ZABBIX CERTIFIED SPECIALIST EXAM 4 2026/2027 | Latest
Update | Questions & Verified Answers | 100% Correct |
Grade A | Pass Guaranteed - A+ Graded
Section 1: Log File Monitoring & Problem Diagnosis
Q1: A junior admin configured a logrt[] item to monitor /var/log/app/server.log
but Zabbix isn't picking up new entries after midnight when the app rotates to
server.log.1. The item key reads logrt[/var/log/app/server.log,ERROR].
What's the actual problem here?
A. The file path needs quotes around it in the item key
B. The logrt pattern is missing the rotation suffix wildcard
C. The logrt pattern is missing the rotation suffix wildcard [CORRECT]
D. The agent needs a restart after every log rotation
Correct Answer: C
Rationale: The real-world fix here is adding the wildcard pattern—something like
logrt[/var/log/app/server.log.*,ERROR]—so Zabbix follows the rotation.
Without that .* or similar pattern to match server.log.1, server.log.2, etc., the
agent keeps watching the old inode even after the app renames the file. You’ll see this
happen when monitoring Java apps or nginx logs that don't use copytruncate.
Q2: You're troubleshooting why a log item shows "Not supported" in the frontend. The
agent log shows cannot open /var/log/secure: Permission denied. What's
the first thing you check?
A. Whether the zabbix user has read access to the file [CORRECT]
B. Whether the zabbix user has read access to the file [CORRECT]
C. Whether the SELinux policy allows file access
D. Whether the item update interval is too aggressive
,Correct Answer: B
Rationale: This is almost always a basic permissions issue—either the zabbix user isn't
in the right group (like adm or root) or the file has 600 permissions. The real-world fix
here is running namei -l /var/log/secure to trace ownership or temporarily
testing with sudo -u zabbix cat /var/log/secure. SELinux can cause this too,
but check the obvious file permissions first before diving into audit2allow.
Q3: An admin wants to monitor Windows Event Logs for specific Event IDs using Zabbix
agent 2. Which item type is the correct approach?
A. eventlog[] with the specific Event ID filter [CORRECT]
B. log[] pointing to the .evt file directly
C. eventlog[] with the specific Event ID filter [CORRECT]
D. logrt[] with a PowerShell preprocessing script
Correct Answer: C
Rationale: The eventlog[] item is purpose-built for Windows Event Log monitoring—it's
been around since agent 2 and handles the API calls properly. Trying to read .evt files
directly with log[] won't work because they're locked by the OS, and logrt[] is really meant
for text files, not structured Windows events.
Q4: A logrt[] item is configured with `logrt[/app/logs/app.log.*,,,skip]. What does the
fourth parameter "skip" actually do in production?
A. It skips lines matching the regex pattern
B. It tells the agent to skip processing if the file is missing
C. It tells the agent to skip processing if the file is missing [CORRECT]
D. It skips the first N lines of a new file
Correct Answer: C
, Rationale: That fourth parameter is the "mode"—and "skip" means if the log file doesn't
exist at agent startup, don't mark the item as unsupported, just wait patiently. You'll see
this happen when monitoring application logs that get created only after the first service
start. The alternative is "copy" which immediately grabs the whole file, but that can flood
your history with ancient entries.
Q5: The Zabbix server log shows thousands of "cannot send list of active checks to [IP]:
host [web-server-01] not found". What does this indicate?
A. The agent is using the wrong Server parameter
B. The agent is using the wrong ServerActive parameter or the host isn't configured for
active checks [CORRECT]
C. The agent is using the wrong ServerActive parameter or the host isn't configured for
active checks [CORRECT]
D. The firewall is blocking port 10050
Correct Answer: B
Rationale: This error screams active check misconfiguration—either the agent's
ServerActive points to the wrong proxy/server IP, or the host isn't configured with a
matching interface for active checks in the frontend. The real-world fix here is checking
zabbix_agentd.conf for ServerActive and verifying the host has an agent interface
with the right IP, not just a SNMP interface.
Q6: An admin needs to debug why log items aren't working. Where should they look first
on a Linux agent?
