Hi guys,
Just wondering if anybody has already done this or can give a hint on how to create a trigger in Zabbix to monitor logs automatically and trigger based on a pattern. For example, Zabbix reads the following log:
192.168.1.105 webmail "CN=User1/COM" [01/Mar/2018:14:53:25 +0100] "GET .... "
192.168.1.112 webmail "CN=User3/COM" [01/Mar/2018:14:53:15 +0100] "GET .... "
192.168.1.111 webmail "CN=User1/COM" [01/Mar/2018:14:52:55 +0100] "GET .... "
............
I would like to find, in the last 5 minutes of the log, all the duplicate entries based on "CN=...." and compare the IP from the beginning. If it differs, then trigger a problem.
Kind of find when, during a period of time, the same user connects from different IPs, and trigger a problem. So as a result, to get a trigger with the values
192.168.1.105 webmail "CN=User1/COM" [01/Mar/2018:14:53:25 +0100] "GET .... "
192.168.1.111 webmail "CN=User1/COM" [01/Mar/2018:14:52:55 +0100] "GET .... "
=================================================
Actually, let's ease up the problem a little bit. Let's say we have the following log
192.168.1.105 webmail "CN=User1/COM" [01/Mar/2018:14:53:25 +0100] "GET .... "
192.168.1.111 webmail "CN=User1/COM" [01/Mar/2018:14:52:55 +0100] "GET .... "
192.168.1.111 webmail "CN=User1/COM" [01/Mar/2018:14:52:35 +0100] "GET .... "
192.168.1.111 webmail "CN=User1/COM" [01/Mar/2018:14:40:55 +0100] "GET .... "
How, based on the entries from the last 5 minutes in the log, to compare the IP from the beginning? If it differs, then trigger a problem.
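One way to implement the check the post asks for, as an added example that is not from the original post and not Zabbix code: a Python script that parses lines in the post's format, collects the distinct source IPs per CN inside a 5-minute window, and reports users seen from more than one. Zabbix log items match single lines and cannot correlate across them, so a script like this is normally run as a UserParameter or external check that outputs a number, with the trigger firing on last()>0. The sample log below is constructed (request part shortened, one extra User3 line added).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the post's format (request part shortened); the
# 14:47:00 User3 line is added to show that entries outside the window are ignored.
SAMPLE_LOG = """\
192.168.1.105 webmail "CN=User1/COM" [01/Mar/2018:14:53:25 +0100] "GET /mail HTTP/1.1"
192.168.1.112 webmail "CN=User3/COM" [01/Mar/2018:14:53:15 +0100] "GET /mail HTTP/1.1"
192.168.1.111 webmail "CN=User1/COM" [01/Mar/2018:14:52:55 +0100] "GET /mail HTTP/1.1"
192.168.1.111 webmail "CN=User1/COM" [01/Mar/2018:14:52:35 +0100] "GET /mail HTTP/1.1"
192.168.1.113 webmail "CN=User3/COM" [01/Mar/2018:14:47:00 +0100] "GET /mail HTTP/1.1"
192.168.1.111 webmail "CN=User1/COM" [01/Mar/2018:14:40:55 +0100] "GET /mail HTTP/1.1"
"""

# Source IP, one field, quoted CN, bracketed timestamp; the request part is not needed.
LINE_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ "(?P<cn>CN=[^"]+)" \[(?P<ts>[^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, cn, timestamp) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("cn"), datetime.strptime(m.group("ts"), TS_FMT)


def find_multi_ip_users(lines, window_seconds=300, now=None):
    """Map each CN seen from more than one distinct IP inside the window to its sorted IPs.
    `now` defaults to the newest timestamp in the input so the example is reproducible
    offline; a scheduled script would pass datetime.now(timezone.utc) instead."""
    events = [e for e in map(parse_line, lines) if e is not None]
    if not events:
        return {}
    if now is None:
        now = max(ts for _, _, ts in events)
    window = timedelta(seconds=window_seconds)
    ips_by_user = defaultdict(set)
    for ip, cn, ts in events:
        if now - window <= ts <= now:
            ips_by_user[cn].add(ip)
    return {cn: sorted(ips) for cn, ips in ips_by_user.items() if len(ips) > 1}


if __name__ == "__main__":
    hits = find_multi_ip_users(SAMPLE_LOG.splitlines())
    for cn, ips in hits.items():
        print(f'{cn} seen from {", ".join(ips)}')
    # A UserParameter wrapper would print only len(hits) for a numeric trigger item.
    print(len(hits))
```

With the sample above only User1 is reported (two IPs within the window); User3's second IP falls outside the 5-minute window and is ignored.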