Windows eventlog trigger event 4672

  • klarter
    Junior Member
    • Jul 2020
    • 27

    #1

    Windows eventlog trigger event 4672

    I have the following item:
    eventlog[Security,,,,^4672$]
    and the following trigger: I can create the event multiple times (by signing off and on to the target computer).
    I see the event(s) in the Zabbix "Latest data" tab, but no trigger is fired (except for the first occurrence of the event).
    I have also tried:
    {MSEBCADMSMB001:eventlog[Security,,,,^4672$].logeventid(0)}=1
    and
    {MSEBCADMSMB001:eventlog[Security,,,,^4672$].str(4672)}=1
    with the same result.
    How can I get the trigger to fire for each occurrence of the event?
  • tim.mooney
    Senior Member
    • Dec 2012
    • 1427

    #2
    Rather than creating a new forum topic, you probably should have just kept this question in your original topic, since it's the same question: https://www.zabbix.com/forum/zabbix-...ows-event-4672

    Can you show us the configuration screen for this trigger?

    Does it work the way you want it to if you switch the "PROBLEM event generation mode" from "Single" to "Multiple"?

    • klarter
      Junior Member
      • Jul 2020
      • 27

      #3
      As a newbie to Zabbix, I find the mechanics of triggers and Windows log retrieval a bit difficult. I now realize through some trial and error that the triggers will reset after some time, so I set the monitoring interval to 30 minutes and the PROBLEM event generation mode to "Single". Seems to be working satisfactorily now. Can you explain how Zabbix decides if it's a PROBLEM or OK situation? And thanks for your help and patience. I know from past experience in other areas that it's frustrating working with "newbies".

      • tim.mooney
        Senior Member
        • Dec 2012
        • 1427

        #4
        It's fine, you haven't required any "patience" on my part! Besides, the best part about working with newbies: they typically ask the easiest questions!

        The thresholds that determine "is this a problem?" are determined by the "Problem expression" part of the trigger. If you're not using a "Recovery expression", then the logic in the "Problem expression" also controls when a problem switches back to "OK".

        Giving the documentation chapter on triggers a slow, thorough re-read might help fill in some conceptual gaps, especially now that you've had to set up some triggers and have a bit of experience with them. https://www.zabbix.com/documentation...onfig/triggers


        I suspect that part of the difficulty you're encountering is that you started with a much more complicated case than a simple "is C: more than 90% full" type threshold. Based on what you've said in comment #3, I suspect (but am not certain) that the only reason your trigger is clearing is that the function(s) you're using are only looking at the last batch of log file lines submitted, so after 30 minutes your client is submitting a new batch of messages and if there haven't been any logins in the new batch, the previous PROBLEM event clears. If that works for you, that's fine, but my guess is it isn't quite what you actually want.

        • ripperSK
          Member
          • Jul 2019
          • 42

          #5
          In my experience cleaning Windows event log triggers is somewhat difficult.

          In ideal conditions the event with the error also has a related information event that comes after the problem is resolved. If this is your case you can use the second event in the recovery expression of your trigger. You will however need to create an item to collect the OK state event first.

          Sometimes only errors are logged and not OK states. In this case you can either do what you did - look at the 30 minute interval of collected logs - if there are no errors, your trigger will take it as a recovery and clear your problem. This is OK for intermittent things like someone changed his/her password or someone triggered a 404 HTTP code on a web server.

          It is not OK for events like your service crashed or that your file system reports errors.

          In this case you should try to collect some information from the host that indicates that the problem is fixed - if it is not possible to automate, it's best to leave such a trigger without a recovery expression and with the manual close option ticked. This way the trigger will stay in problem mode until some operator checks/fixes the actual problem and closes it manually in the Zabbix web interface.
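As an added illustration of the options discussed in posts #2, #4 and #5 (PROBLEM event generation mode Single vs Multiple, a separate recovery expression, and manual close), here is a small Python model of how a trigger moves between OK and PROBLEM. It is example code written for this page, not Zabbix code or anything from the posters, and it simplifies Zabbix semantics: a "batch" is the list of event IDs the agent submitted in one polling interval, the thread's `logeventid(...)=1` is modelled as "a 4672 event was in that batch" (the behaviour post #4 suspects), and event ID 4634 (logoff) is assumed as the recovery event.

```python
from dataclasses import dataclass, field
# A batch is the list of event IDs the agent submitted in one polling interval,
# keyed by item name (a logon item and, optionally, a logoff item). Constructed.

@dataclass
class Trigger:
    problem_expr: object                # callable(batch) -> bool
    recovery_mode: str = "expression"   # "expression" | "recovery_expression" | "none"
    recovery_expr: object = None        # callable(batch) -> bool, used in 2nd mode
    multiple: bool = False              # PROBLEM event generation mode Single/Multiple
    manual_close: bool = False          # "Allow manual close" option
    state: str = "OK"
    events: list = field(default_factory=list)

    def evaluate(self, batch) -> str:
        problem = self.problem_expr(batch)
        if self.state == "OK":
            if problem:                 # OK -> PROBLEM transition creates one event
                self.state = "PROBLEM"
                self.events.append("PROBLEM")
            return self.state
        # Already in PROBLEM: decide whether it recovers or fires again.
        if self.recovery_mode == "expression":
            recovered = not problem     # problem expression alone controls OK
        elif self.recovery_mode == "recovery_expression":
            recovered = (not problem) and self.recovery_expr(batch)
        else:                           # "none": only an operator can close it
            recovered = False
        if recovered:
            self.state = "OK"
            self.events.append("OK")
        elif problem and self.multiple: # Multiple mode: one event per occurrence
            self.events.append("PROBLEM")
        return self.state

    def close_manually(self) -> bool:   # operator closes it in the frontend
        if self.state == "PROBLEM" and self.manual_close:
            self.state = "OK"
            self.events.append("OK (manual)")
            return True
        return False

def run(trigger, batches) -> list:
    for batch in batches:
        trigger.evaluate(batch)
    return trigger.events

# Assumed: 4634 = logoff event; BATCHES is constructed data (3 logons, then quiet).
logon_seen = lambda b: 4672 in b.get("logon", [])
logoff_seen = lambda b: 4634 in b.get("logoff", [])
BATCHES = [{"logon": [4672]}, {"logon": [4672]}, {"logon": [4672]}, {"logon": []}]
```

With the default (Single) mode `run(Trigger(logon_seen), BATCHES)` yields only one PROBLEM event for three logons, which is the behaviour reported in post #1; `multiple=True` yields one per batch.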