Using event tags for correlation

Correlation in Zabbix can be used on two different levels:

  • On the trigger level
  • On the global level

Trigger level-based correlation: As the name suggests, this occurs on triggers and can be used to relate different problems to a solution by closing, for example, a trigger. Trigger-based event correlation, in short, allows us to correlate separate problems reported by one trigger. It's very useful for log monitoring, SNMP traps, and so on. In Chapter 10, Advanced Item Monitoring, we will see how we can use trigger-based correlation in our log monitoring to close triggers based on tags.

Global-based correlation: This is a way to correlate problems to a solution based on different triggers by making use of global rules. Global event correlation allows us to do some preprocessing of problems based on the event tag information on a trigger. Here, we will create a global correlation rule and, based on this rule, problems can be closed. This allows us to focus on the root cause of the problems instead of having to look through a list of trigger problems.

Let's have a look at our event correlation screen by going to Configuration | Event correlation and clicking on Create correlation:

When creating a new condition, we have several options to choose from:

  • Old event tag: Specify the old event tag for matching
  • New event tag: Specify the new event tag for matching
  • New event host group: Specify the new event host group for matching
  • Event tag pair: Specify new event tag and old event tag for matching (values are used)
  • Old event tag value: Specify the old event tag name and value for matching
  • New event tag value: Specify the new event tag name and value for matching

Let's imagine we have a trigger on an MS SQL Server that monitors a log for this application and detects an error. Let's also imagine we have added a tag on this trigger with the name Application with the problem tag:

Next, we have another trigger that monitors the service state of this MS SQL Server with the Service tag and stopped value:

We now have two triggers in an error state, one that warns us of the errors in the log file and another trigger that warns us that the service is stopped. What we have to do now in our global correlation rule is create a rule that closes the old event and only keeps the new event open:

In our condition, we will create a rule that says that the old event tag Application equals Ms SQL Server and that the new event tag Service should contain stopped. In our Operations tab, we can then add that old events can be closed by Zabbix:

This will allow us to focus on only one problem by closing the old event, meaning that we are only focusing on the newly created event.

Of course, it can happen that we first see the service as stopped and then the error in the log file. For cases like this, we have to create another correlation rule.
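
The order dependence described above can be seen in a small model. This is an added example, not Zabbix code and not from the book: `Event`, `Rule` and `process` are hypothetical names, the matching is a simplified stand-in for Zabbix's correlation engine, and the second rule (close the new event when the service problem is already open) is one assumed form of the extra rule.

```python
from dataclasses import dataclass

@dataclass
class Event:
    name: str
    tags: dict            # tag name -> tag value
    closed: bool = False

@dataclass
class Rule:
    old_tag: tuple        # (tag, operator, value) tested on problems already open
    new_tag: tuple        # (tag, operator, value) tested on the incoming problem
    close_old: bool = False
    close_new: bool = False

def tag_matches(event, cond):
    tag, op, value = cond
    if tag not in event.tags:
        return False
    actual = event.tags[tag]
    return actual == value if op == "equals" else value in actual

def process(stream, rules):
    """Feed problems in arrival order; return the names of those still open."""
    open_events = []
    for new in stream:
        for rule in rules:
            olds = [e for e in open_events
                    if not e.closed and tag_matches(e, rule.old_tag)]
            if not olds or not tag_matches(new, rule.new_tag):
                continue  # a rule fires only when both conditions hold
            if rule.close_old:
                for e in olds:
                    e.closed = True
            new.closed = new.closed or rule.close_new
        open_events = [e for e in open_events + [new] if not e.closed]
    return [e.name for e in open_events]

# Constructed sample events carrying the tags used in the text.
def log_error():
    return Event("SQL log error", {"Application": "Ms SQL Server"})

def service_down():
    return Event("SQL service stopped", {"Service": "stopped"})

# The rule from the text: old Application = Ms SQL Server, new Service contains stopped.
LOG_THEN_SERVICE = Rule(("Application", "equals", "Ms SQL Server"),
                        ("Service", "contains", "stopped"), close_old=True)
# Assumed form of the second rule, covering the reverse arrival order.
SERVICE_THEN_LOG = Rule(("Service", "contains", "stopped"),
                        ("Application", "equals", "Ms SQL Server"), close_new=True)
```

With only the first rule, a service problem that arrives before the log error leaves both problems open; adding the second rule leaves just the service problem.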