix version also, trigger syntax has changed in 5.4...)

      I suppose, instead of logeventid() you may want to use nodata() to check if check has returned anything...


      • Nir Pery
        Junior Member
        • Sep 2022
        • 12

        #3
        Originally posted by cyber
        Can you please describe, what you want to achieve with that expression?

        (It would be nice to mention your zabbix version also, trigger syntax has changed in 5.4...)

        I suppose, instead of logeventid() you may want to use nodata() to check if check has returned anything...
        Hi,
        Zabbix server version 5.0.1.
        The event tells me that a process has completed. I want to fire a trigger if the event is not written to the event log, because that will tell me there was a problem with the script\process.


        • cyber
          Senior Member
          Zabbix Certified Specialist, Zabbix Certified Professional
          • Dec 2006
          • 4807

          #4
          I was trying to provoke you to analyze loudly, what exactly did you write into your trigger expression..
          logeventid (<pattern>)
          Checking if event ID of the last log entry matches a regular expression. pattern (optional) - regular expression describing the required pattern, Perl Compatible Regular Expression (PCRE) style. Supported value types: log

          Returns:
          0 - does not match
          1 - matches

          This function is supported since Zabbix 1.8.5.

          So... check if your logeventid of last entry matches pattern... I am pretty sure it does not match "7d", as it is actually 4870... And definitely does not look for a value since last 7 days... as it is not designed to do so...

          If you are sure that this appears just once a week.. you can try "eventlog[Security,,,,4870,,skip].nodata(7d)=1". This may in some cases produce false alarms, if your script for some reason delays a bit, etc. You can add a bit to it by measuring in hours, 169h for example (7d+1h), or minutes, 1447m+x minutes for "jitter".


          • Nir Pery
            Junior Member
            • Sep 2022
            • 12

            #5
            Originally posted by cyber
            I was trying to provoke you to analyze loudly, what exactly did you write into your trigger expression..
            logeventid (<pattern>)
            Checking if event ID of the last log entry matches a regular expression. pattern (optional) - regular expression describing the required pattern, Perl Compatible Regular Expression (PCRE) style. Supported value types: log

            Returns:
            0 - does not match
            1 - matches

            This function is supported since Zabbix 1.8.5.

            So... check if your logeventid of last entry matches pattern... I am pretty sure it does not match "7d", as it is actually 4870... And definitely does not look for a value since last 7 days... as it is not designed to do so...

            If you are sure that this appears just once a week.. you can try "eventlog[Security,,,,4870,,skip].nodata(7d)=1". This may in some cases produce false alarms, if your script for some reason delays a bit, etc. You can add a bit to it by measuring in hours, 169h for example (7d+1h), or minutes, 1447m+x minutes for "jitter".
            Hi,
            Thanks for the answer.
            I used what you said: nodata(7d)=1.
            Yes, the script is running in task scheduler once a week, every Sunday morning.
            What is the best practice for the item interval in this case?


            • cyber
              Senior Member
              Zabbix Certified Specialist, Zabbix Certified Professional
              • Dec 2006
              • 4807

              #6
              As I said.. if you define it as "7d" then it will trigger at exactly 7d.. If your script runs with some minutes precision, then try to use minutes... like .. 1450 gives you +3 minutes as possible delay..

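The two functions cyber describes in #4 and the window padding from #6, modelled in Python as an added example. This is not code from the thread or from Zabbix: the real functions run inside the Zabbix server against item history, this only reproduces their semantics so the behaviour can be checked offline. The event records are constructed, not real Security-log data, and the pattern match uses Python's `re` with search semantics rather than PCRE, which makes no difference for the digit-only patterns used here. It shows why `logeventid(7d)` returns 0 (the argument is a pattern tested against the last event ID, not a time range) and how the `nodata()` window length decides whether a run that finishes a few minutes late raises a false alarm. In Zabbix 5.0 the full trigger expression carries the host name, i.e. `{HOSTNAME:eventlog[Security,,,,4870,,skip].nodata(169h)}=1` with HOSTNAME replaced by the monitored host.

```python
"""Model of Zabbix logeventid() and nodata() over a constructed sample of
eventlog[Security,,,,4870,,skip] values (added example, not Zabbix code)."""
import re
from datetime import datetime, timedelta

# Constructed sample: (collection time, Windows event ID) for three weekly
# Sunday runs. The third run finished about 3.5 minutes later than the others.
SAMPLE_EVENTS = [
    (datetime(2023, 3, 5, 6, 0, 10), 4870),
    (datetime(2023, 3, 12, 6, 0, 5), 4870),
    (datetime(2023, 3, 19, 6, 3, 40), 4870),
]

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_period(spec):
    """Turn a Zabbix time period such as '7d', '169h' or '1450m' into a
    timedelta. A bare number is seconds, as in Zabbix."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", spec)
    if not m:
        raise ValueError(f"not a Zabbix time period: {spec!r}")
    return timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2) or "s"])


def _as_datetime(now):
    """Accept either a datetime or an ISO 8601 string for the evaluation time."""
    return datetime.fromisoformat(now) if isinstance(now, str) else now


def logeventid(events, pattern):
    """logeventid(<pattern>): 1 if the event ID of the LAST collected entry
    matches the regular expression, else 0. The argument is a pattern, not a
    time range, so logeventid(7d) asks whether the string '4870' contains '7d'."""
    if not events:
        return 0
    return 1 if re.search(pattern, str(events[-1][1])) else 0


def nodata(events, period, now):
    """nodata(<period>): 1 if the item received no value during the last
    `period` as of `now`, else 0. Only values collected at or before `now`
    exist at evaluation time, so later entries are ignored."""
    now = _as_datetime(now)
    cutoff = now - parse_period(period)
    seen = [ts for ts, _ in events if cutoff <= ts <= now]
    return 0 if seen else 1


def compare_windows(events, now, periods=("7d", "169h")):
    """Evaluate the nodata() trigger for each window at time `now`.
    Returns {period: 1 if the trigger would fire, 0 otherwise}."""
    return {p: nodata(events, p, now) for p in periods}


if __name__ == "__main__":
    # The expression as posted in #1 passes a period where a pattern is expected.
    print("logeventid('7d')     ->", logeventid(SAMPLE_EVENTS, "7d"))
    print("logeventid('^4870$') ->", logeventid(SAMPLE_EVENTS, "^4870$"))
    # One second past the strict 7d mark of the 12 March run, the 19 March run
    # has not been written yet: '7d' raises a false alarm, '169h' does not.
    print(compare_windows(SAMPLE_EVENTS, "2023-03-19T06:00:06"))
    # A week later with no run at all, both windows fire: the real alert.
    print(compare_windows(SAMPLE_EVENTS, "2023-03-26T07:30:00"))
```

Run it as a script to print the comparison. The point to carry over to the trigger is that the `nodata()` window must cover the interval between two successful runs plus the worst-case delay of the script; and because in its default mode `nodata()` fires whenever no value arrives in the window, whatever the reason, the alert text should not assume the script itself failed (an agent that stopped delivering values produces the same trigger).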

              • Nir Pery
                Junior Member
                • Sep 2022
                • 12

                #7
                Originally posted by cyber
                As I said.. if you define it as "7d" then it will trigger at exactly 7d.. If your script runs with some minutes precision, then try to use minutes... like .. 1450 gives you +3 minutes as possible delay..
                Thanks! You helped me

