Zabbix Server
Zabbix Server events covering all five event sources: trigger problems and recoveries, operator acknowledgments, network discovery, active agent autoregistration, and internal state changes. Includes correlated problem-recovery chains with monotonically increasing event IDs, weighted severity distribution across six Zabbix severity levels, and ECS-compatible JSON output.
Quick Start
```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/monitoring-zabbix/generator.yml \
  --id monitoring-zabbix \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| trigger-problem | Trigger problem — new alerts from threshold breaches | 40% | host |
| trigger-recovery | Trigger recovery — resolved problems with correlated IDs | 25% | host |
| acknowledge | Acknowledgment — operator actions on open problems | 15% | process |
| internal | Internal event — unsupported items, unknown triggers, failed LLD | 10% | host |
| discovery | Network discovery — host/service up/down from scheduled scans | 7% | network |
| autoregistration | Autoregistration — new agents joining monitored infrastructure | 3% | host |
Realism Features
- Problem-recovery correlation via shared state pool with matching trigger IDs and calculated durations
- Monotonically increasing event IDs via shared counter across all event types
- 15 trigger scenarios covering CPU, memory, disk, network, service availability, agent connectivity, MySQL, I/O wait, SSL, temperature, swap, and process count
- Weighted severity distribution across all six Zabbix levels (Not classified through Disaster)
- Operator workflow simulation with six action types: acknowledge, add message, change severity, close, suppress, unsuppress
- Internal event subtypes: unsupported items (50%), unknown triggers (30%), failed LLD rules (20%)
- Network discovery with Zabbix agent, ICMP, TCP, and SNMPv2 check types
- 20 monitored hosts across Linux servers, Windows servers, workstations, and network devices
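The problem-recovery correlation and monotonic event IDs listed above are invariants a consumer can verify before trusting the stream in a detection pipeline. The following is an added example, not code from the content pack: it reads the ECS-style events in NDJSON form and checks that event IDs only increase, that every trigger recovery (`zabbix.event.value` 0) closes an open problem on the same `objectid`, and that `problem_duration` equals the elapsed seconds since that problem. The sample lines, the recovery event shape and the meaning of `problem_duration` in seconds are constructed assumptions modelled on the Sample Output below.

```python
import json
from datetime import datetime

# Constructed NDJSON sample, not generator output. It follows the ECS layout of
# the Sample Output: a problem on trigger 13500, an unrelated problem on 13501,
# then the recovery for 13500 nine minutes later. Assumed recovery shape: same
# objectid, zabbix.event.value 0, problem_duration in whole seconds.
SAMPLE_NDJSON = """
{"@timestamp": "2026-03-07T14:22:31.456Z", "zabbix": {"event": {"eventid": 5000042, "source": 0, "objectid": "13500", "value": 1, "problem_duration": 0}}}
{"@timestamp": "2026-03-07T14:25:00.000Z", "zabbix": {"event": {"eventid": 5000043, "source": 0, "objectid": "13501", "value": 1, "problem_duration": 0}}}
{"@timestamp": "2026-03-07T14:31:31.456Z", "zabbix": {"event": {"eventid": 5000044, "source": 0, "objectid": "13500", "value": 0, "problem_duration": 540}}}
"""


def parse_ndjson(text):
    """Parse one JSON document per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_correlation(events):
    """Return (violations, open_problems) for a stream of Zabbix ECS events.

    violations is a list of strings (empty when the stream is consistent);
    open_problems maps objectid -> eventid of problems not yet recovered.
    """
    violations = []
    open_problems = {}          # objectid -> (eventid, problem timestamp)
    last_eventid = None
    for ev in events:
        z = ev["zabbix"]["event"]
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        # eventid must increase across the whole stream, whatever the source
        if last_eventid is not None and z["eventid"] <= last_eventid:
            violations.append(f"eventid {z['eventid']} not greater than {last_eventid}")
        last_eventid = z["eventid"]
        if z["source"] != 0:    # only trigger events form problem/recovery pairs
            continue
        if z["value"] == 1:     # PROBLEM: remember it by trigger id
            open_problems[z["objectid"]] = (z["eventid"], ts)
        elif z["value"] == 0:   # OK: must close a problem on the same trigger
            opened = open_problems.pop(z["objectid"], None)
            if opened is None:
                violations.append(f"recovery {z['eventid']} has no open problem on trigger {z['objectid']}")
                continue
            expected = int((ts - opened[1]).total_seconds())
            if z.get("problem_duration") != expected:
                violations.append(f"recovery {z['eventid']}: problem_duration {z.get('problem_duration')} != {expected}")
    return violations, {k: v[0] for k, v in open_problems.items()}
```

Running `check_correlation(parse_ndjson(SAMPLE_NDJSON))` on the constructed stream reports no violations and leaves trigger 13501 open; feeding it real generator output in live mode is the quickest way to confirm a SIEM ingest has not reordered or dropped events.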
Sample Output
```json
{
  "@timestamp": "2026-03-07T14:22:31.456Z",
  "event": {
    "kind": "alert",
    "module": "zabbix",
    "dataset": "zabbix.events",
    "category": ["host"],
    "type": ["info"],
    "severity": 8,
    "outcome": "success",
    "timezone": "UTC",
    "created": "2026-03-07T14:22:31.456Z"
  },
  "message": "High CPU utilization on SRV-WEB01",
  "observer": {
    "vendor": "Zabbix",
    "product": "Zabbix Server",
    "version": "7.0.6",
    "hostname": "zabbix-srv01",
    "ip": ["10.1.0.5"]
  },
  "zabbix": {
    "event": {
      "eventid": 5000042,
      "source": 0,
      "object": 0,
      "objectid": "13500",
      "value": 1,
      "acknowledged": false,
      "severity": 4,
      "severity_name": "High",
      "name": "High CPU utilization on SRV-WEB01",
      "opdata": "CPU: {ITEM.LASTVALUE1}%",
      "suppressed": false,
      "problem_duration": 0
    },
    "trigger": {
      "triggerid": "13500",
      "description": "High CPU utilization on {HOST.NAME}",
      "expression": "avg(/host/system.cpu.util,5m)>90",
      "priority": 4,
      "priority_name": "High",
      "status": "enabled",
      "value": 1,
      "tags": [
        {"tag": "scope", "value": "performance"},
        {"tag": "component", "value": "cpu"}
      ]
    },
    "host": {
      "hostid": "10084",
      "host": "SRV-WEB01",
      "host_group": "Linux servers/Web"
    },
    "item": {
      "name": "CPU utilization",
      "key_": "system.cpu.util"
    }
  },
  "host": {
    "hostname": "SRV-WEB01",
    "ip": ["10.1.2.20"],
    "os": {
      "name": "Linux",
      "version": "Ubuntu 22.04"
    }
  },
  "agent": {
    "type": "zabbix-agent",
    "version": "7.0.6"
  },
  "related": {
    "hosts": ["SRV-WEB01"],
    "ip": ["10.1.2.20"]
  }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| zabbix_server | zabbix-srv01 | Zabbix server hostname |
| zabbix_server_ip | 10.1.0.5 | Zabbix server IP address |
| zabbix_version | 7.0.6 | Zabbix server version |
| agent_version | 7.0.6 | Default Zabbix agent version |
Related Generators
Windows Security Event Log
The Security channel of Windows Event Log — logon/logoff sessions, process creation, privilege escalation, account management, and audit policy changes from a 120-host Active Directory fleet.
Cisco ASA Firewall
Cisco ASA adaptive security appliance syslog — TCP/UDP/ICMP connection lifecycle, ACL permit/deny decisions, NAT translations, VPN tunnel events, and failover status messages.
Nginx Access & Error Logs
Nginx reverse proxy and web server — access logs with upstream timing, error logs with module context, bot/crawler traffic, scanner probes, and correlated 4xx/5xx error entries.