"I defined an item to import these logs into zabbix, then I defined a trigger for this item"

I am working on the same issue. I am have zabbix monitoring an eventlog[security] and its working fine. I can view all the details in the history page. Now I am trying to send emails based on the type of message (critical, information, warning, ect) and I am having issues with the triggers.

How are you defining the trigger? I have been trying the vfs.file.cksum but that is not working at all. I get a error saying something about the parameter being wrong.


"Is there a way to switch the trigger to FALSE once the new logs have been read by the user?"

From what I can tell by working on this (very limited and little experiance with zabbix, quite the newbie at the moment so I may be completly wrong) it appears to me that the alert stays active until the next check. I noticed the same thing earlier, and when I set the time check to 2 sec. it stopped.

Sorry I cant be much more help at the moment. I will report back if I find anything.

OK well I have been digging through the forums and I found this:


I reset all of my configurations to what they list for everything (setup, items, triggers, ect) and it appears to all be working now. I am going to test a few things and hopefully all the problems will go away

Still dont have a complete answer for you though as I am once again having that same problem, even with the 2 sec checking...I will report back if I get anything else working.

[edit] I got nothin and I need a break from digging around the documentaion/forums.
At this point, I have it where when the log is updated, the trigger goes ON, and after a while it goes to unknown. However, because it never goes OFF any new items are never sent to the email.

The configuration I need it in is that every log event of a certain type needs to be sent to email.

Well I am afraid I dont have much.
Now that I have it switching 'on' then to 'unknown' I have been trying to figure out why it will not switch off or send more email. I found that zabbix will send the very first item in the log and nothing else so you have to clear the log and reset zabbix...every time...arg

It recieves the new log entry within seconds, it just. will. not. send. emails!

and apparently no one else ever monitors their logs or knows the answer and everyone just gives up. There are tons of post going back as far as 2004 that have very similar problems like this with log monitoring and I can not find a single resolution that works...

Getting close!!

OK so for anyone else who is trying to do this...

In order to have your log send alerts, it has to turn off. It cant just go into an unknown state. So in your trigger configuration (Configuration->Triggers->click on the trigger for your log), your expression should be: {Computer:eventlog[EventLog].nodata(30)}#1

Replace Computer with your Computer Client, if your are using log instead of eventlog then replace that too, and the EventLog will change depending on if it is one of the 3 defaults in windows or ones from Linux or one you created.

It will now turn on if there is new data and off if there isnt 30 seconds later! (eg if you have alerts being sent out, they will work now)

I am still fine tuning this a bit as I would like A LOT more control then what it currently is at, but the biggest step is complete.
[EDIT]: I found this post that really helped making the emails worthwhile. Still not where I would like it, but getting closer! http://www.zabbix.com/forum/showpost...92&postcount=2

Thanks to all the wonderful help and suggestions from everyone!

Thank you cstackpole for your investigations. Based on this, here is an example (cookbook) for everybody also struggling around with eventlog:

-) the source is "W32Time"
-) the description contains "synchronisiert"
-) the trigger goes off after 30 seconds
-) the eventdetails should be reportet in the mail

1) Create an item
Type: ZABBIX agent (active)
Key: eventlog[System]
Type of information: Log

2) Create a trigger
({mypc:eventlog[System].logsource(W32Time)}=1)&({mypc:eventlog[System].str(synchronisiert)}=1)&({mypc:eventlog[System].nodata(30)}#1)
you can add "logseverity()" the same way

3) Create a action
Condition: Host = mypc; Trigger value = ON (when you only want one message)
Message: {mypc:eventlog[System].last(0)}

Is this also for removing the "UNKNOWN" from the trigger?

Action Message Detail

I can get the {ITEM.LASTVALUE} data to display in my email messages, but I'd also like the Event ID and Event Source.

Does anyone know how to do this?

Action Conditions using Templates

I cannot get an Action to occur when I use a Trigger = "System Event - Error: Template_Windows Event Logs".

The system simply ignores the Action. I assume it doesn't parse the macro.

Does anyone know a workaround?

Bump

I'm also very interested in how to do this.