Ad Widget

**ISiroshtan** · 03-12-2021, 13:25

Looking at screenshot and text I have a strong feeling tabs were removed from text by forum engine when you posted.. still tried to account for it. Please do try the following:

1. Trigger name:

Code:

{{ITEM.VALUE}.regsub("Account Name:\s*(.*)",\1)} created the user {{ITEM.VALUE}.regsub("New Account:\s*Security ID:.*\\(.*)",\1)}

2. Trigger name:

Code:

{{ITEM.VALUE}.regsub("Account Name:\s*(.*)\n(.|\n)*?Account Name:\s(.*)", "\1 created the user \3")}

**ISiroshtan** · 03-12-2021, 12:13

Hi there.

Please try following approaches, pretty sure both of them should work(tested on my LAB with Zabbix 5.0).

1. Trigger name:

Code:

{{ITEM.VALUE}.regsub("Account Name: (.*)",\1)} created the user {{ITEM.VALUE}.regsub("New Account:\nSecurity ID: .*\\(.*)",\1)}

2. Trigger name:

Code:

{{ITEM.VALUE}.regsub("Account Name: (.*)\n(.|\n)*?Account Name: (.*)", "\1 created the user \3")}

**ErmTV** · 03-12-2021, 12:52

Originally posted by ISiroshtan

Hi there.

Please try following approaches, pretty sure both of them should work(tested on my LAB with Zabbix 5.0).

1. Trigger name:

Code:

{{ITEM.VALUE}.regsub("Account Name: (.*)",\1)} created the user {{ITEM.VALUE}.regsub("New Account:\nSecurity ID: .*\\(.*)",\1)}

2. Trigger name:

Code:

{{ITEM.VALUE}.regsub("Account Name: (.*)\n(.|\n)*?Account Name: (.*)", "\1 created the user \3")}

Hello.
I tried to paste the code you suggested now.
When using the first option, only "created the user" will remain in the trigger name
When using the second option, the trigger name is empty.
I just pasted the options you suggested in the trigger name, did I do the right thing?

**ISiroshtan** · 03-12-2021, 12:55

Please kindly specify which version of Zabbix server you using and add a screenshot showing how said information appear in "Latest data" inside of Zabbix.

**ErmTV** · 03-12-2021, 13:02

Originally posted by ISiroshtan

Please kindly specify which version of Zabbix server you using and add a screenshot showing how said information appear in "Latest data" inside of Zabbix.

zabbix_server (Zabbix) 5.0.11
Revision 15ae5548ce 26 April 2021, compilation time: Apr 26 2021 11:24:33

**ISiroshtan** · 03-12-2021, 13:07

Ok, can you copy me data from "Latest data" as text(feel free to replace domain and usernames with whatever you want)? The data contains extra spaces/tabs/new lines, which I obviously did not account for when writing the regexp.

**ErmTV** · 03-12-2021, 13:13

Originally posted by ISiroshtan

Ok, can you copy me data from "Latest data" as text(feel free to replace domain and usernames with whatever you want)? The data contains extra spaces/tabs/new lines, which I obviously did not account for when writing the regexp.

Attached! Thank you so much for your attention to my problem!

Code:

A user account was created.



Subject:

Security ID: CONTOSO\Administrator

Account Name: Administrator

Account Domain: CONTOSO

Logon ID: 0x0000000



New Account:

Security ID: CONTOSO\testauditt

Account Name: testauditt

Account Domain: CONTOSO



Attributes:

SAM Account Name: testauditt

Display Name: testauditt

User Principal Name: [email protected]

Home Directory: -

Home Drive: -

Script Path: -

Profile Path: -

User Workstations: -

Password Last Set: <never>

Account Expires: <never>

Primary Group ID: 111

Allowed To Delegate To: -

Old UAC Value: 0x0

New UAC Value: 0x00

User Account Control:

Account Disabled

'Password Not Required' - Enabled

'Normal Account' - Enabled

User Parameters: -

SID History: -

Logon Hours: <value not set>



Additional Information:

Privileges

**ISiroshtan** · 03-12-2021, 13:25

Looking at screenshot and text I have a strong feeling tabs were removed from text by forum engine when you posted.. still tried to account for it. Please do try the following:

1. Trigger name:

Code:

{{ITEM.VALUE}.regsub("Account Name:\s*(.*)",\1)} created the user {{ITEM.VALUE}.regsub("New Account:\s*Security ID:.*\\(.*)",\1)}

2. Trigger name:

Code:

{{ITEM.VALUE}.regsub("Account Name:\s*(.*)\n(.|\n)*?Account Name:\s(.*)", "\1 created the user \3")}

**ErmTV** · 03-12-2021, 14:35

Originally posted by ISiroshtan

Looking at screenshot and text I have a strong feeling tabs were removed from text by forum engine when you posted.. still tried to account for it. Please do try the following:

1. Trigger name:

Code:

{{ITEM.VALUE}.regsub("Account Name:\s*(.*)",\1)} created the user {{ITEM.VALUE}.regsub("New Account:\s*Security ID:.*\\(.*)",\1)}

2. Trigger name:

Code:

{{ITEM.VALUE}.regsub("Account Name:\s*(.*)\n(.|\n)*?Account Name:\s(.*)", "\1 created the user \3")}

It works!!! Thank you very much!

**ErmTV** · 06-12-2021, 14:32

Originally posted by ISiroshtan

Looking at screenshot and text I have a strong feeling tabs were removed from text by forum engine when you posted.. still tried to account for it. Please do try the following:

1. Trigger name:

Code:

{{ITEM.VALUE}.regsub("Account Name:\s*(.*)",\1)} created the user {{ITEM.VALUE}.regsub("New Account:\s*Security ID:.*\\(.*)",\1)}

2. Trigger name:

Code:

{{ITEM.VALUE}.regsub("Account Name:\s*(.*)\n(.|\n)*?Account Name:\s(.*)", "\1 created the user \3")}

Hello!
Could you tell me how it works? So that I don't write to the forum every time +)
For example, we have a line:

Code:

{{ITEM.VALUE}.regsub("Account Name:\s*(.*)",\1)} created the user {{ITEM.VALUE}.regsub("New Account:\s*Security ID:.*\\(.*)",\1)}

What the parameters "\ s *" "\ 1" "(. *)" Mean. Please tell me where you can read about it?

**ISiroshtan** · 06-12-2021, 14:46

Hey there mate.

https://regex101.com/ - generally a good utility to test a regexp. But be mindful as regexp from this website sometime needs to be changed slightly to comply with PHP and Zabbix parsing (notable the use of " inside of regexp that needs to be escaped by backslash). Also, you need to disable global and multiline options on this website

You can use wiki for some theory + some cheat sheet:

PCRE Regular Expression Cheatsheet - Debuggex

https://www.debuggex.com/cheatsheet/regex/pcre

javascript,regex,regular expression,visual,nfa,dfa,state,debugger,helper,tester,match,random match

https://en.wikipedia.org/wiki/Perl_C...ar_Expressions

Also you can reach me in personal message and we can have discussion if you need to know something in particular.

Still, to answer your questions on specific symbols:

\s - any whitespace character, including but not limited to space, tab, new line.
\s* - any number(including zero) of whitespace characters
(.*) - match any number of any characters (in non multi-line mode it will match up to a new-line character) and remember them as a "match group"
\1 - return whatever you remembered as a group 1 (also not really part of expression itself but an output syntax that is also supported in Zabbix )

Hope it helps.

Ad Widget

Same values in the log (output in the trigger name)

Same values in the log (output in the trigger name)

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment