Windows event log monitoring with ignore list
  • Avalonit
    Junior Member
    • Mar 2015
    • 7

    #1

    Hi All,

    Though a lot has been said about event log monitoring, I still can't figure this out:
    How do I get a trigger when an error arrives in the system log that is not in a predefined ignore list?
    For example, event ID 1111 appears every day but is not interesting. It needs to be filtered out because if a box is flashing an error all the time and no action is required, my brain tends to filter out the entire box after a while... the cry-wolf effect.

    I tried solving this by creating a new filtered event log on the Windows machine (so do the filtering there), but unfortunately Zabbix doesn't seem to want to read non-standard logs and I'm not getting any data from them.

    Any thoughts and/or examples will be greatly appreciated.
  • pablos
    Junior Member
    • Mar 2015
    • 22

    #2
    Hi,

    IIRC, eventlog() only works against Windows logs. You could use a regular expression to ignore certain Event IDs with eventlog(). Or, the other way to do it, if you're only interested in a certain number of events, you can filter that way. The documentation, I believe, has an example: eventlog[Security,,"Failure Audit",,^(529|680)$]

    See https://www.zabbix.com/documentation...ent/win_keys?s[]=eventlog

    Cheers,
    -pablo


    • Avalonit
      Junior Member
      • Mar 2015
      • 7

      #3
      Hi Pablo

      Thanks for your reply. I'm pretty new to Zabbix, so could you please give an example?

      I tried this for a trigger in order to get warnings, but not on event ID 3, 4 or 8. I'm not sure what I'm doing:
      {Windows Logging:eventlog[Application,,Warning|Error,,,,].logseverity(0)}=2 and
      {Windows Logging:eventlog[Application,,Warning|Error,,,,].logeventid(3|4|8)}=0
      is this correct?

      I made the refresh rate 60 seconds, so every 60 seconds Zabbix gets the event log entries that happened since last time. Let's say there were 10 new entries. Now, if one of them is a warning with an ID different from 3, 4 or 8, do I get a warning?
      I'm not understanding the logic when multiple values are returned.


      • pablos
        Junior Member
        • Mar 2015
        • 22

        #4
        Hi,

        Before I create a Trigger, I first verify my Item is working properly. That is, data is flowing from it back to the Zabbix server. I use Monitoring > Latest data.

        Have you confirmed data is flowing? If there's no data, well, there'll be no Trigger firing.

        After I've confirmed the flow do I create a Trigger.

        Looking at your Trigger definition, it looks right to me. If you're unsure about regular expressions, you can always test them using Zabbix: Administration > General > Regular expressions; create a bogus one with your string and confirm it.

        Code:
        {Windows Logging:eventlog[Application,,Warning|Error,,,,].logseverity(0)}=2 
        and
        {Windows Logging:eventlog[Application,,Warning|Error,,,,].logeventid(3|4|8)}=0
        HTH.

        Cheers,
        -pablo


        • Avalonit
          Junior Member
          • Mar 2015
          • 7

          #5
          Hi Pablo

          Data is flowing fine and triggers are working.
          The only problem I have now is that once a trigger has occurred, it won't go away.

          I have tried these kind of constructions:

          {Windows Logging:eventlog[System].logseverity(0)}=4 and
          {Windows Logging:eventlog[System].nodata(600)} and
          {Windows Logging:eventlog[System].logeventid(10009|1111|7034)}=0

          hoping to clear the trigger after 10 minutes, but it's not working.
          Can you tell me what I'm doing wrong?

          thanks again

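Added example, not code from this thread or from Zabbix: a small Python model of the two-condition trigger in posts #3 and #5, run over a constructed batch of polled entries the way Zabbix evaluates a log trigger once per received value (each entry being "the last" at its moment). It assumes logeventid() applies its pattern as an unanchored regex search, which is why the documentation example anchors with ^(...)$; an ignore list written as 3|4|8 then also swallows IDs 13 and 7034.

```python
import re
from dataclasses import dataclass

# Severity codes as returned by Zabbix's logseverity() for Windows event log items.
SEVERITY_CODE = {"Information": 1, "Warning": 2, "Error": 4,
                 "Failure Audit": 7, "Success Audit": 8}


@dataclass(frozen=True)
class EventLogEntry:
    severity: str
    event_id: int
    message: str


# Constructed sample entries standing in for one 60-second poll of the System log.
SAMPLE_BATCH = [
    EventLogEntry("Error", 1111, "constructed: noisy daily error"),
    EventLogEntry("Error", 13, "constructed: disk write failure"),
    EventLogEntry("Warning", 4, "constructed: expected warning"),
    EventLogEntry("Error", 7034, "constructed: service terminated unexpectedly"),
    EventLogEntry("Error", 10009, "constructed: DCOM error"),
]


def id_matches(entry, pattern):
    """Regex test on the event ID with search (unanchored) semantics, assumed here to be
    how logeventid() applies its pattern; a bare '3' therefore also hits ID 13."""
    return re.search(pattern, str(entry.event_id)) is not None


def trigger_fires(entry, severity_code, ignore_pattern):
    """Port of the thread's trigger for one entry:
    logseverity(0)=<severity_code> and logeventid(<ignore_pattern>)=0."""
    return (SEVERITY_CODE[entry.severity] == severity_code
            and not id_matches(entry, ignore_pattern))


def firing_ids(batch, severity_code, ignore_pattern):
    """Evaluate the trigger once per received entry, in arrival order, and return the
    event IDs that would fire; the ignore list decides what is silently dropped."""
    return [e.event_id for e in batch if trigger_fires(e, severity_code, ignore_pattern)]


if __name__ == "__main__":
    for pattern in ("3|4|8", "^(3|4|8)$", "1111|7034|10009", "^(1111|7034|10009)$"):
        print(f"{pattern:22} -> Error entries that fire: {firing_ids(SAMPLE_BATCH, 4, pattern)}")
```

Anchored and unanchored forms of the same ignore list give different results for IDs 13 and 7034, which is the check worth running in Administration > General > Regular expressions before trusting a trigger.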

          • pablos
            Junior Member
            • Mar 2015
            • 22

            #6
            Hi,

            I spent way too much time sorting your exact problem. Below is how I resolved it:



            Cheers,
            -pablo


            • Avalonit
              Junior Member
              • Mar 2015
              • 7

              #7
              Thanks, I'll have to find some time to study this and convert it to MySQL... I'll keep you posted.


              • pablos
                Junior Member
                • Mar 2015
                • 22

                #8
                You're welcome ... when you get a chance, read the post carefully, I reference the original MySQL code. You can use it as your template instead.
