Ad Widget

**ingus.vilnis** · 25-06-2014, 09:21

Hello and welcome!

For a start you simply have to set up an eventlog item for each Windows event log (Application, Security, System) as described here: https://www.zabbix.com/documentation...agent/win_keys .

When you have your data coming in, you can create your triggers depending on the events you are looking for. Basically you can have only one trigger per each eventlog which fires on every eventlog entry and then later you can modify the trigger by excluding the eventids you don't want to get notified about.

Best Regards,
Ingus

**jeroenmgage** · 25-06-2014, 09:50

Thank you!

I have created items for the Application and System log and I see things coming in. So that works like a charm!

Also I've created triggers for Warnings and Errors. Works great as well. But how would I then add exclusions for the eventid's I don't want to get notified on? Say, in a few months I've gathered the following list of eventid's that I would want to be notified on: (just a random bunch of numbers, but to get the idea!

) 1001 to 1005, 3056, 3058, 4055, 4897, 4988, 5089, 5123, 5345, 5553, 5676, 5678 to 5700, 6486. Would I then get an expression like this:

{Template Test Windows Eventlogs:eventlog[System,,,,,,skip].logseverity(0)}=4 & {Template Test Windows Eventlogs:eventlog[System,,,,,,skip].nodata(5)}=0{Template Test Windows Eventlogs:eventlog[System,,,,,,skip].logeventid(1001)}#0{Template Test Windows Eventlogs:eventlog[System,,,,,,skip].logeventid(1002)}#0{Template Test Windows Eventlogs:eventlog[System,,,,,,skip].logeventid(1003)}#0{Template Test Windows Eventlogs:eventlog[System,,,,,,skip].logeventid(1004)}#0{Template Test Windows Eventlogs:eventlog[System,,,,,,skip].logeventid(1005)}#0{Template Test Windows Eventlogs:eventlog[System,,,,,,skip].logeventid(3056)}#0(and so on?)

Regards,
Jeroen

**ingus.vilnis** · 25-06-2014, 11:05

Jeroen,

Glad that you have your logs coming in!

The trigger expression can be simplified in your case by having the desired eventid's in one row separated by logical OR.

Code:

{Template Test Windows Eventlogs:eventlog[System,,,,,,skip].logseverity(0)}=4 & 
{Template Test Windows Eventlogs:eventlog[System,,,,,,skip].nodata(5)}=0 & 
{Template Test Windows Eventlogs:eventlog[System,,,,,,skip].logeventid(^1001$|^1002$|^3056$)}=1

What are the extra symbols there, you may ask? They are used to match the exact eventid in Windows log.
^ - start of line
$ - end of line
| - logical OR

Best Regards,
Ingus

**jeroenmgage** · 25-06-2014, 11:41

Hi Ingus,

Thank you again for your prompt response and clear explanation. This is indeed a far more manageable expression.

Regards,
Jeroen

Ad Widget

Windows Eventlogs

Windows Eventlogs

Comment

Comment

Comment

Comment