Hi, I'm new to Zabbix and I think it's quite likely I'm doing something wrong, but I'm not certain. Perhaps someone here can help?
I have some string searches on my web access logs, to watch for attempted hacking activity. They work great, but every now and then Zabbix will trigger for old log entries. This creates a lot of spam and makes it difficult to follow the activity.
Here is the trigger expression I'm using:
{hostname:log[/etc/httpd/logs/access_log].str(htaccess)} or
{hostname:log[/etc/httpd/logs/access_log].str(c99.php)} or
{hostname:log[/etc/httpd/logs/access_log].str(r57.php)} or
{hostname:log[/etc/httpd/logs/access_log].str(filesman.php)} or
{hostname:log[/etc/httpd/logs/access_log].str(filemanager)} or
{hostname:log[/etc/httpd/logs/access_log].str(passthru)} or
{hostname:log[/etc/httpd/logs/access_log].str(shell_exec)} or
{hostname:log[/etc/httpd/logs/access_log].str(system)} or
{hostname:log[/etc/httpd/logs/access_log].str(phpinfo)} or
{hostname:log[/etc/httpd/logs/access_log].str(base64_decode)} or
{hostname:log[/etc/httpd/logs/access_log].str(edoced_46esab)} or
{hostname:log[/etc/httpd/logs/access_log].str(chmod)} or
{hostname:log[/etc/httpd/logs/access_log].str(mkdir)} or
{hostname:log[/etc/httpd/logs/access_log].str(fopen)} or
{hostname:log[/etc/httpd/logs/access_log].str(fclose)} or
{hostname:log[/etc/httpd/logs/access_log].str(w00tw00t)} or
{hostname:log[/etc/httpd/logs/access_log].str(setup.php)} or
{hostname:log[/etc/httpd/logs/access_log].str(readfile)} or
{hostname:log[/etc/httpd/logs/access_log].str(act=edit)} or
{hostname:log[/etc/httpd/logs/access_log].str(action=edit)}
Does Zabbix have a way to identify and ignore log entries which alerted previously? If so, I think that must be broken. If not, is there something I can do with my trigger expression to fix this? Help is appreciated.
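A stand-alone illustration of the detection logic in the trigger above, added here and not part of the original post or of Zabbix itself: the twenty substrings collapsed into one regular expression, run over a few constructed access_log lines, with a stored read offset so a second pass does not alert again on entries already handled. Only the keyword list is taken from the trigger; the sample log lines and the scan/offset helper are constructed for this example.

```python
import re

# Keyword list copied from the poster's trigger; everything else is constructed.
KEYWORDS = [
    "htaccess", "c99.php", "r57.php", "filesman.php", "filemanager",
    "passthru", "shell_exec", "system", "phpinfo", "base64_decode",
    "edoced_46esab", "chmod", "mkdir", "fopen", "fclose", "w00tw00t",
    "setup.php", "readfile", "act=edit", "action=edit",
]
# re.escape keeps "c99.php" a literal substring, like .str() treats it.
PATTERN = re.compile("|".join(re.escape(k) for k in KEYWORDS))

# Constructed sample access_log lines (not from the original post).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2015:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2015:10:00:02 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 0',
    '10.0.0.9 - - [01/Jan/2015:10:00:03 +0000] "GET /img/system-logo.png HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2015:10:00:04 +0000] "GET /wp-admin/setup.php HTTP/1.1" 404 0',
]


def scan(lines, start=0):
    """Return (matches, new_offset).

    Only lines at index >= start are examined. A caller that stores the
    returned offset and passes it back on the next run never re-alerts on
    entries it already handled; that is the property the poster wants from
    the trigger, here made explicit with a high-water mark.
    Each match is (line_index, matched_keyword, full_line).
    """
    matches = []
    for i in range(start, len(lines)):
        m = PATTERN.search(lines[i])
        if m:
            matches.append((i, m.group(0), lines[i]))
    return matches, len(lines)


if __name__ == "__main__":
    first, offset = scan(SAMPLE_LOG)
    # Note the third hit: the bare substring "system" also matches the
    # harmless /img/system-logo.png, a false positive that .str(system)
    # in the trigger would produce as well.
    for idx, keyword, line in first:
        print(f"line {idx}: matched {keyword!r}: {line}")
    # A second pass from the stored offset yields nothing new.
    second, offset = scan(SAMPLE_LOG, offset)
    print(f"second pass: {len(second)} new matches")
```

The false positive on `system-logo.png` shows why short substrings such as `system`, `chmod` and `mkdir` are best anchored to a request context (for example a query string) rather than matched anywhere in the line.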