Windows Event Log Monitoring - Changes to Item do not always work/take effect

  • th3axman
    Junior Member
    • Mar 2020
    • 10

    #1

    Windows Event Log Monitoring - Changes to Item do not always work/take effect

    ***I apologize if this has already been addressed in another post, but I've spent a considerable amount of time searching and I haven't found anything.***

    I need some assistance with an issue I'm having with Windows event log monitoring. I'm on version 4.0.11 of the Zabbix Server and Agent. The Agent is running on a Windows 2016 box.

    The first attached screenshot illustrates the Item configuration using "skip" mode. Data appears in the Latest Data section, but all entries from the event log are pulled into Zabbix.
    • For new Items, does the agent always send all entries from the event log even if "skip" is used? I was under the impression the agent would only send event log entries created since the Agent was started when "skip" is specified.
    The second attached screenshot shows that I changed the item key from "skip" to "all" (the default mode). I also cleared all history and trend data for the item. I waited 30 minutes to an hour, but nothing appears in Latest Data.
    • Can someone help me understand why changing from "skip" to "all" results in no data being sent by the Agent to the Zabbix Server?
      • It acts as though it is still in "skip" mode.
      • I've tried clearing history and trend data multiple times as well as restarting the agent multiple times.
      • The only way I can get "all" to work again is by deleting and recreating the Item.
    Last edited by th3axman; 25-01-2021, 18:09.
  • th3axman
    Junior Member
    • Mar 2020
    • 10

    #2
    Hi cyber, thank you for the information!

    I want to make sure I understand: if I perform the following actions, then all old crap will always get pulled even though I use "skip" on a new item for the same thing (e.g. same event log). Is that correct? That seems to be the behavior you are describing and that I am seeing.
    1. Create an item that uses "all"
    2. Let the item using "all" pull data from the server/agent
    3. Delete the item using "all"
    4. Create a new item using "skip" for the same server/agent and specific event log
    5. Let the item using "skip" pull data from the server/agent
    Thank you,

    Jason


    • th3axman
      Junior Member
      • Mar 2020
      • 10

      #3
      Hey cyber,

      So I confirmed that creating a new item using "skip" works, but that's not really where I'm seeing the issue.

      I was expecting that if I change an item from "skip" to "all" that the agent would go back and pull everything from the beginning of the event log. Instead, the agent stays in "skip" mode. In that case, the only way to get the agent to send everything is to delete and recreate it using "all".

      I fully understand and agree with the logic that if you change from "all" to "skip", the agent and Zabbix Server are not going to go back and remove all previously pulled data. On the other hand, from the standpoint of user expectation, it seems somewhat problematic that if I change the item from "skip" to "all" that the agent will continue to function in "skip" mode.

      In all honesty, I really only care about "skip" mode since, as Dmitry Lambert points out, 99% of the time you want to use "skip" mode anyway.

      Thanks,

      Jason
