Trigger when specific user logs in (Win)
  • gian72

    #1

    Trigger when specific user logs in (Win)

    Hi all, I've been working all day and have come to no solution...

    What I'm trying to do is to trigger an alert when a user (administrator) logs on to a Windows machine.

    So what I've done till now:
    Configured zabbix_agentd.conf: inserted the hostname
    Created an item: Eventlog Security with type zabbix agent (active), key eventlog[Security], type of information Log
    Created various triggers like these two:
    ({__Server.Win32:eventlog[Security].str(Successful Logon: User Name: administrator)}=1)

    ({__Server.Win32:eventlog[Security].logsource(Security)}=1)&({__Server.Win32:eventlog[Security].str(Successful Network Logon: User Name: administrator)}=1)


    In the received data I can see:

    [2009.Aug.07 15:52:22] 2009.Aug.07 15:52:19 Security Unknown Successful Logon: User Name: administrator

    So I supposed that when the user administrator logs in it should fire a trigger, but the trigger always remains in the FALSE state.

    Has someone solved this problem?

    Thanks in advance for any help, Gianluca
  • gian72

    #2
    Hi, has nobody had this type of problem?
    Thanks, Gianluca

    • claudio

      #3
      Ciao Gianluca,
      we're facing a similar issue, but we're actually trying to filter the log at the agent level (so we can reduce network traffic). Same issue: the regexp is not working. Running the agent in debug mode and snooping in the JSON version, it seems that there are many new lines and carriage returns.
      I don't know if that's the issue, but if you have any update please let me know.

      EDIT: I just discovered that matching is performed with the REG_NEWLINE Flags, which should:
      " Allow anchors to match after newline characters in the string and prevents . or [^...] from matching newlines. " which at least for our purpose seems to be interesting.
      Last edited by claudio; 04-09-2009, 17:16.
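      The multi-line problem claudio describes, as an added example that is not from this thread: the constructed message below imitates a Windows Security "Successful Logon" event with tab- and CR/LF-separated fields (layout assumed, not captured from a real host), shows why a flat substring check like the str() pattern above fails on it while it passes on the whitespace-collapsed text a web page would display (assumption about the frontend), and instead checks the event field by field, plus a per-line regexp that works under REG_NEWLINE semantics (Python's re.MULTILINE stands in for it here).

```python
import re

# Constructed sample: a Windows Security "Successful Logon" message as the agent
# would forward it, with tab- and CR/LF-separated fields (layout assumed, not captured).
SAMPLE_EVENT = (
    "Successful Logon:\r\n"
    "\tUser Name:\tadministrator\r\n"
    "\tDomain:\tWIN32SRV\r\n"
    "\tLogon ID:\t(0x0,0x3E7)\r\n"
    "\tLogon Type:\t2\r\n"
    "\tLogon Process:\tUser32\r\n"
)

def naive_match(message, needle="Successful Logon: User Name: administrator"):
    """The flat-string assumption behind the str() trigger pattern: 1 if found, else 0."""
    return 1 if needle in message else 0

def frontend_view(message):
    """Whitespace collapsed into single spaces, as a web page would render the raw text."""
    return " ".join(message.split())

def parse_logon_event(message):
    """Split a multi-line Security event into {field: value}; the first line is the event title."""
    lines = [ln.strip() for ln in message.splitlines() if ln.strip()]
    if not lines:
        return None
    fields = {"Event": lines[0].rstrip(":")}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def is_admin_logon(message, user="administrator", interactive_only=True):
    """Field-based check: successful logon by `user`, optionally only Logon Type 2 (interactive)."""
    f = parse_logon_event(message)
    if not f or not f["Event"].startswith("Successful"):
        return False
    if f.get("User Name", "").lower() != user.lower():
        return False
    return not interactive_only or f.get("Logon Type") == "2"

# Per-line pattern that still matches under REG_NEWLINE semantics (re.MULTILINE here):
# ^ and $ anchor at each line, so the field is matched on its own line, never across lines.
ADMIN_LINE_RE = re.compile(r"^\s*User Name:\s*administrator\s*$", re.MULTILINE | re.IGNORECASE)

def regexp_match(message):
    """1 if the per-line pattern matches anywhere in the message, else 0."""
    return 1 if ADMIN_LINE_RE.search(message) else 0
```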


      • gian72

        #4
        Thanks claudio.
        Can you provide me with some more details?
        I'm trying it with this solution, but it does not work:
        1) created a VBScript that tells me who is online:

        Code:
        strComputer = "."   ' use "." for the local computer

        ' Connect to the WMI service on the target machine
        Set objWMI = GetObject("winmgmts:" _
                      & "{impersonationLevel=impersonate}!\\" _
                      & strComputer & "\root\cimv2")

        ' LogonType = 2 selects interactive (console) logon sessions only
        Set colSessions = objWMI.ExecQuery _
            ("Select * from Win32_LogonSession Where LogonType = 2")

        If colSessions.Count = 0 Then
           Wscript.Echo "Nessun utente trovato - No user logged on"
        Else
           For Each objSession in colSessions
             ' Follow the Win32_LoggedOnUser association to the account behind each session
             Set colList = objWMI.ExecQuery("Associators of " _
                 & "{Win32_LogonSession.LogonId=" & objSession.LogonId & "} " _
                 & "Where AssocClass=Win32_LoggedOnUser Role=Dependent" )
             For Each objItem in colList
               WScript.Echo objItem.Name & " è online - is online"
             Next
           Next
        End If
        2) created in zabbix_agentd.conf an entry like this:
        Code:
        UserParameter=useronline,%systemroot%\system32\cscript.exe /nologo c:\programmi\zabbix\scripts\user.vbs

        but calling the "useronline" function from Zabbix does not fire a trigger...

        Thanks, Gianluca


        • claudio

          #5
          Oh well, it looks like a quite different issue actually.
          What is the output of the call itself? (You can easily tell by enabling full debugging on the agent; it will log whatever it is returning to the server in JSON format.)
