Type: New Feature Request
Resolution: Unresolved
Priority: Minor
Version: 6.0.12
First of all, our use case.
We use Zabbix for monitoring our Windows servers. So, our template includes items like the following:
    eventlog[Application,,"Warning|Error|Critical",,,100,skip]
    eventlog[System,,"Warning|Error|Critical",,,100,skip]
The main idea is to inform the appropriate person about any significant messages in Windows Event Log.
The main problem is to define the term "significant message" technically, because:
- there are some messages with level=Error that could be safely ignored;
- there are some messages with level=Warning that really are very important (for example, messages from a RAID Controller about a failed disk).
So, in practice our trigger expressions are complex enough. Often they have logic like the following:
    IF (
        (level=Error OR level=Critical)
        AND NOT (source='Source1' AND eventid='1111')    // ignore errors with id=1111 from Source1
        AND NOT (source='Source2' AND eventid='2222')    // ignore errors with id=2222 from Source2
        AND NOT (source='Source3' AND eventid='3333')    // ignore errors with id=3333 from Source3
        [...]
    )
    OR (
        level=Warning
        AND (
            (source='SourceX' AND eventid='XXXX')        // accept warnings with id=XXXX from SourceX
            OR (source='SourceY' AND eventid='YYYY')     // accept warnings with id=YYYY from SourceY
        )
    )
It would be great if some of this logic were available in preprocessing: for example, if (source='Source1' AND eventid='1111') then just discard the value. It could dramatically simplify our trigger expressions.
Unfortunately, at the moment none of this Event Log metadata (EventID, Source, Severity, original timestamp) is accessible during the preprocessing stage.
There could be different approaches to implementing these checks, for example: make the system macros {ITEM.LOG.*<1-9>} ({ITEM.LOG.EVENTID}, {ITEM.LOG.NSEVERITY}, {ITEM.LOG.SOURCE}) available during preprocessing; or make functions like logeventid()/logseverity()/logsource() available in JavaScript.
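As an added illustration (not code from the issue or from Zabbix), the following JavaScript shows the "significant message" rule from the request expressed as a data-driven ignore/accept table, in the shape a preprocessing step would take if event metadata were reachable. The event object with source, eventid and level fields is an assumption: today a Zabbix JavaScript preprocessing step receives only the log text, which is exactly what the request asks to change. The rule entries and sample events are constructed; SourceX/SourceY event IDs are placeholders standing in for the XXXX/YYYY above.

```javascript
// Added example: data-driven version of the trigger logic in the request.
// ASSUMPTION: an event object {source, eventid, level, text} is available to
// the preprocessing script (not the case in Zabbix 6.0; see the request).

// Errors/Criticals that are known noise and can be dropped (constructed).
const IGNORED_ERRORS = [
  { source: "Source1", eventid: 1111 },
  { source: "Source2", eventid: 2222 },
  { source: "Source3", eventid: 3333 },
];

// Warnings that must still alert, e.g. a RAID controller reporting a failed
// disk (constructed; 4444/5555 are placeholders for XXXX/YYYY).
const ACCEPTED_WARNINGS = [
  { source: "SourceX", eventid: 4444 },
  { source: "SourceY", eventid: 5555 },
];

function matchesAny(rules, ev) {
  return rules.some((r) => r.source === ev.source && r.eventid === ev.eventid);
}

// True when the event is "significant" and should reach the trigger;
// false when preprocessing could discard it. Mirrors the IF/OR expression:
// errors are significant unless ignored, warnings only if accepted.
function isSignificant(ev) {
  if (ev.level === "Error" || ev.level === "Critical") {
    return !matchesAny(IGNORED_ERRORS, ev);
  }
  if (ev.level === "Warning") {
    return matchesAny(ACCEPTED_WARNINGS, ev);
  }
  return false;
}

// Shape of a Zabbix JavaScript preprocessing step: return the value to pass
// on, or throw so that a step configured with "custom on fail: discard value"
// drops it. The `ev` argument is the hypothetical metadata.
function preprocess(value, ev) {
  if (!isSignificant(ev)) {
    throw "discard: " + ev.source + "/" + ev.eventid + " (" + ev.level + ") is not significant";
  }
  return value;
}

// Constructed sample events for a stand-alone run.
const SAMPLE_EVENTS = [
  { source: "Source1", eventid: 1111, level: "Error", text: "known noisy error" },
  { source: "Disk", eventid: 9, level: "Error", text: "unexpected error" },
  { source: "SourceX", eventid: 4444, level: "Warning", text: "RAID: disk failed" },
  { source: "Other", eventid: 1, level: "Warning", text: "routine warning" },
  { source: "Any", eventid: 1, level: "Information", text: "informational" },
];

// Returns each sample event annotated with the decision, for inspection.
function classifyAll(events) {
  return events.map((ev) => ({ ...ev, significant: isSignificant(ev) }));
}

for (const row of classifyAll(SAMPLE_EVENTS)) {
  console.log(row.source + "/" + row.eventid + " " + row.level + " -> " + (row.significant ? "keep" : "discard"));
}
```

Keeping the ignore and accept lists as data rather than nested AND/OR clauses is the point: the trigger expression collapses to a check on whether a value arrived at all, and adding a new noisy event ID is a one-line table change instead of another NOT clause.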