discard certain windows events at boot time (2 min)

  • jbcheck
    Junior Member
    • May 2022
    • 15

    #1

    Hi there!

    I'm monitoring some event logs of our windows hosts which works fine so far.

    I would like to filter out some well known errors that are reported on every reboot for certain systems, so that no problems / notifications are generated.
    And I don't want to filter out these events in general, but only in the first 2 min. after reboot (system.uptime?).

    How could I achieve this?

    zabbix_server 6.0.2 (raspi)
    zabbix_agent2 6.0.1 (Windows Server 2016)

    Item: Zabbix Agent (active) / Key:
    eventlog[DhcpAdminEvents,,"Warning|Error|Critical",,,,skip]

    Trigger:
    logseverity(/<host>/eventlog[DhcpAdminEvents,,"Warning|Error|Critical",,,,skip])=4 and logeventid(/<host>/eventlog[DhcpAdminEvents,,"Warning|Error|Critical",,,,skip],,"xxxxx")=0

    Thanks in advance and a great time!
    jb
  • cyber
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • Dec 2006
    • 4807

    #2
    Add a check for uptime, and use it in trigger as additional expression... if uptime is too short, no alert...

    • jbcheck
      Junior Member
      • May 2022
      • 15

      #3
      Thanks for the quick response!

      I've tried the following (first, inexperienced thought):

      logseverity(/host/eventlog[DNS Server,,"Warning|Error|Critical",,,,skip])=2
      and not (logeventid(/host/eventlog[DNS Server,,"Warning|Error|Critical",,,,skip],,"4013")=1
      and last(/host/system.uptime)<120)


      Don't fire if event-id is 4013 and the system.uptime is less than 2 min.
      This trigger will also fire every 30 sec. after the system is up for more than 2 min. = first thought wasn't as good.

      Is it possible to take into account the time when the event occurred?

      I'm totally confused at the moment ...

      Thanks a lot!
      jb

      • cyber
        Senior Member
        Zabbix Certified Specialist, Zabbix Certified Professional
        • Dec 2006
        • 4807

        #4
        If you are trying to avoid events during first 2 minutes, then I think it should be other way... and uptime > 120,

        • jbcheck
          Junior Member
          • May 2022
          • 15

          #5
          Hm, if I test the expressions, everything seems to be okay:

          [attached screenshots of the expression tests: 2022-05-12 15_30_50-Clipboard.png, 2022-05-12 15_33_00-Clipboard.png, 2022-05-12 15_35_34-Clipboard.png]

          The corresponding warning message exists only once:

          [attached screenshot: 2022-05-12 15_37_44-Window.png]

          Unfortunately the trigger fires every 30 seconds the whole day. Maybe because system.uptime is > 120 seconds?
          It seems like the engine doesn't recognize that the warning message has already been processed? How could this be corrected?

          Nice day!
          jb

          • jbcheck
            Junior Member
            • May 2022
            • 15

            #6
            Okay, another approach that works for me to skip recurring error messages during system (re)boot:

            Item will also get Information Event-IDs:
            eventlog[DNS Server,,"Information|Warning|Error|Critical",,,,skip]

            A Trigger that handles DNS Event-IDs 4013 and 4:
            Expression:
            logseverity(/host/eventlog[DNS Server,,"Information|Warning|Error|Critical",,,,skip])=2
            and logeventid(/host/eventlog[DNS Server,,"Information|Warning|Error|Critical",,,,skip],,"4013")=1
            Recovery expression:
            logeventid(/host/eventlog[DNS Server,,"Information|Warning|Error|Critical",,,,skip],,"4")=1

            And a Trigger that handles any other Event-ID (4013 excluded):
            logseverity(/host/eventlog[DNS Server,,"Information|Warning|Error|Critical",,,,skip])=2
            and logeventid(/host/eventlog[DNS Server,,"Information|Warning|Error|Critical",,,,skip],,"4013")=0

            Whereas a solution depending on the start time might be easier.

            Ciao for now
            jb
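Added illustration, not Zabbix code and not written by anyone in this thread: a small Python model of the trigger expressions from posts #3, #5 and #6, replayed against a constructed boot timeline. It assumes the Zabbix behaviour the thread runs into: an item keeps only its last stored value, logseverity()/logeventid() look at that last value, a trigger is re-evaluated whenever one of its items stores a new value, and in "Recovery expression" mode a problem closes only when the problem expression is false and the recovery expression is true. The timeline, the uptime sampling interval and the event id 5555 (standing in for a warning that should alert) are made up; 4013 and 4 are the ids from the thread.

```python
"""Toy model of how the trigger expressions from this thread behave over a reboot.

Constructed illustration, not Zabbix code. Simplifications: each item holds only
its last stored value, log functions read that last value, and a trigger is
re-evaluated whenever one of its items stores a new value.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Windows event log severities as Zabbix's logseverity() reports them
INFORMATION, WARNING, ERROR = 1, 2, 4


@dataclass
class LogEntry:
    eventid: str
    severity: int


@dataclass
class Host:
    """Last stored values of the two items the triggers reference."""
    eventlog: Optional[LogEntry] = None   # eventlog[...] item
    uptime: int = 0                       # system.uptime item, seconds


Expr = Callable[[Host], bool]


@dataclass
class Trigger:
    problem: Expr
    recovery: Optional[Expr] = None       # "Recovery expression" mode when set
    state: str = "OK"
    problem_events: int = 0               # OK -> PROBLEM transitions
    true_evaluations: int = 0             # events with "Multiple" PROBLEM generation
    first_problem_at: Optional[int] = None
    recovered_at: Optional[int] = None

    def evaluate(self, host: Host, t: int) -> None:
        is_problem = self.problem(host)
        if is_problem:
            self.true_evaluations += 1
        if self.state == "OK" and is_problem:
            self.state, self.problem_events = "PROBLEM", self.problem_events + 1
            if self.first_problem_at is None:
                self.first_problem_at = t
        elif self.state == "PROBLEM" and not is_problem:
            # Without a recovery expression the problem closes as soon as the
            # problem expression is false; with one, the recovery must also be true.
            if self.recovery is None or self.recovery(host):
                self.state = "OK"
                if self.recovered_at is None:
                    self.recovered_at = t


def sev(h: Host) -> int:   # logseverity(): no value stored yet -> 0
    return h.eventlog.severity if h.eventlog else 0


def eid(h: Host) -> str:   # logeventid() compares against this id
    return h.eventlog.eventid if h.eventlog else ""


# Post #3: don't fire if the id is 4013 and uptime < 120
def post3_problem(h: Host) -> bool:
    return sev(h) == WARNING and not (eid(h) == "4013" and h.uptime < 120)


# Post #4/#5: alert only once uptime > 120
def post5_problem(h: Host) -> bool:
    return sev(h) == WARNING and h.uptime > 120


# Post #6: boot trigger closed by event id 4, plus a trigger for every other id
def post6_boot_problem(h: Host) -> bool:
    return sev(h) == WARNING and eid(h) == "4013"


def post6_boot_recovery(h: Host) -> bool:
    return eid(h) == "4"


def post6_rest_problem(h: Host) -> bool:
    return sev(h) == WARNING and eid(h) != "4013"


# Constructed timeline, boot at t=0: uptime sampled every 30 s plus three log
# events. 5555 is a made-up id for a warning that really should alert.
UPTIME_SAMPLES = [(t, "uptime", t) for t in range(0, 901, 30)]
LOG_EVENTS = [(15, "log", LogEntry("4013", WARNING)),
              (40, "log", LogEntry("4", INFORMATION)),
              (615, "log", LogEntry("5555", WARNING))]


def simulate(trigger: Trigger, item_severities: set) -> Trigger:
    """Replay the timeline; item_severities is the eventlog item's severity filter."""
    host = Host()
    for t, kind, value in sorted(UPTIME_SAMPLES + LOG_EVENTS, key=lambda e: e[0]):
        if kind == "uptime":
            host.uptime = value
        elif value.severity in item_severities:
            host.eventlog = value
        else:
            continue   # event not collected by the item: no new value, no evaluation
        trigger.evaluate(host, t)
    return trigger


def run_all() -> dict:
    no_info = {WARNING, ERROR}                 # item from posts #1 to #5
    with_info = {INFORMATION, WARNING, ERROR}  # item from post #6
    return {
        "post3": simulate(Trigger(post3_problem), no_info),
        "post5": simulate(Trigger(post5_problem), no_info),
        "post6_boot": simulate(Trigger(post6_boot_problem, post6_boot_recovery), with_info),
        "post6_rest": simulate(Trigger(post6_rest_problem), with_info),
    }


if __name__ == "__main__":
    for name, trg in run_all().items():
        print(f"{name:10s} state={trg.state:7s} problems={trg.problem_events} "
              f"true_evals={trg.true_evaluations:2d} first={trg.first_problem_at} "
              f"recovered={trg.recovered_at}")
```

The replay makes the failure mode in posts #3 and #5 visible: the item only stores Warning/Error entries, so the "DNS started" Information event 4 never replaces the 4013 warning as the last value, and the moment uptime passes 120 s the expression turns true on every uptime sample and stays true all day. The post #6 pair collects Information events too, so event 4 closes the boot problem after a few seconds, and the second trigger still opens a problem for the made-up 5555 warning later on.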
