Windows Event Log Trigger

  • Cwohechler
    Junior Member
    • Sep 2021
    • 7

    #1

    Windows Event Log Trigger

    Running Zabbix 5.4 on CentOS 8. I have an item configured for a Windows Event Log that is deployed to the host only using the following key:
    eventlog[Veritas Enterprise Vault,,"Warning",,,,skip]

    This is working correctly filtering on Warning events in the Veritas Enterprise Vault log. I have a trigger for a specific Windows Event ID - 3454:
    count(/CPM-APP03/eventlog[Veritas Enterprise Vault,,"Warning",,,,skip],1h,,"3454")=1
    The trigger works but the trigger does not auto recover. I have tried to use a recovery expression and the find statement without success.

    Any suggestions?
  • Cwohechler
    Junior Member
    • Sep 2021
    • 7

    #2
    I ended up using this expression:

    logeventid(/CPM-APP03/eventlog[Veritas Enterprise Vault,,"Warning",,,,skip],,"3454")=1 and nodata(/CPM-APP03/eventlog[Veritas Enterprise Vault,,"Warning",,,,skip],180)<>1

    The trigger fires the alert then resolves the alert, however the alert fired 10 times. This event only occurs twice a day.


    • Cwohechler
      Junior Member
      • Sep 2021
      • 7

      #3
      I have the solution. The trigger is set up with this expression:

      logeventid(/CPM-APP03/eventlog[Veritas Enterprise Vault,,"Warning",,,,skip],,"3454")=1 and nodata(/CPM-APP03/eventlog[Veritas Enterprise Vault,,"Warning",,,,skip],120)<>1

      I set the "Problem Event Generation Mode" to single event. The alert triggers twice a day with resolutions for each event.


      • cyber
        Senior Member
        Zabbix Certified Specialist, Zabbix Certified Professional
        • Dec 2006
        • 4807

        #4
        nodata (sec)
        Checking for no data received. sec - evaluation period in seconds.
        The period should not be less than 30 seconds because the history syncer process calculates this function only every 30 seconds.
        As nodata is recalculated every 30 seconds, you can get multiple events if you leave problem generation set to "multiple". Setting it as "single" will keep it generating a new one while the problem is already active.

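The behaviour discussed in this thread, as an added example that is not part of any post and is not Zabbix code: a simplified model of the trigger `logeventid(...)=1 and nodata(...,sec)<>1` evaluated on each new log entry and on every 30-second recalculation, comparing the "single" and "multiple" problem event generation modes. The function name `simulate`, the arrival times, the assumption that every arriving entry is event ID 3454, and the treatment of the exact `sec` boundary as "no data" are all assumptions of this sketch.

```python
TIMER_STEP = 30  # seconds between nodata() recalculations, as stated in the thread


def simulate(arrivals, nodata_sec, mode, horizon):
    """Model trigger evaluations and return [(time, "PROBLEM" | "OK"), ...].

    arrivals   -- constructed times (s) at which a matching log entry arrives
    nodata_sec -- the period given to nodata()
    mode       -- "single" or "multiple" problem event generation
    horizon    -- length of the simulated window in seconds
    """
    arrival_set = set(arrivals)
    # The expression is evaluated when a value arrives and on every timer tick.
    ticks = sorted(arrival_set | set(range(0, horizon + 1, TIMER_STEP)))
    events, in_problem, last_seen = [], False, None
    for now in ticks:
        if now in arrival_set:
            last_seen = now
        if last_seen is None:
            continue  # nothing collected yet, expression cannot be TRUE
        # logeventid()=1 holds because the last value is always event 3454 here;
        # nodata(sec)<>1 holds while data arrived within the last `sec` seconds.
        expr_true = (now - last_seen) < nodata_sec
        if expr_true and (mode == "multiple" or not in_problem):
            # "multiple": every TRUE evaluation opens a new problem event.
            # "single": only the change from OK to PROBLEM opens one.
            events.append((now, "PROBLEM"))
        elif not expr_true and in_problem:
            events.append((now, "OK"))  # one recovery closes the open problems
        in_problem = expr_true
    return events


def count(events, kind):
    return sum(1 for _, k in events if k == kind)


if __name__ == "__main__":
    # Constructed input: two matching entries roughly 12 hours apart, one day.
    for mode in ("multiple", "single"):
        ev = simulate([10, 43210], 120, mode, 86400)
        print(mode, "problems:", count(ev, "PROBLEM"), "recoveries:", count(ev, "OK"))
```

In this model each log entry opens one problem per TRUE evaluation in "multiple" mode, so the alert count scales with the `nodata` period divided by 30 seconds rather than with the number of log entries.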