Incident report
Resolution: Unresolved
Priority: Trivial
1. Problem Description:
Our database server (MSSQL 2019), which is configured with auditing enabled, is generating an unusually high volume of audit logs. Our analysis indicates this is caused by queries from our IT monitoring system, Zabbix.
The daily volume of these audit files (with a .DML extension) is approximately 400 MB, which is causing storage management issues and making meaningful security audits difficult because of the noise.
2. Environment Details:
Product in Question: [SQL Server 2019]
Monitoring Tool: Zabbix Agent2 [Version 6.4]
Zabbix Template Used: Template DB MSSQL by ODBC
Database User for Monitoring: [zabbix_user]
Server Operating System: [Windows Server 2016]
3. Analysis and Actions Already Taken:
Our investigation has confirmed that the log entries are generated by queries executed by the Zabbix agent. The standard Zabbix template for SQL monitoring frequently runs a master item that executes a broad query (SHOW GLOBAL STATUS;) to collect hundreds of performance metrics at once. Our audit policy is currently logging these operations.
To mitigate this, we have already performed the following actions within Zabbix:
Increased the polling interval of the main master item (db.odbc.get[get_status_variables,...]) from 2 minutes to 5 minutes.
Increased the polling interval of other database detail items from 4 minutes to 15 minutes.
Disabled all unused or unsupported items within the Zabbix template to reduce the number of queries.
Result: Despite these changes, the daily audit log size has not been significantly reduced. This indicates that while the frequency of queries was lowered, the verbose nature of each logged query continues to fill the logs.
4. Specific Questions and Request for Guidance:
We believe the most effective, long-term solution is to refine the audit configuration to intelligently handle monitoring traffic, rather than further reducing our monitoring capabilities.
Could you please provide your official recommendation and best practices for this scenario?
Our goal is to maintain our comprehensive database monitoring from Zabbix while preventing its benign, high-frequency queries from flooding our audit logs.
Thank you for your time and assistance. We look forward to your recommendations.
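The audit-side change this ticket asks about, shown as an added example rather than the reporter's or Zabbix's own configuration: SQL Server Audit accepts a filter predicate on the audit object, so events raised by the monitoring login can be discarded before they are written, without slowing Zabbix polling any further. The audit name Audit_Prod and the file path are assumed placeholders; zabbix_user is the login named in section 2.

```sql
-- 1. Measure which principal is producing the volume before changing anything.
--    Path is an assumed placeholder; native audit files carry the .sqlaudit extension.
SELECT server_principal_name, action_id, COUNT(*) AS events
FROM sys.fn_get_audit_file('D:\Audit\*.sqlaudit', DEFAULT, DEFAULT)
GROUP BY server_principal_name, action_id
ORDER BY events DESC;

-- 2. Attach a filter predicate to the audit object so events from the
--    monitoring login are dropped at the source. The audit must be
--    stopped before its predicate can be altered.
ALTER SERVER AUDIT [Audit_Prod] WITH (STATE = OFF);
ALTER SERVER AUDIT [Audit_Prod]
    WHERE server_principal_name <> 'zabbix_user';
ALTER SERVER AUDIT [Audit_Prod] WITH (STATE = ON);

-- 3. Confirm the predicate is stored and the audit is running again.
SELECT name, predicate, is_state_enabled
FROM sys.server_audits
WHERE name = 'Audit_Prod';

-- 4. Re-run the count from step 1 after a day to verify that zabbix_user
--    no longer appears and that the daily file size has dropped.
```

A principal-name predicate suppresses everything that login does, so it only makes sense when zabbix_user holds nothing beyond the read-only rights the template needs and its permissions are reviewed at the same time the filter is applied.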