Ad Widget

Collapse

User Account Lock Out Event Alert & Recovery

Collapse
This topic has been answered.
X
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • socca1324
    Junior Member
    • Mar 2022
    • 2
    #1

    User Account Lock Out Event Alert & Recovery

    I am working on monitoring account lockouts utilizing eventlog[Security,,,,4740,,] on my primary Domain Controller with trigger logseverity(/<primary domain controller>/eventlog[Security,,,,4740,,])>0 This is working as expected. The part that has me stumped is the recovery expression. I am utilizing a similar structure as the account lockout except I am looking for EventID 4767. The event 4767 is showing in the logs when the account is unlocked however this isn't closing the problem and marking it as resolved.

    I can't figure out what I am missing, does anyone have any insight?

    Zabbix ver: 6.0.0beta1
    OS ver: Ubuntu 20.04.3 LTS
    DB Backend: MySQL
    Tags: active checks, domain controller, windows server
    • Answer selected by socca1324 at 07-03-2022, 15:34.
      cyber
      Senior Member
      Zabbix Certified SpecialistZabbix Certified Professional
      • Dec 2006
      • 4807
      So you are trying to implement it in a way that triggering an event based on one item and then recover it based on another item?

      Well... you are overlooking the basic concept of recovery expressions...
      1 Configuring a trigger
      https://www.zabbix.com/documentation/current/en/manual/config/triggers/trigger

      Recovery expression Logical expression (optional) defining additional conditions that have to be met before the problem is resolved, after the original problem expression has already been evaluated as FALSE.
      .
      So basically, you cannot make your trigger go false based on some other item...
        • Selected Answer

        Comment

        • cyber
          Senior Member
          Zabbix Certified SpecialistZabbix Certified Professional
          • Dec 2006
          • 4807
          #2
          So you are trying to implement it in a way that triggering an event based on one item and then recover it based on another item?

          Well... you are overlooking the basic concept of recovery expressions...
          1 Configuring a trigger
          https://www.zabbix.com/documentation/current/en/manual/config/triggers/trigger

          Recovery expression Logical expression (optional) defining additional conditions that have to be met before the problem is resolved, after the original problem expression has already been evaluated as FALSE.
          .
          So basically, you cannot make your trigger go false based on some other item...
            • Selected Answer

            Comment

            • socca1324
              Junior Member
              • Mar 2022
              • 2
              #3
              Ahh. It soundsl like if I were to add a secondary condition to the trigger expression, for instance if the event is X minutes old and then after X minutes pass the trigger will then also utilize the recover expression to resolve the problem?

                Comment

                • cyber
                  #3.1
                  cyber commented
                  07-03-2022, 12:23
                  Editing a comment
                  That sounds more like it....
                Previous template Next
                Working...