Dumb(?) question about log monitoring :)

pineapple

Junior Member

Joined: Sep 2022

Posts: 1
#1

Dumb(?) question about log monitoring :)

26-11-2024, 19:55

Guys,
I have a log file that needs to be monitored (triggers with recovery). In short, the log is an output from script that is discovering domains in the forest. Here's an example:

14620:2024-11-26T17:19:21.3771631+00:00 [ ADDSDiscovery ] ERROR: some.domain.com
14620:2024-11-26T17:19:22.3771631+00:00 [ ADDSDiscovery ] ERROR: another.domain.com
14620:2024-11-26T17:19:23.3771631+00:00 [ ADDSDiscovery ] OK: some.domain.com

The problem I've got is that my trigger expression nicely detects the ERROR, but I need to combine it with a domain name...

The item key is: log[C:\\ProgramData\\Zabbix\\logs\\ADDSDiscovery.log,, 65001]

The trigger expression is: find(/Active Directory/log[C:\\ProgramData\\Zabbix\\logs\\ADDSDiscovery.log,, 65001],#1,"like","ERROR")=1
The trigger recovery is: find(/Active Directory/log[C:\\ProgramData\\Zabbix\\logs\\ADDSDiscovery.log,, 65001],#1,"like","OK")=1

I'm unable to distinguish errors per domain... If there is a OK entry between two failures, the first one is being resolved. I need Zabbix to grab that domain as well...

Is there any way to achieve what I'm planning to do? I hope I clearly described my requirement
Tags: None
cyber

Senior Member

Joined: Dec 2006

Posts: 4807
#2

27-11-2024, 17:09

To grab something from data and use in event, you need to set tags... like tag name "domain" and value "{{ITEM.VALUE}.regsub("\[ ADDSDiscovery \] [ERROR|OK]: (.*?)",\1)}" this will put (I hope, if I did not do any mistakes) that domainname into tag value...
and you probably should use "event generation" -> "multiple" and "ok event closes" -> "All problems if tag values match"

TBH I dont have any similar case at hand to test ..:P
👍 1
Comment

Ad Widget

Dumb(?) question about log monitoring :)

Dumb(?) question about log monitoring :)

Comment