I have Zabbix 6.0 LTS monitoring a log file on one of our production servers for any time a file is opened. This is important if and only if that file is opened as read only first. My issue is how do I avoid needing to interact with Zabbix if that one correlation is not an issue.
I have set up two items, one to catch the logs that say files are opened in read only mode, and one to catch when a file is opened. For the former, an event correlation is in place so that if a file is opened in read only, then opened again but not in read only, the event is cleared. I use Tags to do it, somehow. But there can be a large number of files on a server and, if I do my job right, this correlation does not happen. But that may mean that I get 20 or more spam notifications that files have opened and I have to go in and mass acknowledge and close them. (Really not a BIG deal right now but I will have 40+ servers...) I have seen in the default templates several (most notably the "Operating system information has changed" notification) that will close after about 5 min. The question is: How do I most effectively set up the triggers to close automatically after a short pause if the correlation is not present?
FileOpenedAsReadOnly Item:
log[{$EVENTLOGLOCATION},"\t(18)\t",,,skip,,,,]
PostProcessing: RegEx (\t(.*)$), Trim (\t)
Trigger: length(last(/FMS Event Log/log[{$EVENTLOGLOCATION},"\t(18)\t",,,skip,,,,]))>0
FileOpened Item:
log[{$EVENTLOGLOCATION},"\t(184)\t",,,skip,,,,]
PostProcessing: RegEx (\t(.*)$), Trim (\t)
Trigger: length(last(/FMS Event Log/log[{$EVENTLOGLOCATION},"\t(184)\t",,,skip,,,,]))>0
Trigger Configuration Event Correlation
I have tried using the code from the "Operating system information has changed" trigger, or modifying it slightly to get the timed close effect, but the correlating nature of the issues always seems to get in the way. I can account for time, OR I can account for the correlating event, but I cannot figure out how to account for both. I have done some general Googling and have not found anything that really describes a step by step process to do it, but have seen some places that just say that it's a bit difficult to manage.
Frankly, I am questioning whether the items/triggers are set up right. All that jazz. So I am happy if there is a way to do it even if I have to change something about how I set the system up.
I have been using Zabbix for a while but have just now started a goal oriented look into templates. Zabbix docs have been hard for me to figure out, but I can thank them for getting me this far. I have a test environment that I can leverage. But it's probably just ignorance and blockheadedness that is making it hard for me. I will update this post if I find any helpful links or details. Let me know if I can add something to help make this clearer. Thanks!
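To pin down the behaviour the post is asking for (a read-only open raises a problem, a later non-read-only open of the same file clears it, and an open with no matching read-only problem closes itself after a short grace period), here is a small Python model of that event lifecycle. It is an added example, not the poster's Zabbix configuration and not anything from the Zabbix project; it only mirrors the two item patterns (event codes 18 and 184) and the tag-per-file correlation described above. The log line layout, the file names, the 5 minute grace period and the assumption that the file name is the first token of the message are all constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample log, tab separated: timestamp, event code, message.
# Codes 18 (opened read only) and 184 (opened) follow the item patterns in
# the post; the rest of the line layout is an assumption.
SAMPLE_LOG = [
    "2024-01-01 10:00:00\t18\tSales.fmp12 opened read only",
    "2024-01-01 10:00:05\t184\tInventory.fmp12 opened",
    "2024-01-01 10:01:00\t184\tSales.fmp12 opened",
    "2024-01-01 10:02:00\t184\tContacts.fmp12 opened",
]

LINE_RE = re.compile(r"^(?P<ts>[^\t]+)\t(?P<code>\d+)\t(?P<msg>.*)$")
READ_ONLY, OPENED = "18", "184"
GRACE = timedelta(minutes=5)  # assumed auto-close delay for uncorrelated opens
TS_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Problem:
    kind: str                 # "FileOpenedAsReadOnly" or "FileOpened"
    file: str                 # the tag value the two triggers correlate on
    opened_at: datetime
    closed_at: Optional[datetime] = None
    reason: Optional[str] = None


class Correlator:
    """Models the two triggers plus the timed auto-close the post asks for."""

    def __init__(self, grace: timedelta = GRACE):
        self.grace = grace
        self.problems: List[Problem] = []

    def _active(self, kind: str, file: str) -> Optional[Problem]:
        for p in self.problems:
            if p.kind == kind and p.file == file and p.closed_at is None:
                return p
        return None

    def feed(self, line: str) -> None:
        m = LINE_RE.match(line)
        if not m:
            return  # lines matching neither item are ignored, like Zabbix does
        ts = datetime.strptime(m["ts"], TS_FMT)
        file = m["msg"].split()[0]  # assumption: first token is the file name
        self.expire(ts)
        if m["code"] == READ_ONLY:
            # One problem per file, like a trigger in single event mode.
            if not self._active("FileOpenedAsReadOnly", file):
                self.problems.append(Problem("FileOpenedAsReadOnly", file, ts))
        elif m["code"] == OPENED:
            ro = self._active("FileOpenedAsReadOnly", file)
            if ro:
                # The correlation case: the open resolves the read-only problem.
                ro.closed_at, ro.reason = ts, "correlated: reopened read-write"
            else:
                # No read-only problem to resolve: this is the "spam" case.
                self.problems.append(Problem("FileOpened", file, ts))

    def expire(self, now: datetime) -> None:
        """Auto-close FileOpened problems older than the grace period."""
        for p in self.problems:
            if (p.kind == "FileOpened" and p.closed_at is None
                    and now - p.opened_at >= self.grace):
                p.closed_at = now
                p.reason = "auto-closed: no matching read-only open"

    def active(self) -> List[Problem]:
        return [p for p in self.problems if p.closed_at is None]


def simulate(lines: List[str], now: str) -> dict:
    """Replay the log, then report what is still open at time `now`."""
    c = Correlator()
    for line in lines:
        c.feed(line)
    c.expire(datetime.strptime(now, TS_FMT))
    return {
        "active": [(p.kind, p.file) for p in c.active()],
        "closed": {p.file: p.reason for p in c.problems if p.closed_at},
    }


if __name__ == "__main__":
    print(simulate(SAMPLE_LOG, "2024-01-01 10:06:00"))
```

Replaying the constructed log at 10:06 leaves only the Contacts open (4 minutes old) active: the Sales read-only problem was cleared by its later open, and the Inventory open aged out after 5 minutes with no read-only problem to correlate against. That split, correlate on the tag first and only then let the clock close the leftovers, is the ordering to reproduce in the trigger recovery settings.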