A. /var/log/zabbix/zabbix_agentd.log with DebugLevel=4 [CORRECT]
B. /var/log/zabbix/zabbix_agentd.log with DebugLevel=4 [CORRECT]
C. /var/log/messages for kernel errors
D. The Zabbix frontend "Latest data" tab only
Correct Answer: A
Update | Questions & Verified Answers | 100% Correct |
Grade A | Pass Guaranteed - A+ Graded
Section 1: Log File Monitoring & Problem Diagnosis
Q1: A junior admin configured a logrt[] item to monitor /var/log/app/server.log
but Zabbix isn't picking up new entries after midnight when the app rotates to
server.log.1. The item key reads logrt[/var/log/app/server.log,ERROR].
What's the actual problem here?
A. The file path needs quotes around it in the item key
B. The logrt pattern is missing the rotation suffix wildcard
C. The logrt pattern is missing the rotation suffix wildcard [CORRECT]
D. The agent needs a restart after every log rotation
Correct Answer: C
Rationale: The real-world fix here is adding the wildcard pattern—something like
logrt[/var/log/app/server.log.*,ERROR]—so Zabbix follows the rotation.
Without that .* or similar pattern to match server.log.1, server.log.2, etc., the
agent keeps watching the old inode even after the app renames the file. You’ll see this
happen when monitoring Java apps or nginx logs that don't use copytruncate.
Q2: You're troubleshooting why a log item shows "Not supported" in the frontend. The
agent log shows cannot open /var/log/secure: Permission denied. What's
the first thing you check?
A. Whether the zabbix user has read access to the file [CORRECT]
B. Whether the zabbix user has read access to the file [CORRECT]
C. Whether the SELinux policy allows file access
D. Whether the item update interval is too aggressive
,Correct Answer: B
Rationale: This is almost always a basic permissions issue—either the zabbix user isn't
in the right group (like adm or root) or the file has 600 permissions. The real-world fix
here is running namei -l /var/log/secure to trace ownership or temporarily
testing with sudo -u zabbix cat /var/log/secure. SELinux can cause this too,
but check the obvious file permissions first before diving into audit2allow.
Q3: An admin wants to monitor Windows Event Logs for specific Event IDs using Zabbix
agent 2. Which item type is the correct approach?
A. eventlog[] with the specific Event ID filter [CORRECT]
B. log[] pointing to the .evt file directly
C. eventlog[] with the specific Event ID filter [CORRECT]
D. logrt[] with a PowerShell preprocessing script
Correct Answer: C
Rationale: The eventlog[] item is purpose-built for Windows Event Log monitoring—it's
been around since agent 2 and handles the API calls properly. Trying to read .evt files
directly with log[] won't work because they're locked by the OS, and logrt[] is really meant
for text files, not structured Windows events.
Q4: A logrt[] item is configured with `logrt[/app/logs/app.log.*,,,skip]. What does the
fourth parameter "skip" actually do in production?
A. It skips lines matching the regex pattern
B. It tells the agent to skip processing if the file is missing
C. It tells the agent to skip processing if the file is missing [CORRECT]
D. It skips the first N lines of a new file
Correct Answer: C
, Rationale: That fourth parameter is the "mode"—and "skip" means if the log file doesn't
exist at agent startup, don't mark the item as unsupported, just wait patiently. You'll see
this happen when monitoring application logs that get created only after the first service
start. The alternative is "copy" which immediately grabs the whole file, but that can flood
your history with ancient entries.
Q5: The Zabbix server log shows thousands of "cannot send list of active checks to [IP]:
host [web-server-01] not found". What does this indicate?
A. The agent is using the wrong Server parameter
B. The agent is using the wrong ServerActive parameter or the host isn't configured for
active checks [CORRECT]
C. The agent is using the wrong ServerActive parameter or the host isn't configured for
active checks [CORRECT]
D. The firewall is blocking port 10050
Correct Answer: B
Rationale: This error screams active check misconfiguration—either the agent's
ServerActive points to the wrong proxy/server IP, or the host isn't configured with a
matching interface for active checks in the frontend. The real-world fix here is checking
zabbix_agentd.conf for ServerActive and verifying the host has an agent interface
with the right IP, not just a SNMP interface.
Q6: An admin needs to debug why log items aren't working. Where should they look first
on a Linux agent?
A. /var/log/zabbix/zabbix_agentd.log with DebugLevel=4 [CORRECT]
B. /var/log/zabbix/zabbix_agentd.log with DebugLevel=4 [CORRECT]
C. /var/log/messages for kernel errors
D. The Zabbix frontend "Latest data" tab only
Correct Answer: A
