Hi all,
I ran into a problem recently. I'm trying to process specific SNMP traps that are sent from a FortiAnalyzer to the Zabbix proxy (6.0.5). I've created an SNMP-trap item that serves as the main text retriever. This works: I get the text from the SNMP trap in the latest data, but it is quite unreadable. Therefore I've created several dependent items that use some clever preprocessing with RegEx to filter out the specific keywords that I want to use in my trigger. Again, all these (5) dependent items have the proper values in the history.
Then I created a trigger with a simple condition that uses one of the dependent items. This trigger goes into the PROBLEM state correctly, but the event never appears in my Problems view.
Just as a test, I created a similar trigger on the main item and this one does work!
I even tried to make the trigger dependent on the trigger of the main item. Still no luck.
What am I missing here?
I've attached two screenshots, showing the problem state of the triggers, and the history of the dependent items. Also below is the yaml export of the host itself.
I ran into a problem recently. I'm trying to process specific SNMP traps that are sent from a FortiAnalyzer to the Zabbix proxy (6.0.5). I've created an SNMP-trap item that serves as the main text retriever. This works: I get the text from the SNMP trap in the latest data, but it is quite unreadable. Therefore I've created several dependent items that use some clever preprocessing with RegEx to filter out the specific keywords that I want to use in my trigger. Again, all these (5) dependent items have the proper values in the history.
Then I created a trigger with a simple condition that uses one of the dependent items. This trigger goes into the PROBLEM state correctly, but the event never appears in my Problems view.
Just as a test, I created a similar trigger on the main item and this one does work!
I even tried to make the trigger dependent on the trigger of the main item. Still no luck.
What am I missing here?
I've attached two screenshots, showing the problem state of the triggers, and the history of the dependent items. Also below is the yaml export of the host itself.
Code:
# Zabbix 6.0 host export as pasted on the forum (indentation was lost in the paste and is
# restored here; the scalar values are unchanged).
# Contents: one host group, one host with an SNMP interface behind a proxy, one SNMP-trap
# master item, five DEPENDENT items that regex-extract fields from the trap text, and three
# triggers (two item-level, one host-level).
zabbix_export:
  version: '6.0'
  date: '2022-06-14T12:30:48Z'
  groups:
    -
      uuid: e7e4b6c2b70245e1bba35ca0b934b935
      name: Klanten/BUCH
  hosts:
    -
      host: buch-faz-p01.buch
      name: buch-faz-p01.buch
      # The host is monitored through this proxy, so the traps must be received there.
      proxy:
        name: sbe.dc1
      templates:
        -
          name: 'FortiManager SNMP'
      groups:
        -
          name: Klanten/BUCH
      interfaces:
        -
          type: SNMP
          # Quoted on purpose: an unquoted NO is a boolean under YAML 1.1 rules.
          useip: 'NO'
          ip: 172.31.236.16
          dns: buch-faz-p01.buch
          port: '161'
          details:
            # NOTE(review): plaintext SNMP community string (an authentication credential for
            # the device) embedded in an export that is being shared publicly. Zabbix can take
            # the community from a host or global macro instead (the stock templates use
            # '{$SNMP_COMMUNITY}'), which keeps the credential out of exports and backups;
            # the value shown here should be considered exposed and rotated on the device.
            community: solidmon
          interface_ref: if1
      items:
        # Each DEPENDENT item re-parses the master item's trap text. The REGEX step captures
        # what follows "<field>=" up to the next " <word>=" token (output \1). Where present,
        # the TRIM step then removes '"' characters from both ends of the captured value.
        # action, severity and subject have a TRIM step; srcip and dstip do not - presumably
        # because the IP fields in the trap are not quoted; confirm against a real trap.
        -
          name: buch.alert.action
          type: DEPENDENT
          key: buch.alert.action
          delay: '0'
          history: 1w
          trends: '0'
          value_type: TEXT
          preprocessing:
            -
              type: REGEX
              parameters:
                - '\ action=(.*?)(?=\ ([a-z])+=)'
                - \1
            -
              type: TRIM
              parameters:
                - '"'
          master_item:
            key: 'snmptrap[.*trigger=BUCH-.*]'
        -
          name: buch.alert.dstip
          type: DEPENDENT
          key: buch.alert.dstip
          delay: '0'
          history: 1w
          trends: '0'
          value_type: TEXT
          preprocessing:
            -
              type: REGEX
              parameters:
                - '\ dstip=(.*?)(?=\ ([a-z])+=)'
                - \1
          master_item:
            key: 'snmptrap[.*trigger=BUCH-.*]'
        -
          name: buch.alert.severity
          type: DEPENDENT
          key: buch.alert.severity
          delay: '0'
          history: 1w
          trends: '0'
          value_type: TEXT
          preprocessing:
            -
              type: REGEX
              parameters:
                - '\ severity=(.*?)(?=\ ([a-z])+=)'
                - \1
            -
              type: TRIM
              parameters:
                - '"'
          master_item:
            key: 'snmptrap[.*trigger=BUCH-.*]'
        -
          name: buch.alert.srcip
          type: DEPENDENT
          key: buch.alert.srcip
          delay: '0'
          history: 1w
          trends: '0'
          value_type: TEXT
          preprocessing:
            -
              type: REGEX
              parameters:
                - '\ srcip=(.*?)(?=\ ([a-z])+=)'
                - \1
          master_item:
            key: 'snmptrap[.*trigger=BUCH-.*]'
        -
          name: buch.alert.subject
          type: DEPENDENT
          key: buch.alert.subject
          delay: '0'
          history: 1w
          trends: '0'
          value_type: TEXT
          preprocessing:
            -
              type: REGEX
              parameters:
                - '\ subject=(.*?)(?=\ ([a-z])+=)'
                - \1
            -
              type: TRIM
              parameters:
                - '"'
          master_item:
            key: 'snmptrap[.*trigger=BUCH-.*]'
          triggers:
