Hey guys. I would like to know what you would use as an item and trigger for an intrusion detection in a way that I would like to detect logon errors on my domain controllers.
The event id is 4771 and is already being processed. I need to know what you guys would use as the trigger for this.
Let's say I would like to be alerted when this specific event id occurs 10 times or more in 10 minutes, and then how would you clear it.
Item:
Zabbix agent active
Log
eventlog[Security,,"Failure Audit"]
Trigger:
Should filter on event id 4771
Should count the number of occurrences in X time
Should clear after
Thanks a lot.
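As an added example (not part of the original post), a small Python model of the trigger logic being asked for: a sliding 10-minute window over event id 4771 that goes to PROBLEM at 10 occurrences and back to OK once the oldest failures age out, which is what a Zabbix count() function over the last 10m of the log item evaluates. The log records, timestamps and the 4624 "unrelated event" are constructed sample data.

```python
from collections import deque

class FailedLogonTrigger:
    """Sliding-window trigger: PROBLEM when at least `threshold` events with
    `event_id` fall inside the last `window` seconds, OK once they age out.
    Same idea as a count()-over-time trigger on a Zabbix log item."""

    def __init__(self, event_id=4771, threshold=10, window=600):
        self.event_id = event_id
        self.threshold = threshold
        self.window = window
        self.recent = deque()    # timestamps of matching events still inside the window
        self.state = "OK"
        self.transitions = []    # (timestamp, new_state): the alert/clear history

    def _evaluate(self, now):
        # Drop events that have aged out of the window, then compare against the threshold.
        while self.recent and now - self.recent[0] >= self.window:
            self.recent.popleft()
        new_state = "PROBLEM" if len(self.recent) >= self.threshold else "OK"
        if new_state != self.state:
            self.state = new_state
            self.transitions.append((now, new_state))
        return self.state

    def feed(self, timestamp, event_id):
        """Call once per Security log record the agent forwards (timestamp in seconds)."""
        if event_id == self.event_id:
            self.recent.append(timestamp)
        return self._evaluate(timestamp)

    def tick(self, now):
        """Periodic re-check so the trigger clears even if no further records arrive."""
        return self._evaluate(now)


def run_demo():
    """Constructed sample: 9 failures (4771) 30 s apart, one unrelated record,
    then a 10th failure at 300 s; returns the PROBLEM/OK transition history."""
    trig = FailedLogonTrigger()
    records = [(30 * i, 4771) for i in range(9)]    # t = 0 .. 240 s
    records.append((270, 4624))                      # successful logon: not counted
    records.append((300, 4771))                      # 10th failure inside 10 minutes
    for ts, eid in records:
        trig.feed(ts, eid)
    trig.tick(540)    # 9 minutes in: the t=0 failure is still inside the window
    trig.tick(600)    # 10 minutes in: the t=0 failure ages out, only 9 remain
    return trig.transitions   # [(300, 'PROBLEM'), (600, 'OK')]
```

The tick() re-check is the part that clears the alert without waiting for another failure to arrive; the trigger stays in PROBLEM as long as 10 or more failures remain inside the window.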