Monitor a specific Windows Event Log
  • solutionssquad
    Junior Member
    • May 2012
    • 14

    #1

    Monitor a specific Windows Event Log

    Hi all,

    I have spent the last 3 hours with no luck finding out how to do this.
    I need to check the Windows Security Log for an Event ID 4624 with a logon type of 10.
    How would I go about doing this?

    Thanks much for your help.
  • Michael0
    Member
    • Jan 2013
    • 70

    #2
    I've also searched for this for 2 weeks; you can use the Zabbix agent (active) checks:

    .) create a new item
    .) choose Type: Zabbix agent (active)
    .) choose Key: eventlog[logtype,<pattern>,<severity>,<source>,<eventid>,<maxlines>,<mode>]



    For example, I want to monitor the windows "System" event logs with the severity "Warning" and event ID 123:

    eventlog[System,,Warning,,123]

    Then I set a trigger for this item:

    {servername:eventlog[System,,Warning,,123].logseverity(0)}=2 & {servername:eventlog[System,,Warning,,123].nodata(180)}#1


    So I will only get one zabbix alert when an event log entry with the event ID 123 was created.

    Hope this helps!


    • solutionssquad
      Junior Member
      • May 2012
      • 14

      #3
      That helped a lot actually!
      I was able to read a specific event ID.
      But I'm still trying to create a trigger for the time to only notify if the event contains specific items:
      "Logon Type: 10". or
      "A session was reconnected to a Window Station."
      That, I can't figure out.

      I have attached my actual Item.
      Last edited by solutionssquad; 15-07-2013, 19:35.


      • tchjts1
        Senior Member
        • May 2008
        • 1605

        #4
        The second parameter in your trigger (or key) string is for regexp. That would do what you want. In your trigger, note that regexp requires a case sensitive string, whereas iregexp is not case sensitive.

        See this in the wiki: https://www.zabbix.com/documentation...zabbix_agent?s[]=regexp


        • Michael0
          Member
          • Jan 2013
          • 70

          #5
          You can also try to use the pattern mode, to search for:

          eventlog[Security,"Logon Type: 10"]

          So the item will search for event logs in the Security log with "Logon Type: 10".


          • tchjts1
            Senior Member
            • May 2008
            • 1605

            #6
            As an example of how we use it to trigger on the application log if the scan engine crashes...


            Code:
            (({MYSERVER:eventlog[Application].iregexp("The Scan Engine has crashed")})#0)


            • solutionssquad
              Junior Member
              • May 2012
              • 14

              #7
              It worked!!!!
              Thank you so much.
              Now I just have to figure out how to get it to only alert me when a login occurs, not send a problem and an OK.


              • solutionssquad
                Junior Member
                • May 2012
                • 14

                #8
                Spoke too soon, it's also doing it for logon type 5.


                Code:
                (({Windows Event Logs:eventlog[Security,,,,4624].iregexp("Logon Type:			10")})#0)


                • tchjts1
                  Senior Member
                  • May 2008
                  • 1605

                  #9
                  Ok, maybe try using regexp instead of iregexp. The syntax you are looking for will have to be an exact match, including case sensitivity.

                  But in your example, why is there so much space here? Is that the way it appears in your system log?

                  Code:
                  "Logon Type:			10"


                  • solutionssquad
                    Junior Member
                    • May 2012
                    • 14

                    #10
                    That is how the event log has it.
                    Just changed to regex. Let's see how it goes.


                    • solutionssquad
                      Junior Member
                      • May 2012
                      • 14

                      #11
                      Bummer.
                      It's showing all logon types.


                      • JimBurns83
                        Junior Member
                        • Feb 2015
                        • 1

                        #12
                        Originally posted by solutionssquad
                        Bummer.
                        It's showing all logon types.
                        Could it be an issue with so many spaces? The regexp for multiple white space chars is \s+

                        So
                        Multiple Spaces

                        Becomes
                        Multiple\s+Spaces

                        Please note that \s and \S are exact opposite regexes

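To see the whitespace point from the post above in practice, here is an added Python example (not from the thread or from Zabbix) that runs the `\s+` pattern against constructed 4624 message bodies with the tab run that Event Viewer shows after "Logon Type:". It assumes a Zabbix version whose regexp engine accepts Perl-style `\s` and the `(?!\d)` lookahead; the `eventlog_key` helper is my own guess at how the pattern would be placed in the agent key from post #2.

```python
import re
from typing import Optional

# Constructed sample message bodies for Windows Security event 4624.
# Event Viewer separates "Logon Type:" from its value with a run of tabs,
# which is what the trigger in the thread had to match. Other fields trimmed.
EVENT_4624_RDP = (
    "An account was successfully logged on.\n"
    "\n"
    "Logon Type:\t\t\t10\n"
    "\n"
    "New Logon:\n"
    "\tAccount Name:\t\talice\n"
)
EVENT_4624_SERVICE = EVENT_4624_RDP.replace("Logon Type:\t\t\t10", "Logon Type:\t\t\t5")
EVENT_4624_INTERACTIVE = EVENT_4624_RDP.replace("Logon Type:\t\t\t10", "Logon Type:\t\t\t2")

# The single-space literal from post #5; it cannot match the tab run above.
LITERAL_SINGLE_SPACE = "Logon Type: 10"


def logon_type_pattern(logon_type: int) -> str:
    """Regexp for one exact logon type.

    \\s+ absorbs the tab/space run so the pattern survives copy-paste and
    tab-width differences; (?!\\d) stops "Logon Type:\\s+1" from also
    matching types 10 to 13.
    """
    return rf"Logon Type:\s+{logon_type}(?!\d)"


def matches_logon_type(message: str, logon_type: int) -> bool:
    """True if the event text contains exactly this logon type."""
    return re.search(logon_type_pattern(logon_type), message) is not None


def literal_matches(message: str, literal: str = LITERAL_SINGLE_SPACE) -> bool:
    """Whether a fixed literal (as pasted from the thread) matches the event."""
    return re.search(literal, message) is not None


def extract_logon_type(message: str) -> Optional[int]:
    """Return the logon type number from a 4624 message, or None if absent."""
    m = re.search(r"Logon Type:\s+(\d+)", message)
    return int(m.group(1)) if m else None


def eventlog_key(logon_type: int, event_id: int = 4624) -> str:
    """Assumed (not from the page) placement of the pattern in the agent key:
    eventlog[logtype,<pattern>,<severity>,<source>,<eventid>]."""
    return f'eventlog[Security,"{logon_type_pattern(logon_type)}",,,{event_id}]'
```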

                        • blinding
                          Junior Member
                          • May 2015
                          • 6

                          #13
                          I did this some time ago.

                          This is what I did to check user logon and logoff and display a nice view on screen.

                          Image 1: I create an event log item: check regular expression "@CustomUsername", and Event IDs 4624 and 4647, logon and logoff.

                          Image 2: shows the regular expressions, matching the username (in this case CustomUsername), and it should match logon type 10, type 2 and logoff, so I make sure it is the correct event from the correct user. Spaces are taken into consideration, so I copy from Event Viewer: "Logon Type: 10", and all the others. Logon type 10 is from the Remote Desktop client, logon type 2 is directly into the PC, so the correct spacing is set.

                          Image 3: I created a calculated item that looks for data from the Data customusername item, and specifically searches whether the data is a logoff; if it matches, the result is 1, but it is a subtraction, so 1-1 (because the expression is equal to 1 if the logoff is the last event) results in 0. If it is a logon, the result of this expression is 0, so 1-0 = 1.

                          Image 4: shows the value User LogOn Status: 0 is not logged in and 1 is logged in.

                          Image 5: shows how users are pulled from Event Viewer when logged off and logged on; check that it subtracts the data. So with the calculated item I display it nicely, as shown in image 6, which shows me whether the user is logged on or logged off.

                          Keep in mind: I created one calculated item for every user, and one login activity item for every user.
                          Last edited by blinding; 08-06-2015, 22:31.


                          • fabian.fasser
                            Junior Member
                            • Jun 2018
                            • 5

                            #14
                            Hi everybody.

                            I have the same problem with an eventlog item. I use a trigger to search the Application log to find every log entry with Event ID 9001 and a
                            source which starts with MSSQL*.

                            eventlog[Application,,,^MSSQL,^(9001)$,,]

                            The problem is it does not work. Could anybody help me?

                            Thanks a lot


                            • Jarne St
                              Member
                              • Sep 2019
                              • 63

                              #15
                              Hello

                              I am trying to do the same thing but on Windows XP.
                              Has anyone monitored the event log on a Windows XP?

                              The logs are then stored in "C:\WINDOWS\system32\config" and the name of the log I want to monitor is "SysEvent.Evt".
                              My item key is
                              Code:
                              eventlog[SysEvent.Evt,,,,,skip]
                              but so far I get nothing but errors.
                              Last edited by Jarne St; 07-01-2020, 12:37.
