The Problem With Zabbix Action Escalation
Your Zabbix trigger fires at 2 AM. The action sends a notification to the on-call engineer. Nobody responds. Zabbix dutifully runs through its escalation steps — and sends the same notification again. Maybe it copies in a second email address. The engineer is still asleep, the email inbox is still silent, and your database is still down.
This is the gap in Zabbix's native escalation model. The platform is excellent at detecting problems and firing actions, but the escalation steps inside a Zabbix action are really just repeated notification attempts to a fixed list of contacts. There is no concept of "if nobody acknowledged this within 15 minutes, wake up someone different." That logic has to live somewhere else.
This article shows you how to close that gap by routing Zabbix alerts through Alert24, which handles the acknowledgment tracking and true multi-tier escalation while Zabbix keeps doing what it does best: monitoring.
What Zabbix Action Escalation Actually Does
Before wiring anything up, it helps to be precise about what Zabbix gives you out of the box.
In Zabbix, an action has a sequence of operations and recovery operations. You can add escalation steps that fire at defined intervals — say, step 1 at 0 minutes, step 2 at 15 minutes, step 3 at 30 minutes. Each step can send a message to a user, a user group, or run a remote command.
The step-based model looks like escalation, but it has a critical limitation: Zabbix has no acknowledgment gate between steps. Steps run on their schedule regardless of whether anyone responded. You can configure "stop escalation on acknowledgment" at the trigger level, but this only prevents further steps if someone logs into Zabbix and manually acknowledges the event. An SMS reply, a phone call, a Slack reaction — none of those count to Zabbix.
What you actually need is:
- Notify person A on channel X
- If person A does not acknowledge within N minutes, notify person B on channel Y (possibly phone call, not just email)
- If neither acknowledges, notify person C and optionally page a manager
- Track all of this with a single incident record so nobody duplicates work
That is incident management, not just notification. Zabbix is not designed to do it. Alert24 is.
Architecture: Zabbix Fires, Alert24 Routes
The integration is straightforward. Zabbix sends alerts to Alert24 via webhook. Alert24 opens an incident, starts the escalation policy timer, and manages everything from there. Zabbix continues to resolve the trigger when the underlying problem clears, which Alert24 picks up to auto-resolve the incident.
Zabbix trigger fires
│
▼
Zabbix action → HTTP webhook → Alert24 ingest endpoint
│
▼
Alert24 opens incident
Notifies tier-1 on-call
│
[ 15 min timer starts ]
│
acknowledged? ──yes──► incident assigned, timer stops
│
no
│
▼
Escalates to tier-2
(different person, phone call)
│
[ 15 min timer restarts ]
│
acknowledged? ──yes──► escalation noted, incident continues
│
no
│
▼
Escalates to manager / broadcast
The key difference from native Zabbix escalation: the timer resets on each tier, and the next tier is a genuinely different person or group, contacted through a channel appropriate for urgency (voice call, SMS, push).
Step 1: Create a Webhook Media Type in Zabbix
In Zabbix 6.x and 7.x, navigate to Administration → Media types → Create media type and select type Webhook.
The script below sends the essential fields Alert24 needs to create and resolve incidents. Paste it into the script field:
var params = JSON.parse(value);
var req = new CurlHttpRequest();
req.AddHeader('Content-Type: application/json');
req.AddHeader('Authorization: Bearer ' + params.alert24_token);
var payload = JSON.stringify({
summary: params.subject,
severity: params.severity,
source: 'zabbix',
dedup_key: params.event_id,
status: params.event_value === '1' ? 'trigger' : 'resolve',
details: {
host: params.host,
trigger: params.trigger_name,
event_id: params.event_id
}
});
var url = 'https://api.alert24.com/v1/ingest/generic';
var response = req.Post(url, payload);
if (req.Status() !== 200 && req.Status() !== 201) {
throw 'Alert24 ingest failed: HTTP ' + req.Status() + ' ' + response;
}
return 'OK';
Add the following parameters to the media type (these become available as params.* in the script):
| Parameter | Value |
|---|---|
alert24_token |
Your Alert24 integration token |
subject |
{TRIGGER.NAME}: {HOST.NAME} |
severity |
{TRIGGER.NSEVERITY} |
event_id |
{EVENT.ID} |
event_value |
{EVENT.VALUE} (1 = problem, 0 = resolved) |
host |
{HOST.NAME} |
trigger_name |
{TRIGGER.NAME} |
Step 2: Assign the Media Type to a User
Create a dedicated Zabbix user (e.g., alert24-router) and assign the webhook media type to it. Use a generic severity threshold — you likely want Alert24 to receive everything from Warning upward and let Alert24's routing rules determine what actually pages someone.
This separation is intentional: Zabbix decides what is a problem, Alert24 decides who to wake up and when.
Step 3: Create the Zabbix Action
Create a new action under Configuration → Actions → Trigger actions. Set your filter conditions (host groups, severities, etc.) then add a single operation:
- Send message to user
alert24-router - Send only to: your Alert24 webhook media type
- Step 1, duration: 0 (immediate)
You do not need multiple escalation steps in Zabbix anymore. One step fires immediately, delivers the event to Alert24, and Alert24 handles everything that follows. This simplifies your Zabbix action configuration considerably.
Add a recovery operation using the same user and media type so Alert24 receives the resolve signal and closes the incident automatically.
Step 4: Configure Escalation Policy in Alert24
In Alert24, open your integration settings and create an escalation policy for your Zabbix integration:
- Tier 1: Notify on-call engineer via push notification and SMS. Wait 15 minutes.
- Tier 2: If unacknowledged, call the on-call engineer's phone and notify the secondary on-call via SMS. Wait 15 minutes.
- Tier 3: Notify the engineering manager and post to your incident Slack channel.
The on-call schedule rotates weekly, so the person in tier 1 on Monday night is different from the person on Thursday night. Zabbix has no concept of this rotation. Alert24 resolves it by consulting the active schedule at the moment the incident opens.
What "Acknowledged" Means Here
In Alert24, acknowledgment can come from:
- Replying to the SMS with a designated keyword
- Pressing a key on the voice call prompt
- Clicking acknowledge in the Alert24 mobile app or web console
- An API call from your runbook automation
Any of these stops the escalation timer. The incident stays open until someone resolves it, but no further paging happens.
Comparing the Two Approaches
| Capability | Zabbix native escalation | Zabbix + Alert24 |
|---|---|---|
| Notify multiple contacts on schedule | Yes | Yes |
| Different people per tier | Partial (user groups) | Yes, with on-call rotation |
| Different channels per tier (SMS → voice) | No | Yes |
| Acknowledgment gates escalation | Only via Zabbix UI | Any channel |
| On-call schedule rotation | No | Yes |
| Incident audit trail | Zabbix event log | Dedicated incident timeline |
| Auto-resolve on trigger clear | Yes | Yes (via resolve event) |
Next Steps
If you have an existing Zabbix installation, the integration takes about 30 minutes to set up end to end. Start with a single non-critical host group, verify that alerts open and resolve correctly in Alert24, then expand to production.
The webhook media type script above is intentionally minimal. You can extend it to pass tags, trigger URLs, or custom fields that appear in the Alert24 incident detail view — useful when your on-call engineer needs context fast.
From there, look at Alert24's status page feature. Once your incidents are tracked in one place, you have the data you need to publish a status page that reflects actual incident state rather than a manually updated spreadsheet.