Hello, I am a Zabbix beginner.
I am monitoring a log file and have set up the following trigger:
Login on {HOSTNAME}: Invalid Username
{Template_Snapgear:Syslog.regexp(Username)}=1
Here is the item
Description: Sylog
Key: Syslog
Type of information: Character
My Firewall Syslog job:
./swatch -c /home/zabbix/etc/swatch.conf --script-dir=/var/log -t /var/log/messages
/etc/swatch.conf
watchfor /192.168.158.252/
exec=/home/zabbix/bin/zabbix_sender -z 10.0.99.14 -s gw001.mzone.local -k Syslog -o "$_"
watchfor /10.0.99.254/
exec=/home/zabbix/bin/zabbix_sender -z 10.0.99.14 -s gw001.mservice.local -k Syslog -o "$_"
watchfor /10.0.11.254/
exec=/home/zabbix/bin/zabbix_sender -z 10.0.99.14 -s gw001.smartform.local -k Syslog -o "$_"
If a bad user login occurs, the firewall (remote syslog configured for errors only) sends this information to my remote syslog server. My swatch job runs on this server with the swatch.conf config. If the swatch job sees any entry in the syslog, the zabbix_sender job is started.
My Syslog item gets the information, and my trigger is ON.
Here is my question:
How can I automatically disable this trigger when no further bad login arrives in the next 5 minutes?
Is my way with swatch wrong?
Thanks
Markus
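The behaviour asked about above, modelled as an added example (not part of the original post): lines are routed to a Zabbix host the way the swatch.conf rules do, and a host's alert is ON only while its last received value matches "Username" and is less than 5 minutes old. The function names and the sample log lines are constructed for illustration.

```python
import re

# Routing taken from the swatch.conf in the post: source IP -> Zabbix host.
WATCHFOR = [
    (re.compile(r"192\.168\.158\.252"), "gw001.mzone.local"),
    (re.compile(r"10\.0\.99\.254"), "gw001.mservice.local"),
    (re.compile(r"10\.0\.11\.254"), "gw001.smartform.local"),
]
TRIGGER_RE = re.compile(r"Username")   # same pattern as regexp(Username)
QUIET_SECONDS = 300                    # the 5 minutes asked about

def route(line):
    """Return the host the first matching watchfor rule would send to."""
    for pattern, host in WATCHFOR:
        if pattern.search(line):
            return host
    return None

def alert_windows(events, quiet=QUIET_SECONDS):
    """events: time-ordered (epoch_seconds, syslog_line) pairs.
    Returns {host: [(on, off), ...]}; ON while the last value received for
    the host matches TRIGGER_RE and is younger than `quiet` seconds."""
    windows, state = {}, {}            # state[host] = (on_since, last_match_ts)
    for ts, line in events:
        host = route(line)
        if host is None:
            continue                   # swatch would not forward this line
        cur = state.pop(host, None)
        if cur and ts - cur[1] >= quiet:
            # Quiet period ran out before this line arrived: close the window.
            windows.setdefault(host, []).append((cur[0], cur[1] + quiet))
            cur = None
        if TRIGGER_RE.search(line):
            state[host] = (cur[0] if cur else ts, ts)
        elif cur:
            # A newer non-matching value replaces the last value: alert clears.
            windows.setdefault(host, []).append((cur[0], ts))
    for host, (on, last) in state.items():
        windows.setdefault(host, []).append((on, last + quiet))
    return windows

# Constructed sample lines (not real firewall output).
SAMPLE = [
    (1000, "192.168.158.252 login: Invalid Username 'admin'"),
    (1120, "192.168.158.252 login: Invalid Username 'root'"),
    (1200, "10.0.99.254 login: Invalid Username 'test'"),
    (1260, "10.0.99.254 kernel: link down on eth1"),
    (1900, "192.168.158.252 login: Invalid Username 'guest'"),
    (2000, "172.16.0.1 login: Invalid Username 'x'"),
]
```

The quiet-period condition in this model corresponds to Zabbix's nodata(300) trigger function returning 0 for the Syslog item.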