Hello,
I am attempting to have Zabbix report failed logins to a Windows server.
I have created a key in a template called 'Log Test'
eventlog[Security,,,,4625]
and a trigger in the same template
{Log Test:eventlog[Security,,,,4625].logseverity(0)}=1
This works, and under 'Latest Data' I can see the events pop up.
The problems are
1). I get the entire log output when I look at history. I don't want it. I only want the following fields:
Account Name: nameofuser
Failure Reason: Unknown user name or bad password.
Workstation Name: workstation-name
2). How can I make, say, 10 repeated attempts within 5 minutes show an alert on the dashboard, preferably showing the username and workstation name?
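The logic behind both requests, as an added Python example that is not part of the original post and is not Zabbix configuration: it pulls the three named fields out of a 4625 message and flags 10 failures from the same account and workstation inside 5 minutes. The function names and the sample message are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# "Account Name" occurs twice in a 4625 message (Subject, then the account
# that failed); the wanted one follows this section header.
TARGET_SECTION = "Account For Which Logon Failed:"
FIELDS = {
    "account": re.compile(r"Account Name:[ \t]*(.*)"),
    "reason": re.compile(r"Failure Reason:[ \t]*(.*)"),
    "workstation": re.compile(r"Workstation Name:[ \t]*(.*)"),
}

def extract_fields(message):
    """Return the three fields the post asks for; None where one is absent."""
    tail = message.partition(TARGET_SECTION)[2] or message
    found = {}
    for name, rx in FIELDS.items():
        m = rx.search(tail)
        found[name] = m.group(1).strip() if m else None
    return found

def burst_alerts(events, threshold=10, window=300):
    """events: (epoch_seconds, message) pairs in time order. Returns one
    (time, account, workstation) tuple per burst of failures in the window."""
    recent = defaultdict(deque)
    alerts = []
    for ts, message in events:
        f = extract_fields(message)
        q = recent[(f["account"], f["workstation"])]
        q.append(ts)
        while ts - q[0] >= window:      # forget attempts outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, f["account"], f["workstation"]))
            q.clear()                   # start counting the next burst afresh
    return alerts

def sample_message(user, workstation):
    """Constructed 4625 message text, trimmed to the relevant sections."""
    return ("An account failed to log on.\r\n\r\nSubject:\r\n"
            "\tSecurity ID:\t\tNULL SID\r\n\tAccount Name:\t\t-\r\n\r\n"
            "Account For Which Logon Failed:\r\n"
            f"\tAccount Name:\t\t{user}\r\n\r\nFailure Information:\r\n"
            "\tFailure Reason:\t\tUnknown user name or bad password.\r\n\r\n"
            f"Network Information:\r\n\tWorkstation Name:\t{workstation}\r\n")

if __name__ == "__main__":
    burst = [(t * 25, sample_message("nameofuser", "workstation-name")) for t in range(10)]
    print(extract_fields(burst[0][1]), burst_alerts(burst))
```

Keying the window on account and workstation together keeps unrelated users' occasional typos from adding up to an alert.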