Hello,

I would check this documentation and checke, whether the Expression is valid:


And if you can confirm that you are getting back values from the item, you can test the trigger in the "Expression Constructor", whether it works. If it's not working, you won't get an event.

Hello,
Thanks for the answer !

I've checked the link you sended but i can't see the expression "logsource" and when i try with the expression "last" the test doesn't work (false) everytime, i've alose tried the example 3 (when a file is changed) and it doesn't do a thing
I Tried with the vfs.file.contents expression but i dont receive data anymore.


So i tried to test like you said, with the expression "logsource(/Authentification root/log[/var/log/TabletteManager/su.log,,,,,skip])=0"
i have 0 = true and 1 = false so i guess its not good, but in the latest data i do have my log.


i'm kind of blocked , i'm sure its my fault cause its litteraly my second time working with zabbix

So until you are getting a "0", an event will be triggered.
If you are getting a "1", the event will not be triggered. Seems to work correctly :-)

But I think what you need is the opposite. The trigger should becomes "TRUE" if you are getting back a "1".

I have tried with the expression "log[/var/log/TabletteManager/su.log,,,,,to root]" --> its supposed to show a trigger when a line is matching the string "to root" BUT when i test the trigger i get false

But if i check my log file the string "to root" is everywhere


So i dont have any notifications but i do have data in latest log, so i guess my trigger is sh*t

ok josoko i love you
so i tried like you said with 1 that need to return true

AND i do have a notification on dashboard.

we agree that we setup the trigger 1 because we need a match ? or did i miss understand something

I am confident. You are closer to a solution as you think.

But important is, that the ITEM is returning a Numeric Value which is not 1 until somebody is executing the "su" command. Either your item is working with "text" or "numeric values". But you cannot combine them. Because if your item is configured to numeric value, it would lead in an error, of you are sending back a "text" instead of a numeric value.

Ok so here when the "su" is used it return 1 and this numeric value trigger the trigger (thx captain obvious) and i guess my mistake was that i wanted to combine the two values,
Well really thanks for you help and your explanations, its really appreciated.
(also im sorry for my english, as you could have guessed its not my first language )

Logsource function is for windows events.

Your item (log[]...) returns logline(s) so your trigger expression has to be based on finding text or similar... As you seem to pull all lines from log (no regex in key parameters), then find (/host/key,<(sec|#num)<:time shift>>,<operator>,<pattern>) for example should do the trick for you ..
find//Authentification root/log[/var/log/TabletteManager/su.log,,,,,skip],"regexp","to root")=1 (dont have decent 6.0 available, writing it based on gut feeling..)
you can add nodata clause there also, so you can tune it a bit, when rised problem will be closed. "and nodata(/Authentification root/log[/var/log/TabletteManager/su.log,,,,,skip],1m)=0" autocloses problem 1 minute after last line from log is found...

you can also pick up just needed lines by adding a regex to key.. "log[/var/log/TabletteManager/su.log,"(to root)",,,skip]. Reducing the amount of data saved in DB.