Hi Everyone,
I have a weird situation where Zabbix is capturing event log data that I can't seem to locate in the event log on the host in question.
As an example, I am trying to capture any time a particular service state is changed from auto start to disabled via the System Event log (Source: Service Control Manager, event ID 7040 and event text contains "The start type of the 'service_name_goes_here' service was changed from auto start to disabled.").
Below is my exact item key (using Zabbix agent (active), type of info is Log, and my update interval is set at a reasonable 1m):
eventlog[System,"The start type of the Illumio VEN Agent Manager Service service was changed from auto start to disabled.",,Service Control Manager,7040,,skip]
My issue here is that when looking at latest data and history for this item on the host, I can see the events collected don't actually exist in the Windows event log on the host. See below. These aren't in the Windows event log, so where is Zabbix getting this data from? Because of these ghost entries, it's throwing off my triggers and sending alerts when there really isn't anything to alert for.
| Timestamp | Local Time | Source | Severity | Event ID | Value |
|---|---|---|---|---|---|
| 2024-03-17 15:44:14 | 2024-03-16 22:29:46 | Service Control Manager | Information | 7040 | The start type of the Illumio VEN Platform Handler Service service was changed from auto start to disabled. |
| 2024-03-17 13:53:21 | 2024-03-16 21:01:46 | Service Control Manager | Information | 7040 | The start type of the Illumio VEN Platform Handler Service service was changed from auto start to disabled. |
| 2024-03-17 13:52:17 | 2024-03-09 20:01:43 | Service Control Manager | Information | 7040 | The start type of the Illumio VEN Platform Handler Service service was changed from auto start to disabled. |
| 2024-03-17 13:51:13 | 2024-03-04 01:08:04 | Service Control Manager | Information | 7040 | The start type of the Illumio VEN Platform Handler Service service was changed from auto start to disabled. |
| 2024-03-17 13:49:08 | 2024-02-25 15:59:30 | Service Control Manager | Information | 7040 | The start type of the Illumio VEN Platform Handler Service service was changed from auto start to disabled. |
| 2024-03-17 13:49:07 | 2024-02-21 11:28:58 | Service Control Manager | Information | 7040 | The start type of the Illumio VEN Platform Handler Service service was changed from auto start to disabled. |
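
One way to cross-check collected history against an item key's own filters, as an added example that is not part of the original post and not Zabbix code. It assumes the documented `eventlog[name,regexp,severity,source,eventid,maxlines,mode]` parameter order, uses Python's `re` as an approximation of the agent's regular-expression matching, and the function names are hypothetical.

```python
import re

# Parameter order of the Zabbix agent eventlog[] item key.
PARAMS = ("name", "regexp", "severity", "source", "eventid", "maxlines", "mode")
COLUMNS = ("timestamp", "local_time", "source", "severity", "eventid", "value")

# Copied from the post: the item key and two of the collected history rows.
ITEM_KEY = 'eventlog[System,"The start type of the Illumio VEN Agent Manager Service service was changed from auto start to disabled.",,Service Control Manager,7040,,skip]'
HISTORY = [
    "| 2024-03-17 15:44:14 | 2024-03-16 22:29:46 | Service Control Manager | Information | 7040 | The start type of the Illumio VEN Platform Handler Service service was changed from auto start to disabled. |",
    "| 2024-03-17 13:53:21 | 2024-03-16 21:01:46 | Service Control Manager | Information | 7040 | The start type of the Illumio VEN Platform Handler Service service was changed from auto start to disabled. |",
]

def parse_key(key):
    """Split eventlog[...] into named parameters (simplified quote handling)."""
    m = re.fullmatch(r"eventlog\[(.*)\]", key.strip())
    if not m:
        raise ValueError("not an eventlog[] key")
    fields, cur, quoted = [], "", False
    for ch in m.group(1):
        if ch == '"':
            quoted = not quoted          # quotes delimit, they are not data
        elif ch == "," and not quoted:
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    fields.append(cur)
    return dict(zip(PARAMS, fields))

def parse_row(line):
    """Split one '| a | b | ... |' history row into named columns."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    return dict(zip(COLUMNS, cells))

def mismatches(key, row):
    """Names of key filters (regexp, source, eventid) the row fails."""
    checks = (("regexp", "value"), ("source", "source"), ("eventid", "eventid"))
    return [p for p, col in checks
            if key.get(p) and not re.search(key[p], row[col])]

if __name__ == "__main__":
    key = parse_key(ITEM_KEY)
    for line in HISTORY:
        row = parse_row(line)
        print(row["local_time"], mismatches(key, row) or "matches key")
```

A row that reports `regexp` here carries a value the key as written would not select, which is worth confirming against the item's actual configuration on the host before looking at the agent or the log itself.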