Trying to make a trigger of a monitored logfile

This topic has been answered.
  • look2
    Junior Member
    • Sep 2022
    • 5

    #1

    Trying to make a trigger of a monitored logfile

    Hi !

    I'm trying to get a trigger when there is a specific entry in a logfile.
    I want to know when a specific user logs on.
    I have made the item, and it's working:

    name: eidadminlogin
    type: ZABBIX_ACTIVE
    key: 'log[/var/log/auth.log,*eidadmin*,,,skip]'
    delay: 1s
    trends: '0'
    value_type: LOG

    but the trigger won't work:

    expression: 'last(/eidadmin_logon/log[/var/log/auth.log,*eidadmin*,,,skip])=1'
    name: test
    priority: WARNING
  • Answer selected by look2 at 12-01-2023, 17:02.

    • fvilarnovo
      Junior Member
      • Jan 2023
      • 17

      #2
      Hi,
      You could check in "latest data" what kind of information the item has. As posted, it's going to be a string and you are evaluating numeric in the trigger. A good way to test this is the "expression constructor" (test button): the value eidadmin is not equal to 1.

      So, what you probably want to do is use a string function:



      Or, since you are already filtering at the item level for the string that you want, what you could do is use a nodata function: while there are no new matches, the item won't trigger. If there are matches in X time, then it's a problem. This would allow it to self-recover, as after the time passes the condition is no longer matched. For example:

      nodata(/HOST-TEST/log[/var/log/LOGFILE,alarm,,,,,,,],1m)=0

      Hope it helps.


      • look2
        Junior Member
        • Sep 2022
        • 5

        #3
        I might not do this right, perhaps there is a better way to do it. But when the user logs on to the machine, I get "Accepted password for eidadmin" in the item. When that happens I want a trigger. I will try the nodata option and see.


        • cyber
          Senior Member
          Zabbix Certified Specialist, Zabbix Certified Professional
          • Dec 2006
          • 4807

          #4
          if you need to find a pattern in returned text, then use the find() function for that, not last... i.e.
          Code:
          find(/eidadmin_logon/log[/var/log/auth.log],,"like","Accepted password for eidadmin")
          and then add nodata clause also, so it would go away in time... otherwise it never gets OK again


          • look2
            Junior Member
            • Sep 2022
            • 5

            #5
            It works with the answer from fvilarnovo. Thank you very much.
