Hello,
I am new to zabbix, using server 6.0.6.
Among other things, I am trying to use log item monitoring mechanism to detect certain entries (e.g. package manager (apt, snap) usage) in .bash_history file on Ubuntu 20.04.
I have two Ubuntu 20.04 VMs:
Machine A - has zabbix server installed
Machine B - has zabbix agent installed
The idea was to use Machine A to monitor files both on machine A and machine B.
I have 2 hosts defined on Machine A (zabbix conf):
- HPP Zabbix server
- TS-SCADA
Each host has several items defined. Both hosts have "detect package manager usage" item configured using standard item:
key -> log[/home/scada/.bash_history,"(apt|snap|apt-get) install",,,skip,,,,]
Type of information -> Log
Update interval -> 1s
Storage period -> 90d
Both hosts have corresponding triggers defined to fire upon expression:
HPP Zabbix server
nodata(/HPP Zabbix server/log[/home/scada/.bash_history,"(apt|snap|apt-get) install",,,skip,,,,],30)=0
TS-SCADA
nodata(/TS-SCADA/log[/home/scada/.bash_history,"(apt|snap|apt-get) install",,,skip,,,,],30)=0
Items and triggers are enabled.
Everything works as expected on Machine A (where server is installed). Trigger gets fired when .bash_history gets updated and above mentioned regex condition is met. I can see PROBLEM coming up on the dashboard.
Trigger does not fire when .bash_history is updated on Machine B (TS-SCADA) but I can see Item history when I check Latest data so I guess active check works fine (firewall is not the issue).
I do not see a problem with the trigger expression used, as it works on Machine A. Communication between active agent on B and server on A works, otherwise I would not be able to see Latest data for B.
In zabbix_agentd.conf on Machine B I have set Server and ServerActive params to match IP address of Machine A and Hostname=TS-SCADA.
I am attaching debug4 filtered server logs:
- log_monitor_success.txt captured when trigger gets fired (Machine A file changed)
- log_monitor_fail.txt captured when trigger does not get fired (Machine B file changed)
Any help would be appreciated!