Monitor a specific Windows Event Log



    Hi all,

    I have spent the last 3 hours with no luck finding out how to do this.
    I need to check the Windows Security Log for an Event ID 4624 with a logon type of 10.
    How would I go about doing this?

    Thanks much for your help.

    #2
    I've also searched for this for 2 weeks. You can use the Zabbix agent (active) checks:

    .) create a new item
    .) choose Type: Zabbix agent (active)
    .) choose Key: eventlog[logtype,<pattern>,<severity>,<source>,<eventid>,<maxlines>,<mode>]

    https://www.zabbix.com/documentation...agent/win_keys

    For example, I want to monitor the Windows "System" event log with the severity "Warning" and event ID 123:

    eventlog[System,,Warning,,123]

    Then I set a trigger for this item:

    {servername:eventlog[System,,Warning,,123].logseverity(0)}=2 & {servername:eventlog[System,,Warning,,123].nodata(180)}#1


    So I will only get one Zabbix alert when an event log entry with the event ID 123 was created.

    Hope this helps!



      #3
      That helped a lot actually!
      I was able to read a specific event ID.
      But I'm still trying to create a trigger to only notify if the event contains specific items:
      "Logon Type: 10" or
      "A session was reconnected to a Window Station."
      That, I can't figure out.

      I have attached my actual Item.
      Last edited by solutionssquad; 15-07-2013, 19:35.



        #4
        The second parameter in your trigger (or key) string is for regexp. That would do what you want. In your trigger, note that regexp requires a case sensitive string, whereas iregexp is not case sensitive.

        See this in the wiki: https://www.zabbix.com/documentation...zabbix_agent?s[]=regexp



          #5
          You can also try to use the pattern mode, to search for:

          eventlog[Security,"Logon Type: 10"]

          So the item will search for event log entries in the Security log containing "Logon Type: 10".



            #6
            As an example of how we use it to trigger on the application log if the scan engine crashes...


            Code:
            (({MYSERVER:eventlog[Application].iregexp("The Scan Engine has crashed")})#0)



              #7
              It worked!!!!
              Thank you so much.
              Now I just have to figure out how to get it to only alert me when a login occurs, not send a problem and an OK.



                #8
                Spoke too soon, it's also doing it for logon type 5.


                Code:
                (({Windows Event Logs:eventlog[Security,,,,4624].iregexp("Logon Type:			10")})#0)



                  #9
                  Ok, maybe try using regexp instead of iregexp. The syntax you are looking for will have to be an exact match, including case sensitivity.

                  But in your example, why is there so much space here? Is that the way it appears in your system log?

                  Code:
                  "Logon Type:			10"



                    #10
                    That is how the event log has it.
                    Just changed to regexp. Let's see how it goes.



                      #11
                      Bummer.
                      It's showing all logon types.



                        #12
                        Originally posted by solutionssquad:
                            Bummer.
                            It's showing all logon types.

                        Could it be an issue with so many spaces? The regexp for multiple white space chars is \s+

                        So
                        Multiple Spaces

                        Becomes
                        Multiple\s+Spaces

                        Please note that \s and \S are exact opposite regexes.



                          #13
                          I did this some time ago.

                          This is what I did to check the login and logout of a user and display a nice view on screen.

                          Image 1: I create an event log item: check Regular Expression "@CustomUsername", and Event ID 4624 and 4647, logon and logoff.

                          Image 2: shows the regular expressions matching the username, in this case CustomUsername, and it should match logon type 10, type 2 and logoff, so I make sure that it is the correct one, from the correct user. Spaces are taken into consideration, so I copy from Event Viewer: "Logon Type: 10", and all the others. Logon type 10 is from the Remote Desktop client, logon type 2 is directly into the PC, so the correct spacing is set.

                          Image 3: I created a Calculated Item that looks for data from the CustomUsername data item, and specially searches whether the data is a logoff; if it matches the result is 1, but it is a subtraction, so 1-1 (because the expression is equal to 1 if the last entry is a logoff) results in 0. If it is a logon, the result of this expression is 0, so 1-0 = 1.

                          Image 4: shows the value User LogOn Status: 0 is Not logged and 1 is Logged.

                          Image 5: shows how users are pulled from Event Viewer when logged off and logged on; check that it subtracts the data. So with the calculated item I display it nicely, as shown in Image 6. It shows me if the user is logged on or logged off.

                          Keep in mind: I created one calculated item for every user, and one login activity item for every user.
                          Last edited by blinding; 08-06-2015, 22:31.

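Posts #12 and #13 turn on two points: the "Logon Type:" value in a 4624 message is separated from its label by tabs, so a pattern typed with a single space never matches and only \s+ does, and a per-user logon state can be derived by pairing 4624 (type 2 or 10) with 4647. The script below is an added example, not code from the thread or from Zabbix: it mimics the eventlog[Security,,,,4624] item plus a regexp() trigger over constructed sample messages (the messages, the user name CustomUsername and the choice of types 2 and 10 as "interactive" are assumptions), and reproduces the calculated-item logic of post #13.

```python
import re

# Constructed sample events in the shape of Security-log entries 4624 and 4647
# (not real captures). Windows pads "Logon Type:" with tabs, as post #9 shows.
SAMPLE_EVENTS = [
    {"id": 4624, "message": "An account was successfully logged on.\r\n\r\n"
                            "Logon Type:\t\t\t10\r\n\r\nNew Logon:\r\n"
                            "\tAccount Name:\t\tCustomUsername"},
    {"id": 4624, "message": "An account was successfully logged on.\r\n\r\n"
                            "Logon Type:\t\t\t5\r\n\r\nNew Logon:\r\n"
                            "\tAccount Name:\t\tSYSTEM"},
    {"id": 4624, "message": "An account was successfully logged on.\r\n\r\n"
                            "Logon Type:\t\t\t2\r\n\r\nNew Logon:\r\n"
                            "\tAccount Name:\t\tCustomUsername"},
    {"id": 4647, "message": "User initiated logoff:\r\n\r\nSubject:\r\n"
                            "\tAccount Name:\t\tCustomUsername"},
]

# The pattern as typed in the thread (single space) versus one that absorbs tabs.
LITERAL_PATTERN = re.compile(r"Logon Type: 10")
WHITESPACE_PATTERN = re.compile(r"Logon Type:\s+10\b")   # \b keeps 100 from matching

def matching_events(events, event_id, pattern):
    """Mimic eventlog[Security,,,,<eventid>] plus regexp(): keep events with the
    given ID whose message matches the (case-sensitive) pattern."""
    return [e for e in events if e["id"] == event_id and pattern.search(e["message"])]

def logon_type(message):
    """Extract the numeric logon type, or None if the field is absent."""
    m = re.search(r"Logon Type:\s+(\d+)\b", message)
    return int(m.group(1)) if m else None

def logon_state(events, username, interactive_types=(2, 10)):
    """Post #13's calculated item: 1 if the user's latest event is an interactive
    or RDP logon (4624, type 2 or 10), 0 if it is a logoff (4647) or nothing matched."""
    user_re = re.compile(r"Account Name:\s+" + re.escape(username) + r"\b")
    state = 0
    for e in events:                      # events assumed in chronological order
        if not user_re.search(e["message"]):
            continue
        if e["id"] == 4624 and logon_type(e["message"]) in interactive_types:
            state = 1
        elif e["id"] == 4647:
            state = 0
    return state

if __name__ == "__main__":
    print(len(matching_events(SAMPLE_EVENTS, 4624, LITERAL_PATTERN)), "literal matches")
    print(len(matching_events(SAMPLE_EVENTS, 4624, WHITESPACE_PATTERN)), "\\s+ matches")
    print("CustomUsername logged on:", logon_state(SAMPLE_EVENTS, "CustomUsername"))
```

The literal pattern finds nothing while the \s+ pattern finds exactly the type-10 logon, and the type-5 service logon from post #8 is excluded by the trailing \b rather than by case sensitivity.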


                            #14
                            Hi everybody.

                            I have the same problem with an eventlog item. I use a trigger to search the Application log for every entry with the EventID 9001 and a
                            Source which starts with MSSQL*.

                            eventlog[Application,,,^MSSQL,^(9001)$,,]

                            The problem is it does not work. Could anybody help me?

                            Thanks a lot

