log file monitoring - reset trigger value after acknowledge

  • futschler
    Junior Member
    • Aug 2011
    • 3

    #1

    log file monitoring - reset trigger value after acknowledge

    I am trying to set up log file monitoring. Here is how I think it should behave:

    - Log file contains a certain key word, let's say "error"; this can be a transient error condition, means the key word might appear only once
    - An associated trigger should go to "PROBLEM"
    - The trigger value should remain "PROBLEM" even if the word "error" does not appear in the log in future samples anymore
    - The trigger value should be reset to "OK" after the event gets approved


    Right now, I can only EITHER have the trigger go to PROBLEM if the log finds the key word, but then automatically go back to OK in the next item scan cycle if the sample does not contain the key word again (bad), OR alternatively (and also bad) get the trigger to remain on PROBLEM if fired once.

    I googled around and found many people asking similar questions - but no answer I could use. I considered including the macro "{TRIGGER.EVENTS.UNACK}" in the trigger expression (to check whether there are >0 unacknowledged events for the trigger and if yes, keep the value "PROBLEM"). But according to the documentation - and also according to the error message I got when I tried - "{TRIGGER.EVENTS.UNACK}" cannot be used in trigger expressions.

    Is there a way to get the intended trigger behavior?
  • msnelling
    Junior Member
    • Sep 2011
    • 9

    #2
    Did you find a solution to this? I'm having exactly the same problem.

    It seems to me that log monitoring is useless without this functionality.


    • 6-MarViN
      Junior Member
      • Sep 2011
      • 13

      #3
      I think I found a way to go around this problem. I wanted to monitor a system logfile to get the name of every user connecting. Unfortunately it didn't work. So what I did was the following:

      1) Create a normal monitoring item (no Zabbix agent active). In the key put this:

      system.run[grep "your pattern" "/path/to/your/log" | tail -n1]

      This will get you the last value corresponding to your pattern in the log file.

      2) Create a trigger with this expression:

      {Server:YourItemName.change(0)}=1

      3) create an action to process your new values.

      Because the trigger is using the .change() function, if your log does not have a new error line by the time Zabbix refreshes its information, the previous value you got will be the same as the one Zabbix will send you when refreshing, and therefore the change value will be zero and the trigger will go to OK.

      I hope that's what you're looking for.
      Last edited by 6-MarViN; 16-09-2011, 16:05.


      • s0me0ne
        Junior Member
        • Sep 2011
        • 1

        #4
        Hi,

        I am new to Zabbix and I had the same problem as you.
        I use this for Windows logs.

        I think I have found a solution which goes the right way but is not perfect.

        1) You need a new SQL user.
        (for example user: zabbix_ro pw: geheim)

        2) Create an external script (acknow.sh):
        (The script counts all triggers for the host which are not acknowledged.
        You have to select "Connect to DNS name" at CONFIGURATION OF HOSTS)

        Code:
        #!/bin/bash

        HOST=$1

        if [ -z "$HOST" ]
        then
                echo "No HOSTNAME"
                exit 1
        fi

        # accept only host name characters, because HOST is placed inside the SQL string below
        case "$HOST" in
                *[!A-Za-z0-9._-]*)
                        echo "Invalid HOSTNAME"
                        exit 1
                        ;;
        esac

        # mysql client and credentials and default database
        MYSQL="/usr/bin/mysql -h Your_SQL_SERVER_IP -u zabbix_ro -pgeheim -N zabbix"

        # execute the query and print result to stdout
        echo "SELECT count(t.triggerid) AS counter
        FROM triggers t
        JOIN functions f ON (f.triggerid = t.triggerid)
        JOIN items i     ON (i.itemid = f.itemid)
        JOIN hosts h     ON (h.hostid = i.hostid)
        JOIN events e    ON (e.objectid = t.triggerid)
        WHERE
        h.dns = '${HOST}'
        AND e.acknowledged = 0
        AND e.value = 1
        AND h.status = 0
        AND t.value = 1
        AND t.status = 0
        AND i.status = 0" | $MYSQL

        3) Create a new Item for the host you want to check
        Type: External Check
        Key: acknow.sh

        4) Create a new Trigger
        Expression: {HOST:eventlog[System].logseverity(0)}=4|{TRIGGER.VALUE}=1&{HOST:acknow.sh.last(0)}>0

        I've tested the script 100% so far yet.

        hth

        ps. Thanks to Chris for his Support :-P and lap4 for the inspiration.

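The latch that post #4 builds from its query and trigger expression can be traced check by check. This is an added example, not code from any post in this thread. It assumes SQLite in place of MySQL, a constructed subset of the tables, a constructed host name `srv1.example` and check sequence, one trigger evaluation per item check, and that `&` binds tighter than `|`.

```python
import sqlite3
# Constructed subset of the tables the query joins; not the full Zabbix schema.
SCHEMA = """
CREATE TABLE hosts(hostid INTEGER, dns TEXT, status INTEGER);
CREATE TABLE items(itemid INTEGER, hostid INTEGER, status INTEGER);
CREATE TABLE triggers(triggerid INTEGER, value INTEGER, status INTEGER);
CREATE TABLE functions(triggerid INTEGER, itemid INTEGER);
CREATE TABLE events(objectid INTEGER, value INTEGER, acknowledged INTEGER);
INSERT INTO hosts VALUES (1, 'srv1.example', 0); INSERT INTO items VALUES (10, 1, 0);
INSERT INTO triggers VALUES (100, 0, 0); INSERT INTO functions VALUES (100, 10);
"""
QUERY = """
SELECT count(t.triggerid) FROM triggers t
JOIN functions f ON f.triggerid = t.triggerid
JOIN items i ON i.itemid = f.itemid
JOIN hosts h ON h.hostid = i.hostid
JOIN events e ON e.objectid = t.triggerid
WHERE h.dns = ? AND e.acknowledged = 0 AND e.value = 1
  AND h.status = 0 AND t.value = 1 AND t.status = 0 AND i.status = 0
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def unacked(db, host):
    # The host name is bound as a parameter instead of being pasted into the SQL text.
    return db.execute(QUERY, (host,)).fetchone()[0]

def trigger_value(severity_hit, previous, unacked_count):
    # {..logseverity(0)}=4 | ({TRIGGER.VALUE}=1 & {..acknow.sh.last(0)}>0), grouping assumed
    return int(severity_hit or (previous == 1 and unacked_count > 0))

def simulate(db, checks, host="srv1.example"):
    # checks: one (log entry had severity 4, operator acknowledged first) pair per item check
    history, value = [], 0
    for hit, ack in checks:
        if ack:
            db.execute("UPDATE events SET acknowledged = 1")
        new = trigger_value(hit, value, unacked(db, host))
        if new == 1 and value == 0:  # OK -> PROBLEM opens an unacknowledged event
            db.execute("INSERT INTO events VALUES (100, 1, 0)")
        value = new
        db.execute("UPDATE triggers SET value = ?", (value,))
        history.append(value)
    return history

CHECKS = [(True, False), (False, False), (False, False), (False, True), (False, False)]
```

`simulate(make_db(), CHECKS)` holds PROBLEM through the quiet checks and drops to OK only after the acknowledgement. Because the query filters on the host rather than on one trigger, any other unacknowledged PROBLEM event on the same host also keeps the count above zero.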

        • HullZabbix
          Senior Member
          • Feb 2011
          • 104

          #5
          I may well be wrong but is this not what

          Event Generation: "Normal + Multiple PROBLEM events"

          is for in the trigger setting?


          • lana_paradinha
            Junior Member
            • Sep 2013
            • 28

            #6
            Originally posted by HullZabbix
            I may well be wrong but is this not what

            Event Generation: "Normal + Multiple PROBLEM events"

            is for in the trigger setting?
            Doesn't work


            • lana_paradinha
              Junior Member
              • Sep 2013
              • 28

              #7
              Any solution?
