Ad Widget

Collapse

Trigger for log entries: avoid repeated alerts when log entry is the same

Collapse
This topic has been answered.
X
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • Moebius
    Member
    • Dec 2022
    • 43
    #1

    Trigger for log entries: avoid repeated alerts when log entry is the same

    Hello everybody. I'm on Zabbix 6.4.8 and am trying to solve a problem with a trigger related to log monitoring.

    I am monitoring a log that reports only the error state of remote computers that are not directly accessible from Zabbix. The remote computers are tested every 5 minutes and the error state of them (if any) is written to the log.

    The log entries are like this:

    2023-11-10 10:15:01 PC27 is offline
    2023-11-10 10:15:02 PC06 is offline
    2023-11-10 10:15:04 PC54 is offline
    2023-11-10 10:20:01 PC47 is offline
    2023-11-10 10:20:03 PC19 is offline
    2023-11-10 10:20:04 PC27 is offline​

    So I set up an item to monitor the log, and a trigger to alert the operators that PCx needs immediate action.

    ​​

    It works pretty well except for one thing: if the same host stays offline for more than 5 minutes (like PC27 in the example), it creates another entry in the log and this fires the trigger again, generating a second, third, etc. alert.
    I would like that only one occurrence of a given PC be reported and caused the trigger to fire, until the problem for that PC is manually closed.

    Is there any way to achieve this?
    Tags: None
    • Answer selected by Moebius at 10-11-2023, 20:39.
      Hamardaban
      Senior Member
      Zabbix Certified SpecialistZabbix Certified Professional
      • May 2019
      • 2713
      Look in the direction of "correlation": https://www.zabbix.com/documentation...nt_correlation
        • Selected Answer

        Comment

        • Hamardaban
          Senior Member
          Zabbix Certified SpecialistZabbix Certified Professional
          • May 2019
          • 2713
          #2
          Look in the direction of "correlation": https://www.zabbix.com/documentation...nt_correlation
            • Selected Answer

            Comment

            • Moebius
              Member
              • Dec 2022
              • 43
              #3
              From what I understand, correlation is about closing open problems that would require manual closing instead (like a problem fired by an entry in the log) when another event happens.

              What I want to avoid is to have a duplicate open problem when the same log entry appears again before the problem is closed. Not really sure how correlation could apply to my case.

              Edit: I had only looked at the trigger correlation. I see that there's more under "global correlation": https://www.zabbix.com/documentation...elation/global with also the possibility of closing NEW events.

              Will have to look deeper into this. Thank you!
              Last edited by Moebius; 11-11-2023, 01:18.

                Comment

                • Moebius
                  Member
                  • Dec 2022
                  • 43
                  #4
                  Hamardaban thank you! You did point me in the right direction. Using global event correlation I can close new events before they get notified. Zabbix rocks!

                    Comment

                    Previous template Next
                    Working...