exclude an event type from events in eventlog monitoring on windows?

  • tserreyn
    Junior Member
    • Jun 2012
    • 26

    #1

    exclude an event type from events in eventlog monitoring on windows?

    So I finally got around to implementing AD DS Health and Performance template. WOW. Caught a bunch of things and have been cleaning them up. However it alerts on warning and alerts as it should, but as part of this we get warnings when backups are occurring.

    Item as defined:

    eventlog[DFS Replication,,"Warning|Error"]

    However I want to exclude event id 9036 (paused for backup) as this would be a normal occurrence (It really shouldn't be logged as a warning, more informational IMHO).

    Is there an easy way to exclude this?

    1. DFS Replication Events (VM-DC2-2022:eventlog[DFS Replication,,"Warning|Error"]): The DFS Replication service is stopping communication with partner VM-DC1-2022 for replication group Domain System Volume due to an error. The service will retry the connection periodically.

    Additional Information:
    Error: 9036 (Paused for backup or restore)
    Connection ID: DF3ACFF1-593A-4FA3-AD55-F32F7D27AB54
    Replication Group ID: FBAF7A7A-B8FE-4AB6-882B-4FBA6EB90932
    2. DFS Replication Events (VM-DC2-2022:eventlog[DFS Replication,,"Warning|Error"]): The DFS Replication service is stopping communication with partner VM-DC1-2022 for replication group Domain System Volume due to an error. The service will retry the connection periodically.
  • cyber
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • Dec 2006
    • 4811

    #2
    eventlog item has more parameters than that..

    eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>]

    You are just using 2, name and severity...
    name - name of event log
    regexp - regular expression describing the required pattern
    severity - regular expression describing severity
    This parameter accepts the following values: "Information", "Warning", "Error", "Critical", "Verbose" (since Zabbix 2.2.0 running on Windows Vista or newer)
    source - regular expression describing source identifier (regular expression is supported since Zabbix 2.2.0)
    eventid - regular expression describing the event identifier(s)
    maxlines - maximum number of new lines per second the agent will send to Zabbix server or proxy. This parameter overrides the value of 'MaxLinesPerSecond' in zabbix_agentd.win.conf
    mode - possible values:
    all (default), skip - skip processing of older data (affects only newly created items).

    But adding 3rd for eventID (ignore) regex might work "eventlog[DFS Replication,,"Warning|Error",,"^(?!(9036)$).*$"]"
    You can add additional event IDs there with | like (9036|500|680)


    • tserreyn
      tserreyn commented
      Yes, I agree that the documentation suggests that that would be a solution, but my attempts to implement it according to the documentation have failed. Hence my posting it here to see if anyone else has done something like this.
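
Added example, not part of the thread: an offline check of the negative-lookahead exclusion pattern from post #2, confirming it drops only the listed event IDs and does not silently discard others such as 90360. It uses Python's re module and assumes the agent's regex engine treats lookahead the same way; the helper names and the sample events (apart from ID 9036) are constructed for illustration.

```python
import re

def exclusion_pattern(event_ids):
    """Build ^(?!(id1|id2)$).*$, which matches every ID except the listed ones."""
    ids = [str(int(i)) for i in event_ids]  # int() rejects non-numeric input
    if not ids:
        raise ValueError("at least one event ID is required")
    return "^(?!(" + "|".join(ids) + ")$).*$"

def dropped_ids(events, pattern):
    """Return IDs of events the pattern does NOT match (these are never gathered)."""
    rx = re.compile(pattern)
    return [e["id"] for e in events if not rx.search(str(e["id"]))]

# Constructed sample events; only 9036 comes from the thread.
SAMPLE_EVENTS = [
    {"id": 9036, "severity": "Warning"},
    {"id": 90360, "severity": "Error"},
    {"id": 500, "severity": "Warning"},
    {"id": 4012, "severity": "Error"},
]

STRICT = exclusion_pattern([9036])  # same pattern as in post #2
LOOSE = "^(?!(9036)).*$"            # same idea without the inner $ anchor

if __name__ == "__main__":
    for name, pat in (("strict", STRICT), ("loose", LOOSE)):
        print(name, pat, "drops", dropped_ids(SAMPLE_EVENTS, pat))
```

The inner `$` is what keeps the exclusion exact: without it, every ID that merely starts with 9036 is dropped at collection time and never reaches the server.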
  • tserreyn
    Junior Member
    • Jun 2012
    • 26

    #3
    Ok so follow up question. Has anyone used ignore regex with eventlog?

    • cyber
      Senior Member
      Zabbix Certified Specialist, Zabbix Certified Professional
      • Dec 2006
      • 4811

      #4
      Other option is to make a trigger to exclude that particular ID... Something like adding "and logeventid (^9036$) = 0"

      • tserreyn
        Junior Member
        • Jun 2012
        • 26

        #5
        Ended up excluding the events from the event log gathering. Tested and seems to work, no longer getting the warning alerts, and still getting others. Realistically, should still gather it and just tag it as informational as it is a "normal" warning about replication being paused for backup, which everyone does, right?

        eventlog[DFS Replication,,"Warning|Error",,!(9036)]

        • tomski
          Junior Member
          • Jul 2023
          • 1

          #6
          Hi tserreyn
          For those less skilled people (like me) would you be so kind to post screenshots of your item and trigger configs for this specific item, please?

          Thanks!
          T
