Monitor a specific Windows Event Log - ZABBIX Forums

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to REGISTER before you can post. To start viewing messages, select the forum that you want to visit from the selection below.

X

solutionssquad

Junior Member

Joined: May 2012

Posts: 14
#1

Monitor a specific Windows Event Log

12-07-2013, 18:01

Hi all,

I have spent the last 3 hours with no luck finding out how to do this.
I need to check the Windows Security Log for an Event ID 4624 with a logon type of 10.
How would I go about doing this?

Thanks much for your help.
Tags: None
Michael0

Member

Joined: Jan 2013

Posts: 68
#2

15-07-2013, 16:05

I´ve also searched for this for 2 weeks, you can use the Zabbix agent (active) checks:

.) create a new item
.) choose Type: Zabbix agent (active)
.) choose Key: eventlog[logtype,<pattern>,<severity>,<source>,<eventid>,<m axlines>,<mode>]

https://www.zabbix.com/documentation...agent/win_keys

For example, I want to monitor the windows "System" event logs with the severity "Warning" and event ID 123:

eventlog[System,,Warning,,123]

Than I set a trigger for this item:

{servername:eventlog[System,,Warning,,123].logseverity(0)}=2 & {servername:eventlog[System,,Warning,,123].nodata(180)}#1

So I will only get one zabbix alert when an event log entry with the event ID 123 was created.

Hope this helps!
Comment
solutionssquad

Junior Member

Joined: May 2012

Posts: 14
#3

15-07-2013, 19:26

That helped alot actually!
I was able to read a specific event ID.
But I'm still trying to create a trigger for the time to only notify if the event contains spcific items:
"Logon Type: 10". or
"A session was reconnected to a Window Station."
That, I can't figure out.

I have attached my actual Item.
Attached Files

Last edited by solutionssquad; 15-07-2013, 19:35.
Comment
tchjts1

Banned

Joined: May 2008

Posts: 1584
#4

16-07-2013, 07:27

The second parameter in your trigger (or key) string is for regexp. That would do what you want. In your trigger, note that regexp requires a case sensitive string, whereas iregexp is not case sensitive.

See this in the wiki:https://www.zabbix.com/documentation...zabbix_agent?s[]=regexp
Comment
Michael0

Member

Joined: Jan 2013

Posts: 68
#5

16-07-2013, 09:31

You can also try to use the pattern mode, to search for:

eventlog[Security,"Logon Type: 10"]

So the item will search for eventlogs in der Security log with "Logon Type: 10"
Comment
tchjts1

Banned

Joined: May 2008

Posts: 1584
#6

16-07-2013, 17:03

As an example of how we use it to trigger on the application log if the scan engine crashes...

Code:

(({MYSERVER:eventlog[Application].iregexp("The Scan Engine has crashed")})#0)
Comment
solutionssquad

Junior Member

Joined: May 2012

Posts: 14
#7

17-07-2013, 21:52

It worked!!!!
Thank you so much.
Now I just have to figure out how to get it t only alert me when a login occurs, not send a problem and an OK.
Comment
solutionssquad

Junior Member

Joined: May 2012

Posts: 14
#8

17-07-2013, 22:03

Spoke too soon, it's also doing it for logon type 5.

Code:

(({Windows Event Logs:eventlog[Security,,,,4624].iregexp("Logon Type: 10")})#0)
Comment
tchjts1

Banned

Joined: May 2008

Posts: 1584
#9

17-07-2013, 22:06

Ok, maybe try using regexp instead of iregexp. The Syntax you are looking for will have to be an exact match, including case sensitive.

But in your example, why is there so much space here? Is that the way it appears in your system log?

Code:

"Logon Type: 10"
Comment
solutionssquad

Junior Member

Joined: May 2012

Posts: 14
#10

17-07-2013, 22:08

That is how the event log has it.
Just changed to regex. lets see how it goes.
Comment
solutionssquad

Junior Member

Joined: May 2012

Posts: 14
#11

17-07-2013, 22:17

Bummer.
It's showing all logon types.
Comment
JimBurns83

Junior Member

Joined: Feb 2015

Posts: 1
#12

28-02-2015, 09:16

Originally posted by solutionssquad View Post

Bummer.
It's showing all logon types.

Could it be an issue with so many spaces? The regexp for multiple white space chars is \s+

So
Multiple Spaces

Becomes
Multiple\s+Spaces

Please note that \s and \S are exact opposite regexes
Comment
blinding

Junior Member

Joined: May 2015

Posts: 6
#13

08-06-2015, 21:40

I did time ago

This is what I did to check login on and login off on user and display a nice view on screem.

Image 1: I create a event log item: check Regular Expresion "@CustomUsername", and Event id 4624, and 4647, logon and logoff

Image 2: show regular expressions, matching username in this case CustomUsername, and shold match logon type 10, type 2 and logoff so, I make sure that is the correct, from the correct user. Spaces are take in cosideration, so I copy from event viewer : Logon Type: 10, and all other, Log on type 10 is from remote destop client, logon type 2 is directly into the pc, so correct espacing is set.

Image 3: I created a Calculated Item and look for data from the Data customusername Item, and specially search if data is logoff, if match result is 1, but is a sustract so 1-1 (cuz expresion if loggin off is the last is iqual to 1) result in 0. If log on result in this exp is 0 so 1-0 =1.

Image 4: Show value User LogOn Status, is 0 Not logged and 1 Logged.

Image 5: show how users is pull from event viewer when logged off and log on, check that it substract the data. So I with the calculated item i display nicely how show Image Number 6. Show me if user is log on or log off.

Take in mind. I created one calculation data (one Item) from every user, and one login activity from every user.
Attached Files

Last edited by blinding; 08-06-2015, 22:31.
Comment
fabian.fasser

Junior Member

Joined: Jun 2018

Posts: 1
#14

01-06-2018, 08:35

Hi everybody.

I have the same Problem with a eventlog item. I use a trigger to search into the application log to find every log with the EventID 9001 and the
Source which starts with MSSQL*.

eventlog[Application,,,^MSSQL,^(9001)$,,]

The problem is it does not work. Could anybody help me?

Thanks a lot
Comment

Previous template Next

Working...

X