I have a problem with Zabbix: I want it to search through /var/log/log.auth and send a notification when someone logs in by SSH. I know how to send notifications when a trigger is active, but I don't know how to create this exact trigger.
You should set up a log item like log[/var/log/log.auth,authentication successful]
(or the exact string you are looking for in the logfile).
Then you should create a corresponding trigger with the regexp function: .regexp(authentication successful)}=1
From the doc, regexp:
Returns:
1 - found
0 - otherwise
It's a bit redundant, but it's good to filter out everything you don't need before storing it into Zabbix.
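
A way to check a candidate string against real log lines before putting it into the item key and the trigger, as an added example that is not part of the original thread. The sample lines are constructed in the usual OpenSSH sshd format, the SSH_LOGIN pattern and the function names are assumptions, and Python's re module stands in for Zabbix's own regular expression matching.

```python
import re

# Constructed sample lines in the usual OpenSSH sshd syslog format.
SAMPLE_LINES = [
    "Mar  3 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2",
    "Mar  3 10:15:09 web01 sshd[2215]: Accepted publickey for deploy from 198.51.100.23 port 51514 ssh2",
    "Mar  3 10:16:40 web01 sshd[2230]: Accepted password for alice from 192.0.2.10 port 50022 ssh2",
    "Mar  3 10:16:41 web01 sshd[2230]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Mar  3 10:17:00 web01 CRON[2301]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

# Assumed pattern for successful SSH logins; it is not taken from the thread.
SSH_LOGIN = r"Accepted (password|publickey) for"


def log_item(lines, pattern):
    """Stand-in for log[file,pattern]: only matching lines are stored."""
    return [line for line in lines if re.search(pattern, line)]


def trigger_regexp(value, pattern):
    """Stand-in for the trigger function regexp(): 1 if found, 0 otherwise."""
    return 1 if re.search(pattern, value) else 0


def fired(lines, item_pattern, trigger_pattern):
    """Stored lines for which the trigger test regexp(pattern)=1 holds."""
    return [value for value in log_item(lines, item_pattern)
            if trigger_regexp(value, trigger_pattern) == 1]


if __name__ == "__main__":
    # Compare the literal string from the answer with the assumed sshd pattern.
    for pattern in ("authentication successful", SSH_LOGIN):
        hits = fired(SAMPLE_LINES, pattern, pattern)
        print(f"{pattern!r}: {len(hits)} notification(s)")
        for line in hits:
            print("   ", line)
```

On these sample lines the literal string matches nothing, so the item would store no values and the trigger would never fire, which is why the string has to be checked against what the logfile actually contains.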