I am currently looking into what Zabbix can do for my company and we want to get alerts when a 4740 event log is generated on a host. I am aware that this is possible but I am not sure how to start on constructing the expression for the trigger. I have seen this phrase "eventlog[Security,,,,^4740$]" being passed around but this doesn't seem to be a part of the expression. What do I need to know to move forward?
Use Zabbix to alert when there is a user lockout on a host.
Do you need to know at the host level, or at the domain level?
The Windows admins where I work chose to use a custom script, run via the agent on one of our domain controllers, rather than the eventlog[] item on a per-host basis. I'm not sure why they chose that, but we do have a large-enough population that we care more about whether the number of lockouts has recently increased by a bunch (indicating we're probably getting a brute-force attack somewhere) than about any particular host having a lockout.
I was planning to use it on the DC but I would be willing to try it on the agent.
You can still do the check on the domain controller, as long as you're willing to run the Zabbix agent or agent2 on your DCs. My question about "host level, or at the domain level" was whether you needed separate checks and potentially alerts for every Windows host, or whether you just needed to know at the domain level whether lockouts were occurring.
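Putting the item key from the question together with a trigger, as an added example rather than anything posted in this thread; the host names `Windows host` and `DC01`, the 15-minute window and the spike threshold are assumptions to adjust:

```text
# Item (type: Zabbix agent (active); type of information: Log)
# Key: one new value per Security-log event whose ID matches ^4740$ (account locked out)
eventlog[Security,,,,^4740$]

# Trigger, Zabbix 5.4 and later (function(/host/key,...) syntax):
# fires when at least one 4740 event was collected in the last 15 minutes
# and recovers on its own once the window is empty again
count(/Windows host/eventlog[Security,,,,^4740$],15m)>0

# Same trigger in the pre-5.4 {host:key.function()} syntax
{Windows host:eventlog[Security,,,,^4740$].count(15m)}>0

# Domain-level variant with the agent on a domain controller: alert on a
# spike in lockouts rather than on a single one (threshold is an assumption)
count(/DC01/eventlog[Security,,,,^4740$],15m)>5
```

For domain accounts, event 4740 is written on the domain controllers (the PDC emulator sees all of them), not on the member host where the user typed the password, so a per-host item only catches lockouts of that host's local accounts.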