[ZBXNEXT-1701] support global regexps in "logsource()" trigger function
Created: 2013 Apr 08  Updated: 2018 Jul 19  Resolved: 2018 Jul 19

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Server (S)
Affects Version/s: 2.0.5
Fix Version/s: 4.0.0alpha9, 4.0 (plan)

Type: New Feature Request
Priority: Trivial
Reporter: Prostrelov
Assignee: Viktors Tjarve
Resolution: Fixed
Votes: 5
Labels: eventlog, globalregexps, logmonitoring, regexps
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
Sub-task
Team: Team A
Sprint: Sprint 35, Sprint 36, Sprint 37, Sprint 38
Story Points: 2

 Description   

It would be great if we could use global regular expressions in triggers.
I need to receive unknown events from eventlog but only those that I need. So I can create a list (global regular expression) of event IDs that I don't need.
As we know, different applications (sources) can have the same ID numbers. So we need to connect ID numbers and application names.

And it would be much easier if we could use these triggers for events from a specific application and with all IDs except the list from global expression @ID_EVENTLOG ...

{TESTCOMP:eventlog[System,,"Warning|Error"].logsource("WinHTTP")}=1&{TESTCOMP:eventlog[System,,"Warning|Error"].logeventid(@ID_EVENTLOG)}=0

... and these triggers for events from applications that we don't know yet:

{TESTCOMP:eventlog[System,,"Warning|Error"].logsource(@APPLICATION_EVENTLOG)}=0

  • @ID_EVENTLOG: IDs that we don't want to receive
  • @APPLICATION_EVENTLOG: applications that we already know



 Comments   
Comment by Oleksii Zagorskyi [ 2013 Apr 08 ]

Initially discussed on the forum (in Russian): https://www.zabbix.com/forum/showthread.php?p=129687#post129687

Comment by Oleksii Zagorskyi [ 2013 Apr 08 ]

Actually this issue reporter wanted to say that trigger function logsource() doesn't support global regexps and it's the feature he requested to implement.

I'm fixing issue summary.

Comment by Oleksii Zagorskyi [ 2013 Apr 08 ]

A couple words about backward compatibility.

List of logsources you can find in this registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\<eventlogtype>

I briefly checked and I did not find logsource names which are "similar". By "similar" I mean if one full name is a part of another name.
Well, there are a few exceptions - COM, COM+; acpi, acpiec; OSPF, OSPFmib; pci, pciide; Print, PrintFilterPipelineSvc; SNMP, SNMPTRAP - but we could ignore them, this is just 1% or less of all names.

So if we replace current functionality to use a regexp instead of "exact text match" we should not have any problems with backward compatibility.

Just a note: an identical logsource name cannot be shared between two or more different log types.
An attempt to create such a log record (manually, for example with the "eventcreate" Windows command) will cause an error.

Voted !

Comment by Daniel V [ 2017 Feb 28 ]

I know this is a very old issue, yet I ran exactly into this problem. I want Zabbix to alert me each time an event has the severity Warning, Error or Critical. Yet I want to filter events which I don't care about.

The best example is the System event from TerminalServices-Printers. This is an Error, but not relevant in any form. See for more info:
https://support.microsoft.com/en-us/help/2004736/if-you-use-terminal-services-with-the-printers-option-selected-to-connect-to-a-windows-server-2008-r2,-it-may-log-error-terminalservices-printers-1111.

Is there a chance this gets implemented in Zabbix anytime soon? Or is there already a solution to this in 3.X?

Comment by Viktors Tjarve [ 2018 Jun 20 ]

Fixed in development branch svn://svn.zabbix.com/branches/dev/ZBXNEXT-1701

Comment by Viktors Tjarve [ 2018 Jul 12 ]

 

Source                    Expected
------------------------  --------------------------
logsource(abc)            logsource(^abc$)
logsource("abc")          logsource("^abc$")
logsource( abc )          logsource( ^abc $)
logsource( "abc" )        logsource( "^abc$" )
logsource("\"abc\"")      logsource("^\"abc\"$")
logsource("\"a\bc\"")     logsource("^\"a\\bc\"$")
logsource("a\"bc")        logsource("^a\"bc$")
logsource(a\"bc)          logsource(^a\\"bc$)
logsource()               logsource(^$)
logsource( )              logsource( ^$)
logsource("")             logsource("^$")
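
Added example, not part of the thread and not Zabbix's own code: a Python sketch that rewrites an exact-match logsource() parameter as an anchored regexp, reproduces the Source/Expected rows above, and checks the result against the "similar" names listed in the 2013 comment. The function names are hypothetical, Python's `re` stands in for the server's regexp engine, and escaping metacharacters other than the backslash is an assumption (the table only shows the backslash case).

```python
import re

# Assumption: the table only shows the backslash being escaped; the other
# regexp metacharacters are escaped here so that names like "COM+" stay literal.
META = set(r"\.^$*+?()[]{}|")

def split_param(param):
    """Split a logsource() parameter into (lead, quoted, value, trail)."""
    body = param.lstrip(" ")
    lead = param[:len(param) - len(body)]
    if not body.startswith('"'):
        return lead, False, body, ""  # unquoted: trailing spaces are part of the value
    m = re.fullmatch(r'"((?:\\"|[^"])*)"(.*)', body, re.S)
    if m is None:
        raise ValueError("unterminated quoted parameter: %r" % param)
    return lead, True, m.group(1).replace('\\"', '"'), m.group(2)

def convert(param):
    """Rewrite an exact-match parameter as an anchored regexp, keeping its quoting."""
    lead, quoted, value, trail = split_param(param)
    pattern = "^" + "".join("\\" + c if c in META else c for c in value) + "$"
    if quoted:
        return lead + '"' + pattern.replace('"', '\\"') + '"' + trail
    return lead + pattern

def matched(param, names):
    """Names that the regexp held in `param` matches, using an unanchored search."""
    pattern = split_param(param)[2]
    return [n for n in names if re.search(pattern, n)]

# Source/Expected rows copied from the comment above.
TABLE = [
    ('abc', '^abc$'), ('"abc"', '"^abc$"'), (' abc ', ' ^abc $'),
    (' "abc" ', ' "^abc$" '), (r'"\"abc\""', r'"^\"abc\"$"'),
    (r'"\"a\bc\""', r'"^\"a\\bc\"$"'), (r'"a\"bc"', r'"^a\"bc$"'),
    (r'a\"bc', r'^a\\"bc$'), ('', '^$'), (' ', ' ^$'), ('""', '"^$"'),
]
# The "similar" logsource names listed in the 2013 comment.
NAMES = ["COM", "COM+", "acpi", "acpiec", "OSPF", "OSPFmib", "pci", "pciide",
         "Print", "PrintFilterPipelineSvc", "SNMP", "SNMPTRAP"]

if __name__ == "__main__":
    for source, expected in TABLE:
        assert convert(source) == expected, (source, convert(source))
    for name in ("SNMP", "COM+"):
        print(name, "as plain regexp:", matched(name, NAMES),
              "| converted:", matched(convert(name), NAMES))
```
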

 

Comment by Viktors Tjarve [ 2018 Jul 17 ]

Released in:

  • 4.0.0alpha9 r82798