Hello,
I have a problem with some (but not all!) "eventlog[]" items since I upgraded my Zabbix server to version 6. They are missing the source, severity, and timestamp values, but the agent sends them correctly. This is the data from the agent, with all the information in the first record:
On the server, however, the history for the item shows the text (from the "value" key), but the local time, source, and severity columns are empty, so my trigger that matches on the severity does not fire. The trigger expression is just "logseverity(/hostname/eventlog[Security,,,,@Authentication Event IDs])=7".
Other similar items have all fields present in history. It _may_ be relevant that they are reading logs other than Security, but since the data is in the request above, I don't think it is.
Server and client are both version 6.0.3, installed at about the same time. The last time the trigger fired was just before the upgrade to 6.
What could be wrong here? I see the agent sent two records, and the second one really makes no sense to me.
Thanks!
I have a problem with some (but not all!) "eventlog[]" items since I upgraded my Zabbix server to version 6. They are missing the source, severity, and timestamp values, but the agent sends them correctly. This is the data from the agent, with all the information in the first record:
Code:
{
"request": "agent data",
"session": "...",
"data":
[
{
"host": "hostname",
"key": "eventlog[Security,,,,@Authentication Event IDs]",
"value": "...censored...",
"lastlogsize": 13541184,
"timestamp": 1651216161,
"source": "Microsoft-Windows-Security-Auditing",
"severity": 7,
"eventid": 4771,
"id": 5939,
"clock": 1651216225,
"ns": 940128100
},
{
"host": "hostname",
"key": "eventlog[Security,,,,@Authentication Event IDs]",
"lastlogsize": 13541241,
"id": 5940,
"clock": 1651216226,
"ns": 33243500
}
],
"clock": 1651216226,
"ns": 37036500
}
Other similar items have all fields present in history. It _may_ be relevant that they are reading logs other than Security, but since the data is in the request above, I don't think it is.
Server and client are both version 6.0.3, installed at about the same time. The last time the trigger fired was just before the upgrade to 6.
What could be wrong here? I see the agent sent two records, and the second one really makes no sense to me.
Thanks!
Comment