Hi all! I'd like to create a trigger which alerts me when there are several failed attempts (in a time lapse) to login to a terminal server. My trigger is like {MYTS:eventlog[Application,,Information,RDPDefender,^0$].logeventid(0)}=1 but I need to add the condition told before, I mean I need this trigger to be activated if this event id takes place several times (e.g. 20) in 300 seconds for example. How should I construct it? I thank You all very much. Have a nice day, Sara
A Trigger to Monitor Failed Logins from outside
You can make a calculated data element that accumulates the values of "main item triggers" ( logeventid(MYTS:eventlog[Application,,Information,RDPDefender,^0$],0) ) and then use it in a trigger expression with functions (like count, avg, min, max) with a time period.
Thank You Hamardaban. So, I have to set eventlog[Application,,Information,RDPDefender,^0$],0) as key? What about the formula? How should I compile it? Many thanks, Sara
logeventid("eventlog[Application,,Information,RDPDefender,^0$]",0) - it's formula
key - as you wish
Last edited by Hamardaban; 26-01-2021, 19:48.
Hi again and thanks! Zabbix tells me: Details: Cannot add item - Invalid parameter "/1/params": incorrect calculated item formula starting from "eventlog[Application,,Information,RDPDefender,^0$],0)"
Hi! I'm really sorry to bother You, I created the item and put the term eventlog in the key field. I created a trigger but it does not work, it turns gray (the trigger shows just the key field, not the formula). I need to create a trigger that alerts me when there are more than 20 specific events in a lapse of time. But I'm doing something wrong. Many thanks, Sara
Hi Hamardaban, thank you very much again. I attached the screenshot You requested, I think the problem is about the trigger syntax, it does not contain all the information... (Cannot evaluate function "logeventid(0)")
So I have to compile the key field with the right data. Plus, is there a way to tell the trigger not to include certain data? (I mean the events containing e.g. 127.0.0.1) Thank You and have a nice day! Sara
Last edited by Sara.Art; 28-01-2021, 10:14.
Hi Cyber, if I create the item as Zabbix Agent (active) Type and Type of information Log, it starts collecting the data. But I cannot (or better, I don't know how to) create a trigger that counts at least a number of events in a time lapse. Plus I wonder if it's possible to exclude all the information containing a specific "word", such as 127.0.0.1.
Why am I looking for this trigger? I'm monitoring a Terminal Server, sometimes it suffers attacks from outside (several failed attempts to login from "outside") and I'd like to know if this happens. Cheers! Sara
Hi, Sara. You have to modify the regexp. How you do this depends on the text of the log. As an option you may put a regexp with the exclusion into the item key: eventlog[Application,<regexp>,Information,RDPDefender,^0$]. In this case, no need to use a regexp in the trigger expression, just .count(5m)>20 and .now()>0
So you seem to have an item "eventlog[Application,,Information,RDPDefender,^0$]". This returns all lines which indicate a failed login, I assume?
Why do you want another calculated item... count() should be enough.
{yourhost:eventlog[Application,,Information,RDPDefender,^0$].count(5m)}>20
If you want to exclude some of them, try to modify the item so it does not pick up those. There is this field in the parameters where you can add a regex to match the needed text.
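To make the two pieces of advice in this thread concrete (a `count(5m)>20` threshold over the collected log item, plus a regexp that keeps the 127.0.0.1 entries out of the item in the first place), here is an added, stand-alone Python model of that detection logic. It is not Zabbix code and not part of the original thread; the event message format and the 203.0.113.x / 198.51.100.x source addresses are constructed sample data, and the function and parameter names are this example's own.

```python
import re
from collections import deque
from typing import Iterable, List, Optional, Tuple

# Constructed sample events as (epoch_seconds, message). The message wording is an
# assumption for this example, not the real RDPDefender event text.
SAMPLE_EVENTS: List[Tuple[int, str]] = (
    # 25 remote failures within ~2 minutes: should trip "more than 20 in 300 s"
    [(1000 + i * 5, f"Failed login for user admin from 203.0.113.{i % 4 + 1}")
     for i in range(25)]
    # 30 local failures at the same moments: the regexp exclusion must drop these
    + [(1000 + i * 5, "Failed login for user svc from 127.0.0.1") for i in range(30)]
    # a slow trickle later: 5 failures spread over 10 minutes, must not trip
    + [(5000 + i * 120, "Failed login for user guest from 198.51.100.7") for i in range(5)]
)


def windowed_counts(events: Iterable[Tuple[int, str]], window_seconds: int,
                    exclude_regex: Optional[str] = None):
    """Yield (timestamp, n) for each kept event, where n is the number of kept
    events in the trailing window [timestamp - window_seconds, timestamp].

    This mirrors what Zabbix count(5m) evaluates over the item's history, with
    exclude_regex playing the role of the item-key regexp that filters lines
    before they are ever stored.
    """
    exclude = re.compile(exclude_regex) if exclude_regex else None
    recent = deque()  # timestamps of kept events still inside the window
    for ts, message in sorted(events, key=lambda e: e[0]):
        if exclude and exclude.search(message):
            continue  # filtered at collection time, never counted
        recent.append(ts)
        while recent and ts - recent[0] > window_seconds:
            recent.popleft()  # expire events that fell out of the window
        yield ts, len(recent)


def burst_detected(events: Iterable[Tuple[int, str]], threshold: int = 20,
                   window_seconds: int = 300,
                   exclude_regex: Optional[str] = r"127\.0\.0\.1") -> Optional[int]:
    """Return the first timestamp at which more than `threshold` kept events fell
    within `window_seconds` (the equivalent of .count(5m)>20 firing), else None."""
    for ts, n in windowed_counts(events, window_seconds, exclude_regex):
        if n > threshold:
            return ts
    return None


if __name__ == "__main__":
    fired_at = burst_detected(SAMPLE_EVENTS)
    print("with 127.0.0.1 excluded, trigger fires at:", fired_at)
    print("without exclusion, trigger fires at:",
          burst_detected(SAMPLE_EVENTS, exclude_regex=None))
```

The second print shows why the exclusion belongs in the item key rather than in the trigger: without it, the local noise is counted alongside the remote failures and the threshold is crossed earlier, on events that are not the outside attempts Sara wants to see.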