            # Item-level trigger: PROBLEM while the subject item received a value in the last
            # 15m; recovers only after 12h without any subject value. Problems are correlated
            # per distinct value of the 'subject' tag.
            -
              expression: 'nodata(/buch-faz-p01.buch/buch.alert.subject,15m)=0'
              recovery_mode: RECOVERY_EXPRESSION
              recovery_expression: 'nodata(/buch-faz-p01.buch/buch.alert.subject,12h)=1'
              correlation_mode: TAG_VALUE
              correlation_tag: subject
              name: 'Ongoing attack : {ITEM.VALUE1}'
              event_name: 'subject:{ITEM.LASTVALUE1}'
              manual_close: 'YES'
              # NOTE(review): by Zabbix trigger-dependency semantics a trigger does not change
              # state (and generates no event) while a trigger it depends on is in PROBLEM.
              # The parent 'SNMP trap from IOC trigger!' is in PROBLEM whenever a matching trap
              # arrived in the last 15m - i.e. exactly when this trigger is meant to fire - so
              # this dependency works against the intent. It may not explain the symptom seen
              # before the dependency was added, but it should be removed before testing further.
              dependencies:
                -
                  name: 'SNMP trap from IOC trigger!'
                  expression: 'nodata(/buch-faz-p01.buch/snmptrap[.*trigger=BUCH-.*],15m)=0'
              # The tag value is the raw subject text extracted from the trap; any two traps
              # carrying the same subject string are correlated into one problem.
              tags:
                -
                  tag: subject
                  value: '{ITEM.VALUE1}'
        # Master item: receives every trap whose text matches the regex in the item key.
        -
          name: 'BUCH Custom alert'
          type: SNMP_TRAP
          key: 'snmptrap[.*trigger=BUCH-.*]'
          delay: '0'
          history: 2w
          trends: '0'
          value_type: TEXT
          interface_ref: if1
          tags:
            -
              tag: IOC-source
              value: Datacenter
          triggers:
            # Parent trigger used as a dependency by the other two: PROBLEM whenever a matching
            # trap arrived in the last 15m. It has no recovery expression and no priority set.
            -
              expression: 'nodata(/buch-faz-p01.buch/snmptrap[.*trigger=BUCH-.*],15m)=0'
              name: 'SNMP trap from IOC trigger!'
      inventory:
        name: BUCH-FAZ-P01
        hardware: buch-faz-p01
        software: 'v7.0.2-build0180 211019 (GA)'
        # Forum obfuscation artifact: as written this parses as a YAML flow sequence with one
        # element, not as a string. The original export presumably held a quoted e-mail address.
        contact: [email protected]
        location: 'xxxxxxxxxx'
      inventory_mode: AUTOMATIC
  # Host-level trigger: it references several items, so the export places it outside any
  # single item.
  triggers:
    -
      # PROBLEM once all five extracted fields have a non-empty last value. The expression has
      # no time-bound term, so it stays in PROBLEM as long as those last values exist and
      # recovers only after 12h without subject data.
      expression: |
        length(last(/buch-faz-p01.buch/buch.alert.subject))>0 and length(last(/buch-faz-p01.buch/buch.alert.severity))>0 and length(last(/buch-faz-p01.buch/buch.alert.action))>0 and
        length(last(/buch-faz-p01.buch/buch.alert.srcip))>0 and length(last(/buch-faz-p01.buch/buch.alert.dstip))>0
      recovery_mode: RECOVERY_EXPRESSION
      recovery_expression: 'nodata(/buch-faz-p01.buch/buch.alert.subject,12h)=1'
      # {ITEM.VALUEn} follows the order the items appear in the expression:
      # 1=subject, 2=severity, 3=action, 4=srcip, 5=dstip.
      name: 'Detected {ITEM.VALUE2} IOC: {ITEM.VALUE1} srcip:{ITEM.VALUE4} -> dstip:{ITEM.VALUE5} action:{ITEM.VALUE3}'
      # The only trigger in this export with an explicit priority; the other two are left
      # at the default.
      priority: INFO
      manual_close: 'YES'
      # Same dependency on the nodata parent trigger as the subject trigger above, with the
      # same effect: suppressed while the parent is in PROBLEM.
      dependencies:
        -
          name: 'SNMP trap from IOC trigger!'
          expression: 'nodata(/buch-faz-p01.buch/snmptrap[.*trigger=BUCH-.*],15m)=0'