Hi everybody,
I'm looking for a way to get a trigger that triggers when an Active Directory user gets locked out, and clears only when the user gets unlocked.
Right now I have an Item and Trigger that alert when a specific user gets locked out, but it clears after a couple of minutes.
Item
Name: Event Log - Account JDoe locked out
Type: Zabbix agent (active)
Key: eventlog[Security,"jdoe",,,4740,10,skip]
Type of information: Log
Trigger
Name: Event Log - JDoe Locked Out on {HOST.NAME}
Expression: {Windows Server 2016 - Account Locked Out:eventlog[Security,"jdoe",,,4740,10,skip].logeventid()}=1 and {Windows Server 2016 - Account Locked Out:eventlog[Security,"jdoe",,,4740,10,skip].nodata(90)}=0
These are in a template attached to our Primary Domain Controller.
I created another Item that collects data for the user being unlocked, but can't find a way of getting them to work together. Something to keep in mind: we have over 10 Domain Controllers, and I think the way these logs work is that the PDC is always notified when a user gets locked out but not necessarily when it gets unlocked; that could be on any other Domain Controller.
Item
Name: Event Log - Account JDoe was unlocked
Type: Zabbix agent (active)
Key: eventlog[Security,"jdoe",,,4767,10,skip]
Type of information: Log
The idea behind this is to get an alert on the dashboard when VIP users get locked out, one that only clears when the user gets unlocked.
Thanks to everyone in advance!
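
The latching behaviour asked for above, as an added example that is not part of the original post and is not Zabbix configuration: the alert state of an account is decided by its newest 4740 or 4767 event, whichever Domain Controller reported it. The sample events, host names, account list and function names are constructed for illustration.

```python
from datetime import datetime

LOCKED, UNLOCKED = 4740, 4767  # event IDs used by the two items in the post

# Constructed sample events (not real logs): (event time, reporting DC, event ID, account).
# Arrival order is deliberately not time order, as when several DCs report independently.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", "PDC01", 4740, "jdoe"),
    ("2024-05-01T09:02:10", "PDC01", 4740, "asmith"),
    ("2024-05-01T09:30:00", "DC07", 4767, "jdoe"),    # unlock seen on a different DC
    ("2024-05-01T09:00:05", "DC03", 4740, "jdoe"),    # late duplicate of the first lockout
    ("2024-05-01T10:15:00", "PDC01", 4740, "jdoe"),   # locked out again after the unlock
    ("2024-05-01T08:00:00", "DC02", 4767, "asmith"),  # stale unlock, must not clear the alert
]


def lockout_state(events, vip_accounts):
    """Return {account: {"locked", "since", "dc"}} for the watched accounts.

    The newest event by event time wins, so the state stays 'locked' until a
    later unlock arrives and is never cleared by a timer or by arrival order.
    """
    latest = {}
    for ts, dc, event_id, account in events:
        account = account.lower()
        if account not in vip_accounts or event_id not in (LOCKED, UNLOCKED):
            continue
        when = datetime.fromisoformat(ts)
        prev = latest.get(account)
        # Assumption: on identical timestamps the lockout wins, so a tie
        # can never hide an open problem.
        newer = prev is None or when > prev[0]
        tie_lock = prev is not None and when == prev[0] and event_id == LOCKED
        if newer or tie_lock:
            latest[account] = (when, dc, event_id)
    return {
        acct: {"locked": eid == LOCKED, "since": when, "dc": dc}
        for acct, (when, dc, eid) in latest.items()
    }


def open_problems(events, vip_accounts):
    """Accounts that should currently show as a problem on the dashboard."""
    state = lockout_state(events, vip_accounts)
    return sorted(acct for acct, s in state.items() if s["locked"])


if __name__ == "__main__":
    print(open_problems(SAMPLE_EVENTS, {"jdoe", "asmith"}))
```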