This guide explains how to monitor Windows event logs with Zabbix using active checks. With Zabbix Windows-specific item keys, you can collect and analyze critical events (such as failed logon attempts, system errors, etc.) in real time.
Who this guide is for
This guide is designed for new Zabbix users and network administrators who want to monitor Windows event logs. For advanced configuration options, refer to the Windows-specific item keys documentation.
Prerequisites
Before proceeding with this guide, you need to download and install Zabbix server and Zabbix frontend according to the instructions for your OS. You also need Zabbix agent downloaded and installed on the Windows machine you want to monitor.
1. Open zabbix_agentd.conf
(default path C:\Program Files\Zabbix Agent\zabbix_agentd.conf
) on your Windows host and ensure that the ServerActive parameter is set to the IP address of your Zabbix server, and the Hostname parameter matches the host name that will be defined in Zabbix frontend. This enables the agent to request active checks for its host and from the specified Zabbix server. For example:
2. Restart Zabbix agent service to apply the changes:
3. Check that the Windows host is running:
1. Navigate to Data collection > Hosts and create a host:
In the Templates field you may add the "Windows by Zabbix agent active" template to help you troubleshoot by observing whether other active items on the same host are updating.
2. Create a new item with the following parameters:
skip
parameter), enter the following item key: eventlog[Security,,,,4625,,skip]
3. Click Add to save the item.
Congratulations! Zabbix is now set up to collect your Windows event logs. To verify that event logs are being collected, you can test the "Security log: failed logon events" item by logging out of your Windows account and attempting to log in using incorrect credentials.
Then, view the collected logs in Zabbix frontend:
1. Navigate to Monitoring > Latest data in Zabbix frontend.
2. Filter by your "MyWindowsHost" host in the Name field.
3. Click History to view recorded log values.
4. If log values are absent, proceed to the Troubleshooting section of the guide.
This guide provides basic configuration steps for sending email alerts.
1. Navigate to User settings > Profile, switch to the Media tab and add your email.
2. Follow the guide for Receiving a problem notification.
Next time, when Zabbix detects a problem, you should receive an alert via email.
If you encounter issues with collecting or viewing Windows event logs, use the tips below to identify and resolve common problems:
1. On Zabbix server (Linux) list your iptables rules with the following command:
and verify there’s an ACCEPT rule for TCP port 10051.
2. Make sure your eventlog[...]
key uses the exact log name (case-sensitive), event ID, mode (e.g. skip) and other parameters exactly as shown in the Windows-specific item keys.
See also: