Trigger count SNMP traps


I have an SNMP trap sending a message to Zabbix each time there's a login failure. The message looks like:

20161207.134900 XCB-SNMP-MIB::xcbLoginFailure 0 (null) XCB-SNMP-MIB::description Authentication failed; username='sgsgsgsgsg' XCB-SNMP-MIB::peerAddress 10.138.1.31

I want, for example, to get a notification when I got more than 5 failed logins in the last 2 minutes (so I got more than 5 traps). I tried an expression like this:

{Testhost:snmptrap["XCB-SNMP-MIB::xcbLoginFailure"].count(2m)}>5

But it isn't working. Is there any mistake in the expression, or should I look somewhere else for the reason the trigger isn't working? If the expression is bad, how can I fix it?


Solution

  • To make it work I changed:

    {Testhost:snmptrap["XCB-SNMP-MIB::xcbLoginFailure"].count(2m)}>5
    

    to:

    {Testhost:snmptrap["XCB-SNMP-MIB::xcbLoginFailure"].count(2m,username)}>5
    

    since I got 2 types of login failure messages:

    20161208.131643 XCB-SNMP-MIB::xcbLoginFailure 0 (null) XCB-SNMP-MIB::description Authentication failed; username='dgdg' XCB-SNMP-MIB::peerAddress 10.138.1.31
    

    and:

    20161208.131641 XCB-SNMP-MIB::xcbLoginFailure 0 (null) XCB-SNMP-MIB::description Invalid username; username='' XCB-SNMP-MIB::peerAddress 10.138.1.31
    

    and both of them contain "username", so I just count how many times that phrase occurred.
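
To check offline what a pattern such as `username` will count before putting it in the trigger, the following added example (not code from the question or the answer) models `count(2m,<pattern>)` as a substring match over traps received in the last two minutes and also breaks the window down by `peerAddress`. The sample traps are constructed, and the address 10.138.1.40, the function names and the `(now - 2m, now]` window boundary are assumptions of this sketch.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

LINE = ("{ts} XCB-SNMP-MIB::xcbLoginFailure 0 (null) XCB-SNMP-MIB::description "
        "{desc}; username='{user}' XCB-SNMP-MIB::peerAddress {peer}")
# Constructed sample traps in the format shown above (not captured data).
SAMPLE = "\n".join(LINE.format(ts=t, desc=d, user=u, peer=p) for t, d, u, p in [
    ("20161208.131200", "Authentication failed", "old", "10.138.1.31"),  # outside window
    ("20161208.131501", "Authentication failed", "dgdg", "10.138.1.31"),
    ("20161208.131520", "Invalid username", "", "10.138.1.31"),
    ("20161208.131541", "Authentication failed", "dgdg", "10.138.1.31"),
    ("20161208.131602", "Invalid username", "", "10.138.1.31"),
    ("20161208.131620", "Authentication failed", "admin", "10.138.1.40"),
    ("20161208.131643", "Authentication failed", "dgdg", "10.138.1.31"),
])
TRAP_RE = re.compile(
    r"^(\d{8}\.\d{6}) \S+::xcbLoginFailure .* XCB-SNMP-MIB::peerAddress (\S+)$")
TWO_MIN = timedelta(minutes=2)

def parse_traps(text):
    """Return [(timestamp, raw_line, peer_address)] for login-failure trap lines."""
    out = []
    for line in text.splitlines():
        m = TRAP_RE.match(line.strip())
        if m:  # anything that is not a login-failure trap is skipped
            ts = datetime.strptime(m.group(1), "%Y%m%d.%H%M%S")
            out.append((ts, line.strip(), m.group(2)))
    return out

def count_like(traps, now, pattern="", window=TWO_MIN):
    """Number of traps in (now - window, now] whose text contains pattern."""
    return sum(1 for ts, raw, _ in traps
               if now - window < ts <= now and pattern in raw)

def per_peer(traps, now, window=TWO_MIN):
    """Failures per source address in the same window."""
    return Counter(peer for ts, _, peer in traps if now - window < ts <= now)

if __name__ == "__main__":
    traps = parse_traps(SAMPLE)
    now = traps[-1][0]  # evaluate at the time of the newest trap
    for pattern in ("username", "Authentication failed"):
        n = count_like(traps, now, pattern)
        print(f"{pattern!r}: count={n} fires={n > 5}")
    print(per_peer(traps, now).most_common())
```

A pattern that appears in only one of the two message types, such as `Authentication failed`, undercounts the burst, which is why a string common to both is used.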