
Monitoring When Windows User login and logout

  • Person
    Junior Member
    • Apr 2025
    • 14

    #1

    Hello,

    I'm very new to Zabbix and currently running version 7.2.4. I was wondering what the best way is to set up an item, trigger and some sort of log for when a user logs onto and off of their Windows PC.
    I've been a little lost in all of the documentation and would like some help with setting this up.

    Thanks
  • Person
    Junior Member
    • Apr 2025
    • 14

    #2
    Hi, thanks for your reply. I did some research into trying to find the 4624 event logs through Zabbix and found others were saying to try and set up an item like this.

    Name- User sign-in
    Type- Zabbix agent (active)
    Key- eventlog[Security,,,,4624]
    Type of information- Log
    Update interval- 30s

    After adding this item to the template and signing out of the host and then signing in, I checked the latest data in the monitoring tab and found no information stored under the item in there.
    Not sure if this is supposed to work or if I'm doing this incorrectly or if maybe it is for an older version of Zabbix.

    Comment

    • Moob
      Member
      • Mar 2025
      • 31

      #3
      Hi,

      Try something like
      Code:
      eventlog[Security,,,,4624,,]
      Keep in mind that event ID 4624 will also catch system logons like NT AUTHORITY, so you will need to preprocess its output to get only real user logons.

      Regards

      Comment

      • Person
        Junior Member
        • Apr 2025
        • 14

        #4
        Hi, I was able to try and put in the code you provided, so now the item looks like this:

        Name- User sign-in
        Type- Zabbix agent (active)
        Key- eventlog[Security,,,,4624,,]
        Type of information- Log
        Update interval- 30s

        After adding the new code and updating the item, I went to check the latest data and now a message is saying "The "eventlog" key is not supported in test or single passive check mode".
        I have not added in the preprocessing because I'm not sure what needs to be added for this particular item, and I'm not sure if this is being caused because of the preprocessing or if it is something else.

        Thank you for your help

        Comment

        • Moob
          Member
          • Mar 2025
          • 31

          #5
          Hi,

          saying "The "eventlog" key is not supported in test or single passive check mode".
          If it is saying this, is the agent configured in active mode?

          Your agent config should contain something like
          Code:
          #Server=<zabbix ip address or FQDN> the entire row should be commented out
          StartAgents=0
          ServerActive=<zabbix server ip address or FQDN>:10051
          Regards

          Comment

          • Person
            Junior Member
            • Apr 2025
            • 14

            #6

            Hi,

            I'm not sure if the agent is configured in active mode. I looked at the config file located in the C:\Program Files\Zabbix Agent 2\zabbix_agent2.conf, but when I looked at it compared to what you sent me,
            within my config file I do not see the three lines, but I did find a couple of lines that have some of the same things.
            For the StartAgents there is only one line with it commented out "# Mandatory: yes, if StartAgents is not explicitly set to 0"
            For the ServerActive there are a bunch of commented out lines with it in and then one line underneath all the rest that says "ServerActive=127.0.0.1"
            Not sure if those are what I'm supposed to be looking for or if I should add in what you have provided to me.

            Thanks

            Comment

            • Moob
              Member
              • Mar 2025
              • 31

              #7
              Originally posted by Person
              Hi,

              I'm not sure if the agent is configured in active mode. I looked at the config file located in the C:\Program Files\Zabbix Agent 2\zabbix_agent2.conf, but when I looked at it compared to what you sent me,
              within my config file I do not see the three lines, but I did find a couple of lines that have some of the same things.
              For the StartAgents there is only one line with it commented out "# Mandatory: yes, if StartAgents is not explicitly set to 0"
              For the ServerActive there are a bunch of commented out lines with it in and then one line underneath all the rest that says "ServerActive=127.0.0.1"
              Not sure if those are what I'm supposed to be looking for or if I should add in what you have provided to me.

              Thanks
              Well, you need at least ServerActive=<ip address zabbix server> and to comment out the "Server" option.

              As you seem to use 'Agent 2', StartAgents is no longer supported for Agent2, so you do not need that. Same goes for using port 10051; that's only when connecting to a Zabbix Proxy.

              Regards

              Comment

              • Person
                Junior Member
                • Apr 2025
                • 14

                #8
                Thank you so much for the help with this issue. I was able to change the ServerActive to the server IP address in the config file and now I'm seeing the logon and logoff for the user in the monitoring tab.
                However, now when I take a look at the host in the data collection tab it is yellow in the availability and says "Get value from agent failed: cannot establish TCP connection to [[Host Computer]:10050]: timed out"
                I'm assuming that this is something related to what I changed in the config file.

                Thanks

                Comment

                • Moob
                  Member
                  • Mar 2025
                  • 31

                  #9
                  Hi,

                  and says "Get value from agent failed: cannot establish TCP connection to [[Host Computer]:10050]: timed out"
                  Means the Zabbix server is trying to reach the host computer via its passive mode, and because it is configured in active mode you get this error message. You might want to check if the hostname in the agent config is exactly the same as the host name in the Zabbix server. This is mandatory in active mode. If the agent is only active you could try to remove the interface. Not sure if you need to recreate the host to lose it though.
                  Keep in mind that an agent can be configured both active and passive.

                  See also https://www.zabbix.com/documentation...rt/host?hl=ZBX

                  Regards

                  Comment

                  • Person
                    Junior Member
                    • Apr 2025
                    • 14

                    #10
                    Thank you again so much for your response. I was able to fix it by going into the config file and setting the Server=Zabbix to the server IP address and then it seemed to stop having the issue.
                    I just have two more questions: how should I set up preprocessing to get rid of the NT AUTHORITY logs like you mentioned before, and what would be the best way to set up a trigger for these items?

                    Thanks

                    Comment
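
For the preprocessing question in #10 and the NT AUTHORITY caveat in #3, here is one way to separate real user logons from system ones in event 4624 text. This is an added example, not code from any post in the thread; the function names, the host `PC01`, the sample accounts and the choice of logon types 2, 7, 10 and 11 are assumptions.

```javascript
// Added example, not code from the thread. ES5 syntax on purpose: Zabbix runs
// preprocessing scripts in the embedded Duktape engine.
// Assumes the English-language message text of Security event 4624.

// Logon types produced by a person at the console or over RDP.
var HUMAN_LOGON_TYPES = { 2: 'interactive', 7: 'unlock',
                          10: 'remote-interactive', 11: 'cached-interactive' };
// Built-in domains whose accounts are services or session helpers, not people.
var SYSTEM_DOMAINS = ['NT AUTHORITY', 'NT SERVICE', 'WINDOW MANAGER', 'FONT DRIVER HOST'];

// Value of the first "<label>:" line in a block of event text.
function field(block, label) {
    var m = new RegExp(label + ':[ \\t]*(.*)').exec(block);
    return m ? m[1].trim() : '';
}

function parseLogon(message) {
    // "Subject:" is the requesting process (often the machine account);
    // the account that actually logged on is under "New Logon:".
    var start = message.indexOf('New Logon:');
    var newLogon = start >= 0 ? message.slice(start) : '';
    return {
        logonType: parseInt(field(message, 'Logon Type'), 10),
        account: field(newLogon, 'Account Name'),
        domain: field(newLogon, 'Account Domain')
    };
}

function isUserLogon(logon) {
    if (!HUMAN_LOGON_TYPES.hasOwnProperty(logon.logonType)) return false;
    if (!logon.account || /\$$/.test(logon.account)) return false; // machine account
    return SYSTEM_DOMAINS.indexOf(logon.domain.toUpperCase()) === -1;
}

// "DOMAIN\user (kind)" for a real user logon, '' for everything else.
function summarizeLogon(message) {
    var logon = parseLogon(message);
    if (!isUserLogon(logon)) return '';
    return logon.domain + '\\' + logon.account + ' (' + HUMAN_LOGON_TYPES[logon.logonType] + ')';
}

// Constructed 4624 message, cut down to the fields read above.
function sampleEvent(type, account, domain) {
    return 'An account was successfully logged on.\r\n\r\nSubject:\r\n' +
        '\tAccount Name:\t\tPC01$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\r\n' +
        'Logon Information:\r\n\tLogon Type:\t\t' + type + '\r\n\r\nNew Logon:\r\n' +
        '\tAccount Name:\t\t' + account + '\r\n\tAccount Domain:\t\t' + domain + '\r\n';
}
```

Inside a Zabbix JavaScript preprocessing step the script would end with `return summarizeLogon(value);`, since the step passes the item value in as `value`.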
