ZABBIX FEATURE REQUESTS
ZBXNEXT-8182

Possibility to access Windows Log metadata in preprocessing


    • Type: New Feature Request
    • Resolution: Unresolved
    • Priority: Minor
    • Affects Version: 6.0.12
    • Component: Server (S)

      First of all, our use case.
      We use Zabbix for monitoring our Windows servers. So, our template includes items like the following:

      eventlog[Application,,"Warning|Error|Critical",,,100,skip]
      eventlog[System,,"Warning|Error|Critical",,,100,skip]
      

      The main idea is to inform the appropriate person about any significant messages in Windows Event Log.
      The main problem is to define the term "significant message" technically, because:

      • there are some messages with level=Error that could be safely ignored;
      • there are some messages with level=Warning that really are very important (for example, messages from a RAID Controller about a failed disk).

      So, in practice our trigger expressions are complex enough. Often they have logic like the following:

      IF (
        (level=Error OR level=Critical)
        AND
          NOT (source='Source1' AND eventid='1111') //ignore errors with id=1111 from Source1
        AND
          NOT (source='Source2' AND eventid='2222') //ignore errors with id=2222 from Source2
        AND
          NOT (source='Source3' AND eventid='3333') //ignore errors with id=3333 from Source3
      [...]
      ) OR (
        level=Warning
        AND (
          (source='SourceX' AND eventid='XXXX') //accept warnings with id=XXXX from SourceX
          OR
          (source='SourceY' AND eventid='YYYY') //accept warnings with id=YYYY from SourceY
        )
      )
      

      It would be great if some of this logic were available in preprocessing: for example, if (source='Source1' AND eventid='1111') then just discard the value. It could dramatically simplify our trigger expressions.

      Unfortunately, at the moment none of this Event Log metadata (EventID, Source, Severity, original timestamp) can be accessed during the preprocessing stage.

      There could be different approaches to implementing these checks, for example: make the system macros {ITEM.LOG.*<1-9>} ({ITEM.LOG.EVENTID}, {ITEM.LOG.NSEVERITY}, {ITEM.LOG.SOURCE}) available during preprocessing, or provide functions like logeventid()/logseverity()/logsource() in JavaScript.
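      An added illustration, not code from the ticket or from Zabbix: the trigger logic above written as a JavaScript function of the kind a preprocessing step could run if the event metadata were exposed. It assumes a hypothetical `meta` object with `source`, `eventid` and `severity` fields (what the requested {ITEM.LOG.SOURCE}, {ITEM.LOG.EVENTID} and {ITEM.LOG.NSEVERITY} macros would supply; severity is treated as a text level here for readability) and reuses the ticket's placeholder sources and event IDs.

```javascript
// Added example, not from the ticket or from Zabbix. Assumption: a
// preprocessing step receives the Event Log metadata as an object
// {source, eventid, severity} built from the requested {ITEM.LOG.*} values.

// Errors/Criticals that are known noise (placeholder pairs from the ticket).
var IGNORED_ERRORS = [
  { source: 'Source1', eventid: 1111 },
  { source: 'Source2', eventid: 2222 },
  { source: 'Source3', eventid: 3333 }
];

// Warnings that must never be dropped, e.g. a RAID controller reporting
// a failed disk (placeholder pairs from the ticket).
var IMPORTANT_WARNINGS = [
  { source: 'SourceX', eventid: 'XXXX' },
  { source: 'SourceY', eventid: 'YYYY' }
];

// True when (source, eventid) of the event matches any rule in the list.
// Event IDs are compared as strings so numeric and text IDs both work.
function matchesAny(rules, meta) {
  return rules.some(function (r) {
    return r.source === meta.source && String(r.eventid) === String(meta.eventid);
  });
}

// True when the event should be kept for triggers; false when a
// preprocessing step could discard it before it reaches the server.
function isSignificant(meta) {
  var level = meta.severity;
  if (level === 'Error' || level === 'Critical') {
    return !matchesAny(IGNORED_ERRORS, meta);   // deny list for errors
  }
  if (level === 'Warning') {
    return matchesAny(IMPORTANT_WARNINGS, meta); // allow list for warnings
  }
  return false;                                  // Information etc. never forwarded
}

// Constructed sample events so the block runs stand-alone.
var SAMPLE_EVENTS = [
  { source: 'Source1', eventid: 1111,   severity: 'Error' },       // ignored
  { source: 'Source1', eventid: 1112,   severity: 'Error' },       // kept
  { source: 'SourceX', eventid: 'XXXX', severity: 'Warning' },     // kept
  { source: 'SourceZ', eventid: 9,      severity: 'Warning' },     // dropped
  { source: 'Disk',    eventid: 7,      severity: 'Information' }  // dropped
];

function filterEvents(events) { return events.filter(isSignificant); }

console.log(filterEvents(SAMPLE_EVENTS)); // prints the two kept events
```

      How a false result would map to an actual discard in Zabbix (for example via a failing step with "custom on fail: discard value") is left open here, since the metadata itself is what this request asks to expose.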


            Assignee: Andris Zeila (wiper)
            Reporter: Constantin Oshmyan (constantin.oshmyan)