If I understand correctly, this would work.
Item:
log[/var/log/syslog,error]

Item will read only lines with text "error in them", you could try:
log[/var/log/syslog,"(CRON) error (create tmpfile)"]
but not sure if it would work, I know that this will work for you:

just build your regexp there.

If you build your regexp, then your item will look like:
log[/var/log/syslog,@NAME_OF_REGEXP]

Replace NAME_OF_REGEXP

Trigger:
{HOST_NAME:log[/var/log/syslog,error].nodata(30)}=0

Replace HOST_NAME

Would change status to PROBLEM if there has been text matching regexp within last 30 seconds.
If this is not what you are after, then let us know.

We use this trigger to fire up in case of problem:

if u want to start the trigger after 2 or more same event change #1 to #2 or others ...

I have another related problem: when trigger is stared how to come back? I want that if the item match the string "error" and my trigger fire up, after one hour (for example) trigger must be back to normal status

Works!!

Hi Roby

With the Item with log[file,"some to search"] didn't works, but with the @regexp works fine...

Now the item only reg when the patern match. Fantastic!!!

But with the trigger we have some problems:

{myhost:log[/var/log/syslog_test,@tmpfile].nodata(30)}=0

The item launch well...but serverity warning turn to green very early... It send the email, but when I go to zabbix console, the trigger severity is in green state. (not Acknowledged).

How I can create the trigger that it wait to turn green until we Acknowledged the warning??

Thanks a lot!!!

hi! you could also leave your trigger like it was before and use trigger provided by yayo.
If you use the one I provided, then you should change the number 30 to suite your needs, if you set it to 600, like:
{myhost:log[/var/log/syslog_test,@tmpfile].nodata(600)}=0
Then the problem in Zabbix monitoring overview will stay for 10 minutes (10 * 60 seconds = 600 seconds).
You should be aware of disadvantage of this - although new lines with keyword "error" will be read into latest data, the trigger will not change its state, because trigger will be set to change back to normal only after there has been no data for 600 seconds. So if you have 2 problem lines in syslog, then only first one will be sent via email (when trigger changes status).
I dont think you can change status of trigger (to normal) by Acknowledge.
You dont have much options for this using Zabbix, you can read this:


It explains the problem. You can use time period (like 600 seconds) to get trigger back to green, or it will always stay in alert mode because - how would Zabbix know the problem has gone away if only thing it has is one line in syslog file? There are dirty workarounds, but not trivial.