eventlogid & regexp
  • thuizt
    Junior Member
    • Apr 2012
    • 3

    #1

    eventlogid & regexp

    Hello all,

We are monitoring the Windows event log ID 4625 for failed logons, which works perfectly, well.... too perfectly, actually.

We would like to filter out the IPv6 lines, which we are not interested in as they have a different source.
We would like to trigger only on the non-IPv6 events.

In all the monitored values we see: "network address from source: fe80::xxxx "

I have been trying and searching unsuccessfully to create a trigger.
Any help much appreciated.
  • jhboricua
    Senior Member
    • Dec 2021
    • 113

    #2
    It would help to know how your eventlog item is configured.

    Comment

    • thuizt
      Junior Member
      • Apr 2012
      • 3

      #3
      Item:
      eventlog[Security,,,,4625,,skip]

      itemdata:
      An account failed to logon. : Accountname: XXX: Workstation name: XXX : Networkaddress source: fe80::xxxx:xxxx:xxxx:xxxx

      current trigger:
      logeventid(/Windows Event Log by Zabbix agent active/eventlog[Security,,,,4625,,skip])=1

If the logon is from IPv4, we would like to be triggered.
If the logon is from IPv6 (fe80:xx....), which has a different cause, we don't want to see it in Zabbix.

      Comment

      • cyber
        Senior Member
Zabbix Certified Specialist, Zabbix Certified Professional
        • Dec 2006
        • 4807

        #4
Your current trigger only looks for the event ID. You need to create a new one which looks into the received value and parses out the required info.
Something like
        Code:
        find(/host/eventlog[Security,,,,4625,,skip],,regexp,"Networkaddress source: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
This should match in case there is a v4 address and ignore those with a v6 address...

        Comment
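Added example, not part of the thread: the pattern from reply #4 run with Python's re module (PCRE-compatible for this expression) over a few constructed item values in the shape of the poster's itemdata. The account names, workstation names and addresses are made up; the link-local IPv6 check and the "no address" check are my additions, included only to show how each kind of value would be classified next to the proposed trigger.

```python
import re

# Pattern proposed in reply #4. It only matches when a dotted quad
# immediately follows the "Networkaddress source: " label, so a
# link-local fe80:: address, a bare "-" (local logon) or an
# IPv4-mapped ::ffff:a.b.c.d address will not match.
IPV4_SOURCE = re.compile(
    r"Networkaddress source: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
)

# My addition (not from the thread): fe80::/10 link-local covers fe80-febf.
IPV6_LINK_LOCAL_SOURCE = re.compile(
    r"Networkaddress source: fe[89ab][0-9a-f]:", re.IGNORECASE
)

# My addition: 4625 events for local logons carry "-" as the address.
NO_ADDRESS_SOURCE = re.compile(r"Networkaddress source: -\s*$")

# Constructed sample values (made-up names and addresses), same layout
# as the poster's itemdata line.
SAMPLE_VALUES = [
    "An account failed to log on. : Accountname: svc_backup : Workstation name: WS01 : Networkaddress source: 10.20.30.40",
    "An account failed to log on. : Accountname: admin : Workstation name: WS02 : Networkaddress source: fe80::1c2d:3e4f:5a6b:7c8d",
    "An account failed to log on. : Accountname: alice : Workstation name: WS03 : Networkaddress source: -",
    "An account failed to log on. : Accountname: bob : Workstation name: WS04 : Networkaddress source: ::ffff:192.0.2.7",
]


def matches_ipv4_source(value: str) -> bool:
    """Equivalent of find(...,regexp,<pattern>)=1 with the reply's pattern."""
    return IPV4_SOURCE.search(value) is not None


def classify_source(value: str) -> str:
    """Label the source address family the way the trigger would see it."""
    if matches_ipv4_source(value):
        return "ipv4"
    if IPV6_LINK_LOCAL_SOURCE.search(value):
        return "ipv6-link-local"
    if NO_ADDRESS_SOURCE.search(value):
        return "no-address"
    return "other"


def values_to_alert_on(values):
    """Return only the values for which the proposed trigger would fire."""
    return [v for v in values if matches_ipv4_source(v)]


if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(f"{classify_source(v):16} {v.rsplit(': ', 1)[-1]}")
    print("alerting on", len(values_to_alert_on(SAMPLE_VALUES)),
          "of", len(SAMPLE_VALUES), "sample values")
```

Only the first sample value fires; the link-local, local-logon and IPv4-mapped values are left alone, which is the behaviour the poster asked for.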
