Zabbix Event correlation rules


Zabbix event correlation rules allow you to correlate events from different sources and generate new events based on the correlation results. This can be useful for detecting complex problems that span multiple systems or for reducing the number of alerts that you need to respond to.

To create a Zabbix event correlation rule, you need to specify the following:

  • Name: The name of the correlation rule.
  • Conditions: The conditions that must be met in order for the correlation rule to fire.
  • Operations: The operations that should be performed when the correlation rule fires.

The conditions for a Zabbix event correlation rule can be based on the following:

  • Event type: The type of event.
  • Event source: The source of the event.
  • Event severity: The severity of the event.
  • Event message: The message of the event.

The operations for a Zabbix event correlation rule can be based on the following:

  • Generate new event: Generate a new event based on the correlation results.
  • Close event: Close the event that triggered the correlation rule.
  • Close matched old events: Close any matching old events that are still open.
  • Send email notification: Send an email notification about the correlation results.
  • Execute external script: Execute an external script based on the correlation results.

Once you have created a Zabbix event correlation rule, you need to enable it. To do this, go to the Configuration > Event correlation page and click the Enable checkbox next to the correlation rule.

Use Case Example:

Imagine you’re monitoring a network and you have separate triggers for detecting when a server goes down and when its primary application becomes unresponsive. If the server goes down, the application obviously won’t respond. Without event correlation, you’d get two alerts: one for the server and one for the application. However, with event correlation, you can set a rule to close the application event if a server-down event occurs for the same server. This way, you get a single alert about the root cause (the server going down) and avoid the noise of the related alert (application unresponsive).
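The use case above, modeled as an added example (a toy Python model written for this page, not Zabbix code or its API). It assumes each event carries constructed `host` and `scope` tags, and it shows that two rules are needed because the server and application problems can arrive in either order.

```python
from dataclasses import dataclass

@dataclass
class Event:
    name: str
    tags: dict            # constructed tag names: "host" and "scope"
    is_open: bool = True

@dataclass
class Rule:
    old_tags: dict        # tags an already-open (old) event must carry
    new_tags: dict        # tags the incoming (new) event must carry
    pair_tag: str         # tag whose value must be equal on both events
    close: str            # which side the operation closes: "old" or "new"

def has_tags(event, wanted):
    return all(event.tags.get(k) == v for k, v in wanted.items())

def correlate(rules, open_events, new):
    """Apply every rule to an incoming problem event; return names closed."""
    closed = []
    for rule in rules:
        key = new.tags.get(rule.pair_tag)
        if key is None or not has_tags(new, rule.new_tags):
            continue
        for old in open_events:
            if old.is_open and has_tags(old, {**rule.old_tags, rule.pair_tag: key}):
                target = old if rule.close == "old" else new
                if target.is_open:
                    target.is_open = False
                    closed.append(target.name)
    open_events.append(new)
    return closed

# Two rules, because the two problems can arrive in either order.
RULES = [
    Rule({"scope": "application"}, {"scope": "server"}, "host", "old"),
    Rule({"scope": "server"}, {"scope": "application"}, "host", "new"),
]

def still_open(events):
    """Feed events through RULES in arrival order; return names left open."""
    seen = []
    for event in events:
        correlate(RULES, seen, event)
    return [e.name for e in seen if e.is_open]
```

Passing `still_open` an application event followed by a server-down event on the same host, or the same two in reverse order, leaves only the server-down event open; a server-down event on a different host closes nothing.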

Here is an example of a simple Zabbix event correlation rule:

Name: Web server down
Conditions:
- Event type: Web server down
- Event source: Web server host
Operations:
- Generate new event: High priority event with the message "Web server is down"

This correlation rule will generate a new high priority event with the message “Web server is down” whenever an event of the type “Web server down” is received from the web server host.

You can create more complex Zabbix event correlation rules to detect more complex problems. For example, you could create a correlation rule to detect a denial-of-service attack on your web servers. This correlation rule could look for events such as a high number of failed login attempts or a high volume of traffic from a single IP address.

Benefits of using Zabbix event correlation rules

  • Zabbix event correlation rules can help you to detect complex problems that span multiple systems.
  • Zabbix event correlation rules can help you to reduce the number of alerts that you need to respond to.
  • Zabbix event correlation rules can help you to improve the overall responsiveness of your monitoring system.

Here’s how to set up event correlation rules in Zabbix:

1. Navigate to Event Correlation:

  • Go to Configuration and select Event correlation.

2. Create a New Correlation Rule:

  • Click on Create correlation rule.

3. Define the Event Source:

  • Under Source, you can choose between Trigger event and Internal event. Most often, you’ll use Trigger event.

4. Define the Conditions:

  • Here, you specify what circumstances must be met for the correlation rule to take effect.
  • For instance, you can set conditions based on:
    • Event tag name and value.
    • New severity.
    • Old severity.
    • Event ID.
    • and more.

5. Define the Operations:

  • Here’s where you define what should happen when the conditions are met.
  • Operations might include:
    • Close event.
    • Close all related events.
    • Add a message to an event.

6. Save the Rule:

  • Once you’ve defined the conditions and operations for your correlation rule, click Add to save it.
Rajesh Kumar