Windows Eventlog monitoring and auto close

This topic has been answered.
  • Punster Madhatter
    Junior Member
    • Dec 2020
    • 7

    #1

    Windows Eventlog monitoring and auto close

    Hello
    I am struggling a bit with Eventlog monitoring for Windows. What I am trying to achieve is for Zabbix to "Auto close" a problem when a specific event appears in the Windows EventViewer.

    Background: MPIO on a Windows Server has two paths to its storage. When both paths are up and operational, this will be for example EventID 666. If one path goes down, this is critical and generates EventID 667. When the offline path is back online I would like the problem to "Auto close" (EventID 666).

    Is this possible or am I doing something completely wrong?

    Agent: Zabbix Agent (Active)
    The Item key is: eventlog[Application,,Information,Zabbix,666,,skip]
    Trigger Expression: logeventid(/Hyper1Active/eventlog[Application,,Information,Zabbix,666,,skip])=0

    and

    The key is: eventlog[Application,,Error,Zabbix,667,,skip]
    Trigger Expression: logeventid(/Hyper1Active/eventlog[Application,,Error,Zabbix,667,,skip])=1

    Video showing the config details..
    https://drive.google.com/file/d/1c5D...ew?usp=sharing

    PS
    In the video I am manually creating these fictional EventIDs on the Windows Server :-)
  • Answer selected by Punster Madhatter at 30-10-2023, 16:47.
    ISiroshtan
    Senior Member
    • Nov 2019
    • 324

    Ah, that absolutely makes sense, my bad. We did change the key of item, right? So we also need to change the key of item in trigger expression. Silly me.

    Also, we actually need to add the regexp we are checking for in the trigger expression. I somehow thought it's already there...

    Please try the following:
    logeventid(/Hyper1Active/eventlog[Application,,Information,Zabbix,^(666|667)$,,skip],,666)=1


    • ISiroshtan
      Senior Member
      • Nov 2019
      • 324

      #2
      I would step away from the idea of sending those two events into separate items and instead would collect them under the same item. Based on the documentation, the <eventid> part of the item is actually a regex. So going with an item key something like
      eventlog[Application,,Information,Zabbix,^(666|667)$,,skip]
      should do the trick. After that just have a single trigger with expression
      logeventid(/Hyper1Active/eventlog[Application,,Information,Zabbix,666,,skip])=1
      This way as soon as a 666 event is collected by the item, the alert will fire. As soon as any other event is collected (and outside of 666 we only collect 667) - the alert will be resolved.


      • Punster Madhatter
        Junior Member
        • Dec 2020
        • 7

        #3
        Hello and thank you for your reply. I deleted all settings on this host and added the values as you suggest.
        However. When I try adding the Expression on the trigger I get this error:

        logeventid(/Hyper1Active/eventlog[Application,,Information,Zabbix,666,,skip]): Unknown host item, no such item in selected host

        The whole procedure here

        https://drive.google.com/file/d/16WQ...ew?usp=sharing


        • ISiroshtan
          Senior Member
          • Nov 2019
          • 324

          #4
          Ah, that absolutely makes sense, my bad. We did change the key of item, right? So we also need to change the key of item in trigger expression. Silly me.

          Also, we actually need to add the regexp we are checking for in the trigger expression. I somehow thought it's already there...

          Please try the following:
          logeventid(/Hyper1Active/eventlog[Application,,Information,Zabbix,^(666|667)$,,skip],,666)=1


          • Punster Madhatter
            Junior Member
            • Dec 2020
            • 7

            #5
            Thank you very much. It is working as expected now. I did a few tweaks to what you suggest, but Problems auto-close now. Great!

            The Item for the host looks like this.
            eventlog[Application,,Information|Error,Zabbix,^(666|667)$, ,skip]

            The Trigger Expression like this.
            logeventid(/Hyper1Active/eventlog[Application,,Information|Error,Zabbix,^(666|667)$, ,skip],,666)=0

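The difference between the configuration suggested in post #4 and the one that worked in post #5 can be reproduced with a small model. This is an added example, not code from the thread or from Zabbix: it assumes the severity, source and event ID parameters of the eventlog item are regular-expression filters, that logeventid() returns 1 when the last collected event ID matches its pattern, and it ignores maxlines and mode; the event list is constructed.

```python
import re

# Constructed sample events (severity, source, event ID), oldest first.
EVENTS = [
    ("Information", "Zabbix", 666),  # both MPIO paths up
    ("Error", "Zabbix", 667),        # one path down
    ("Information", "Zabbix", 666),  # path restored
]

def item_collects(event, severity_re, source_re, eventid_re):
    """Model of the eventlog[] item filter: every non-empty parameter is a regex."""
    severity, source, eventid = event
    return all(
        not pattern or re.search(pattern, value)
        for pattern, value in ((severity_re, severity), (source_re, source),
                               (eventid_re, str(eventid)))
    )

def logeventid(last_event, pattern):
    """Model of logeventid(): 1 if the last collected event ID matches, else 0."""
    return 1 if re.search(pattern, str(last_event[2])) else 0

def problem_timeline(events, item_filter, pattern, problem_when):
    """Problem state after each event; it only changes when the item collects a value."""
    state, timeline = False, []
    for event in events:
        if item_collects(event, *item_filter):
            state = logeventid(event, pattern) == problem_when
        timeline.append(state)
    return timeline

# Post #4: severity "Information" only, expression ...,,666)=1
POST4 = problem_timeline(EVENTS, ("Information", "Zabbix", r"^(666|667)$"), "666", 1)
# Post #5: severity "Information|Error", expression ...,,666)=0
POST5 = problem_timeline(EVENTS, ("Information|Error", "Zabbix", r"^(666|667)$"), "666", 0)

if __name__ == "__main__":
    print("post #4:", POST4)  # problem raised by 666, never cleared
    print("post #5:", POST5)  # problem raised by 667, cleared by the next 666
```

In this model the post #4 settings never collect the 667 event, because it is logged with severity Error, and the =1 comparison raises the problem on the healthy 666 event; the two tweaks in post #5 address both points.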