Hello everyone,
I was new to Zabbix one month ago, so I am still learning and still have problems.
I have created 2 items (active checks) which look for invalid connection attempts via ssh:
item one: log.count[/var/log/auth.log,: Invalid user ]
item two: log.count[/var/log/auth.log,: Invalid user .* 192.168.23.26]
The second one is here to avoid raising an alarm if the IP 192.168.23.26 made the failed connection attempt.
The corresponding trigger is:
{Template Authentication failure - Debian-like:log.count[/var/log/auth.log,: Invalid user .* 192.168.23.26].last()}=0 and {Template Authentication failure - Debian-like:log.count[/var/log/auth.log,: Invalid user ].last()}>3
The graphs work well in "monitoring/latest data", both items show what they are supposed to show, but the mail I receive shows wrong values (I have made the login attempts from host2 192.168.23.26):
Item values:
1. Log check - Discard host2 Invalid connexion attempts Debian-like (host1:log.count[/var/log/auth.log,: Invalid user .* 192.168.23.26]): 0
2. Log check - Invalid connexion attempts Debian-like (host1:log.count[/var/log/auth.log,: Invalid user ]): 7
It should have been 7 and 7!
Now the weird thing... Same items, just one operator in trigger has changed:
{Template Authentication failure - Debian-like:log.count[/var/log/auth.log,: Invalid user .* 192.168.23.26].last()}>0 and {Template Authentication failure - Debian-like:log.count[/var/log/auth.log,: Invalid user ].last()}>3
The mail I receive:
Item values:
1. Log check - Discard nessus Invalid connexion attempts Debian-like (alf:log.count[/var/log/auth.log,: Invalid user .* 192.168.23.26]): 8
2. Log check - Invalid connexion attempts Debian-like (alf:log.count[/var/log/auth.log,: Invalid user ]): 8
Good values! 8 and 8
Does anybody know what I am doing wrong?
Cheers!
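
An added example, not part of the original post: a Python model of the two log.count items and both trigger expressions, run over constructed auth.log lines. It assumes the server recalculates a trigger each time either item receives a new value, while the other item still holds its previous last(); the function names and sample lines are hypothetical.

```python
import re

# The two regular expressions from the post's log.count item keys.
RE_ALL = re.compile(r": Invalid user ")
RE_HOST2 = re.compile(r": Invalid user .* 192.168.23.26")

def log_count(lines, pattern):
    """Count matching lines, as one log.count check does for one interval."""
    return sum(1 for line in lines if pattern.search(line))

def trigger_eq0(host2, total):
    """First trigger in the post: host2 item = 0 and total item > 3."""
    return host2 == 0 and total > 3

def trigger_gt0(host2, total):
    """Second trigger in the post: host2 item > 0 and total item > 3."""
    return host2 > 0 and total > 3

def replay(updates, trigger):
    """Re-evaluate the trigger after every single item update (assumed model).

    updates: ordered (item_name, value) pairs as the server receives them.
    Returns the (host2, total) snapshots at which the trigger was true.
    """
    last = {"host2": 0, "total": 0}   # last() values from a quiet interval
    fired = []
    for name, value in updates:
        last[name] = value
        if trigger(last["host2"], last["total"]):
            fired.append((last["host2"], last["total"]))
    return fired

# Constructed sample: seven failed logins, all from 192.168.23.26.
SAMPLE = [
    f"Mar  3 10:15:0{i} host1 sshd[4242]: Invalid user test{i} from 192.168.23.26"
    for i in range(7)
] + ["Mar  3 10:15:09 host1 sshd[4242]: Accepted password for bob from 192.168.23.40"]

TOTAL = log_count(SAMPLE, RE_ALL)      # 7
HOST2 = log_count(SAMPLE, RE_HOST2)    # 7

if __name__ == "__main__":
    # Total item stored before the host2 item: first trigger sees (0, 7).
    print(replay([("total", TOTAL), ("host2", HOST2)], trigger_eq0))
    # Same order, second trigger: true only once both values are in.
    print(replay([("total", TOTAL), ("host2", HOST2)], trigger_gt0))
```

Under this model the "=0" trigger can only be true in the gap where one item has its new value and the other does not, which yields the 0 and 7 snapshot, while the ">0" trigger can only be true once both values are stored.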