Zabbix reacts to events by executing set of operations. An action can be defined for any event or set of events generated by Zabbix.
Action attributes:
Parameter | Description |
---|---|
Name | Unique action name. |
Event source | Source of event. Currently three sources are supported: Triggers - events generated by trigger status changes Discovery - events generated by network discovery module Auto registration - events generated by new active agents |
Enable escalations | Enable escalations. If enabled, the action will be escalated according to operation steps defined for operations. |
Period (seconds) | Time period for increase of escalation step. |
Default subject | Default notification subject. The subject may contain macros. |
Default message | Default notification message. The message may contain macros. |
Recovery message | If enabled, Zabbix will send a recovery message after the original problem is resolved. The messages will be sent only to those who received any message regarding this problem before. |
Recovery subject | Subject of the recovery message. It may contain macros. |
Recovery message | Recovery message. It may contain macros. |
Status | Action status: Enabled - action is active Disabled - action is disabled |
Warning: before enabling recovery messages or escalations, make sure to add "Trigger value = PROBLEM" condition to the action, otherwise remedy events can become escalated as well.
An action is executed only in case if an event matches defined set of conditions.
The following conditions can be defined for trigger based events:
Condition type | Supported operators | Description |
---|---|---|
Application | = like not like |
= - event came from a trigger, which refers to an item that is linked to the specified application like - event came from a trigger, which refers to an item that is linked to an application, containing the string not like - event came from trigger, which refers to an item that is linked to an application not containing the string |
Host group | = <> |
Compare against host group having a trigger which generated event. = - event came from this host group <> - event did not come from this host group |
Host template | = <> |
Compare against Host Template the trigger belongs to. = - event came from a trigger inherited from this Host Template <> - event did not come from a trigger inherited from this Host Template |
Host | = <> |
Compare against Host having a trigger which generated event. = - event came from this Host <> - event did not come from this Host |
Trigger | = <> |
Compare against Trigger which generated event. = - event generated by this Trigger <> - event generated by other Trigger |
Trigger description (name) | like not like |
Compare against Trigger Name which generated event. like - String can be found in Trigger Name. Case sensitive. not like - String cannot be found in Trigger Name. Case sensitive. Note: Entered value will be compared to trigger description (name) with all macros expanded. |
Trigger severity | = <> >= <= |
Compare with Trigger Severity. = - equal to trigger severity <> - not equal to trigger severity >= - more or equal to trigger severity <= - less or equal to trigger severity |
Trigger value | = | Compare with Trigger Value. = - equal to trigger value (OK or PROBLEM) |
Time period in | in | Event is within time period. in - event time matches the time period. See Time period specification page for description of the format. |
Maintenance status | = <> |
Check if host is in maintenance. = - Host is in maintenance mode. <> - Host is not in maintenance mode. |
Trigger value:
Trigger changes status from OK to PROBLEM (trigger value is PROBLEM) Trigger changes status from PROBLEM to OK (trigger value is OK)
Status change OK→UNKNOWN→PROBLEM is treated as OK→PROBLEM, and PROBLEM→UNKNOWN→OK as PROBLEM→OK.
The following conditions can be defined for Discovery based events:
Condition type | Supported operators | Description |
---|---|---|
Host IP | = <> |
Check if IP address of a discovered Host is or is not in the range of IP addresses. = - Host IP is in the range <> - Host IP is out of the range |
Service type | = <> |
Check if a discovered service. = - matches discovered service <> - event came from a different service |
Service port | = <> |
Check if TCP port number of a discovered service is or is not in the range of ports. = - service port is in the range <> - service port is out of the range |
Discovery status | = | Up - matches Host Up and Service Up events Down - matches Host Down and Service Down events |
Uptime/Downtime | >= <= |
Downtime for Host Down and Service Down events. Uptime for Host Up and Service Up events. >= - uptime/downtime is more or equal <= - uptime/downtime is less or equal. Parameter is given in seconds. |
Received value | = <> >= <= like not like |
Compare with value received from an agent (Zabbix, SNMP). String comparison. = - equal to the value <> - not equal to the value >= - more or equal to the value <= - less or equal to the value like - has a substring not like - does not have a substring. Parameter is given as a string. |
For example this set of conditions (calculation type: AND/OR):
is evaluated as
(Host group = Oracle servers or Host group = MySQL servers) and (Trigger name like 'Database is down' or Trigger name like 'Database is unavailable')
Operation or a set of operations is executed when event matches conditions.
Zabbix supports the following operations:
To successfully receive and read e-mails from Zabbix, e-mail servers/clients must support standard 'SMTP/MIME e-mail' format since Zabbix sends UTF-8 data. Starting from 1.8.2 the subject and the body of the message are base64-encoded to follow 'SMTP/MIME e-mail' format standard.
Starting with 1.8.3, if the subject contains ASCII characters only, it is not UTF-8 encoded.
Additional operations available for discovery events:
When adding a host, its name is decided by standard gethostbyname function. If the host can be resolved, resolved name is used. If not, IP address is used. Besides, if IPv6 address must be used for a host name, then all ":" (colons) are replaced by "_" (underscores), since ":" (colons) are not allowed in host names.
If performing discovery by a proxy, currently hostname lookup still takes place on Zabbix server.
If a host exists in Zabbix configuration with the same name as a newly discovered one, versions of Zabbix prior to 1.8 would add another host with the same name. Zabbix 1.8.1 and later adds _N to the hostname, where N is increasing number, starting with 2.
Operation attributes:
Parameter | Description |
---|---|
Step | If escalation is enabled for this action, escalation settings: From - execute for each step starting from this one To - till this (0, for all steps starting from From) Period - increase step number after this period, 0 - use default period. |
Operation type | Type of action: Send message - send message to user Execute command - execute remote command |
Event Source | |
Send message to | Send message to: Single user - a single user User group - to all members of a group |
Default message | If selected, default message will be used. |
Subject | Subject of the message. The subject may contain macros. |
Message | The message itself. The message may contain macros. |
Remote command | List of remote commands. |
Starting from 1.6.2, Zabbix sends notifications only to those users, which have read permissions to a host (trigger), which generated the event. At least one host of a trigger expression must be accessible.
As with some triggers event generation can be defined for every PROBLEM evaluation of the trigger, it is worthy of note that if escalations are defined for actions on these events, the execution of each new escalation supersedes the previous escalation, but for at least one escalation step that is always executed on the previous escalation.
The macros can be used for more efficient reporting.
Subject:
Message subject will be replaced by something like:
Message:
The message will be replaced by something like:
Message:
Latest value: {{HOSTNAME}:{TRIGGER.KEY}.last(0)}
MAX for 15 minutes: {{HOSTNAME}:{TRIGGER.KEY}.max(900)}
MIN for 15 minutes: {{HOSTNAME}:{TRIGGER.KEY}.min(900)}
The message will be replaced by something like: