Emails after three times 4625 An account failed to log on.


    Hi All,

    I'm new to the forum and I have something I can't seem to figure out.
    I'm pretty much a newbie to Zabbix as well, so bear with me.

    I have everything set up to send an email when "4625 An account failed to log on" has been logged in the Windows Security log.
    So everything works as it should, but now the one who wants to use and implement it doesn't want an email every time someone makes one typo, but just after 3 times of trying, so they can be proactive and find out if the user is having trouble logging in or if there is another (security) issue.

    How do I configure Zabbix to only send an email after three login failures from the same user account?
    The info I get back from the Windows Security Log does have the User Account in it, but this is just one text field and I cannot filter on it... I think, but I am not sure here.

    Can anyone push me in the right direction here?

    Many thanks in advance.

    With kind regards,

    Cornelis

    Edit (because of malfunctioning earlier post)

    Ok, I have it partially done. I created a trigger expression with the following:


    Code:
     
     {WinDev1810Eval:eventlog[Security,,,,^(4625)$].logseverity(0)}=7 and {WinDev1810Eval:eventlog[Security,,,,^(4625)$].count(5m)}>2
    so at the 3rd time it will send out an email.

    I am not able to filter out the username from the information field so far. I suspect I have to create a custom macro, but I can't figure out how. Even after reading the documentation several times.
    I have this in the agent default message:

    Code:
    {ITEM.VALUE}.regsub(Account\s+Name:\s+"([A-Za-z0-9]+)$",\1)}
    Anyone?
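
The per-account logic the post asks for, as an added example that is not part of the original post and is not Zabbix configuration: it pulls the target account out of the 4625 message text and flags an account on its third failure within five minutes. The 4625 description carries two "Account Name:" lines (one under "Subject", one under "Account For Which Logon Failed"), so the pattern anchors on the second section. The function names are hypothetical and the sample event text is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Target account sits in the "Account For Which Logon Failed" section; the
# earlier "Subject" section has its own "Account Name:" line (often "-").
TARGET_RE = re.compile(
    r"Account For Which Logon Failed:.*?Account Name:[ \t]*([^\r\n]+)", re.S)

def failed_account(message):
    """Return the lower-cased target account of a 4625 message, or None."""
    m = TARGET_RE.search(message)
    name = m.group(1).strip().lower() if m else ""
    return name or None

def accounts_to_alert(events, threshold=3, window=timedelta(minutes=5)):
    """events: (datetime, message) pairs sorted by time. Returns a list of
    (time, account) for every `threshold`-th failure inside `window`."""
    recent = defaultdict(deque)
    alerts = []
    for ts, msg in events:
        user = failed_account(msg)
        if user is None:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, user))
            q.clear()                  # re-arm: next alert needs 3 new failures
    return alerts

def sample_4625(user):
    """Constructed sample text laid out like a 4625 event description."""
    return ("An account failed to log on.\r\n\r\nSubject:\r\n"
            "\tSecurity ID:\t\tNULL SID\r\n\tAccount Name:\t\t-\r\n\r\n"
            "Logon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n"
            "\tSecurity ID:\t\tNULL SID\r\n"
            f"\tAccount Name:\t\t{user}\r\n\tAccount Domain:\t\tCORP\r\n")

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)
    events = [(t0 + timedelta(minutes=m), sample_4625(u)) for m, u in
              [(0, "jdoe"), (0, "asmith"), (1, "JDoe"), (2, "jdoe"),
               (4, "asmith"), (10, "asmith")]]
    for when, user in accounts_to_alert(events):
        print(when, user)
```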
