Windows
sflyer, 2019-02-28 11:55:49

Zabbix false trigger, how to write an expression correctly?

I receive an event log from the Windows server and look for an error using the expression:

{Windows AD SEC:eventlog["Microsoft-Windows-Backup",,,].logeventid(19)}=1

And it works great. But today I received a false positive - event 192 appeared and the trigger worked on it. How to set exact search by logeventid?


3 answer(s)
sflyer, 2019-03-01
@sflyer

The result is this.
If the Zabbix server version is 3.4 or higher, POSIX won't work (it doesn't respond to it at all). You need to use PCRE. This is what I did now, and it works great.
To compose my regular expression, I found a good service for this, https://regex101.com/, which is quite convenient.

Yuri Samoilov, 2019-02-28
@takezi

logeventid accepts a regular expression, I can't vouch for the accuracy, maybe something like this:

{Windows AD SEC:eventlog["Microsoft-Windows-Backup",,,].logeventid(\b1[19]\b)}=1

Sergey Ryzhkin, 2019-02-28
@Franciz

I'm not sure, but maybe this is the problem: logeventid(19)?
Have you tried specifying 192 instead of 19?
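
The false positive in the question can be reproduced offline. The following is an added example, not code from any of the posters or from Zabbix: it assumes that logeventid() applies its pattern as an unanchored regular-expression search (as the match on 192 suggests), uses Python's `re` as a stand-in for PCRE, and the event ID list and helper names are constructed for illustration.

```python
import re

# Constructed sample of event IDs that might arrive from the log (not real data).
SAMPLE_IDS = [4, 11, 14, 19, 119, 190, 192, 219, 1019, 5019]


def matched_ids(pattern, event_ids):
    """Return the event IDs an unanchored regex search would accept."""
    rx = re.compile(pattern)
    return [eid for eid in event_ids if rx.search(str(eid))]


def false_positives(pattern, wanted, event_ids):
    """Return IDs the pattern accepts that are not in the wanted set."""
    return [eid for eid in matched_ids(pattern, event_ids) if eid not in wanted]


def missed(pattern, wanted, event_ids):
    """Return wanted IDs present in the sample that the pattern fails to accept."""
    hits = set(matched_ids(pattern, event_ids))
    return [eid for eid in event_ids if eid in wanted and eid not in hits]


def audit(pattern, wanted, event_ids=SAMPLE_IDS):
    """Summarise how a trigger pattern behaves against a set of event IDs."""
    return {
        "pattern": pattern,
        "false_positives": false_positives(pattern, wanted, event_ids),
        "missed": missed(pattern, wanted, event_ids),
    }


if __name__ == "__main__":
    wanted = {19}
    # "19" is the pattern from the question; "^19$" is the anchored form;
    # r"\b1[19]\b" is the pattern suggested in the second answer.
    for pat in ("19", "^19$", r"\b1[19]\b"):
        print(audit(pat, wanted))
```

Running the audit against the full list of event IDs a source can emit, before deploying a trigger, shows whether the pattern fires on anything other than the intended ID.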
