Zabbix 7.2.2 security log monitoring
  • VladJack
    Junior Member
    • Feb 2025
    • 8

    #1
    hi,

    we are monitoring security events using Zabbix, and have found an issue with our trigger configuration:

    [attached screenshot: image.png]
    If a user is added to many groups at the same time, the trigger is not triggered and we cannot search for logs in Monitoring -> Problems, but if we right-click on a 4728 event and do History -> Windows security (ID4728) we can see the events; however, if needed we can't search for events in this area (or are we missing how to search them?)

    Maybe we should change "PROBLEM event generation mode" to Multiple?
    Please help.

    Thank you.
  • VladJack
    Junior Member
    • Feb 2025
    • 8

    #2
    Hi,

    Just a small update — the issue seems to occur only when a user is added to multiple groups at the same time.

    For example, when a user is added to a single group in one action, a single 4728 event is generated. However, if the user is added to multiple security groups in one action, multiple 4728 events are generated. I can see all of them in Zabbix if I search using the specific domain controller’s values.

    The problem is that no trigger is activated when a user is added to multiple groups at once, so we can't see any event listed under "Problems".

    Any ideas on how to handle this?


    • cyber
      Senior Member
      Zabbix Certified Specialist, Zabbix Certified Professional
      • Dec 2006
      • 4807

      #3
      Your trigger activates when the first log event is found... your trigger goes to TRUE state. It stays there until either part of the expression goes to FALSE, making the whole expression false. So, even if Zabbix picks up multiple events from the log file in one run, it will generate only one event, as you have "single" problem generation. It will only generate the next one if the problem becomes false at one moment (probably after no events have been found in 600s time). You will not get any new ones either when you add a user to a group every minute, or every 5 minutes, because that 10m timer (from last data arrival) has not yet expired... it just resets it to start again.

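      The behaviour cyber describes above, as an added simulation that is not part of this thread or of Zabbix itself: it assumes the trigger expression is TRUE while a 4728 event has arrived within the last 600s and recovers through a timer evaluation once that window expires, and it counts how many PROBLEM events "single" and "multiple" generation modes would produce for constructed timelines (a burst of three 4728s from one action, a user added every minute, and a lone event after a gap).

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NODATA_WINDOW = 600  # seconds without a new 4728 before the trigger recovers (assumed from the thread's "600s")


@dataclass
class TriggerSim:
    """Toy model of a Zabbix log trigger on Windows security event 4728 (not Zabbix's own logic)."""
    mode: str                                   # "single" or "multiple" problem event generation
    problem: bool = False                       # current trigger state
    last_match: Optional[int] = None            # timestamp of the last 4728 seen
    problem_events: List[int] = field(default_factory=list)

    def tick(self, now: int) -> None:
        """Timer evaluation: with no 4728 inside the window the expression is FALSE and the trigger recovers."""
        if self.last_match is not None and now - self.last_match >= NODATA_WINDOW:
            self.problem = False

    def receive(self, ts: int, event_id: int) -> None:
        """A log value arrives; the trigger is re-evaluated on every received value."""
        self.tick(ts)  # stands in for the timer evaluations that ran while no data arrived
        if event_id != 4728:
            return
        self.last_match = ts  # the 10m window restarts from this value
        if self.mode == "multiple" or not self.problem:
            self.problem_events.append(ts)  # a new PROBLEM event is generated
        self.problem = True


def count_problem_events(mode: str, log_values: List[Tuple[int, int]]) -> int:
    """Replay a timeline of (timestamp, event id) values and return the number of PROBLEM events."""
    sim = TriggerSim(mode)
    for ts, event_id in log_values:
        sim.receive(ts, event_id)
    return len(sim.problem_events)


# Constructed sample timelines (timestamps in seconds).
BURST = [(0, 4728)] * 3                                       # one user added to three groups in one action
EVERY_MINUTE = BURST + [(60 * i, 4728) for i in range(1, 6)]  # then a user added to a group every minute
AFTER_GAP = BURST + [(900, 4728)]                             # then a lone 4728 fifteen minutes later

if __name__ == "__main__":
    for name, timeline in [("burst", BURST), ("every_minute", EVERY_MINUTE), ("after_gap", AFTER_GAP)]:
        print(f"{name:13s} single={count_problem_events('single', timeline)} "
              f"multiple={count_problem_events('multiple', timeline)}")
```

      In "single" mode the burst and the minute-by-minute additions each yield a single PROBLEM event, and only the lone event after the 600s window expires produces a second one; "multiple" mode yields one PROBLEM event per matching value.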


      • VladJack
        VladJack commented
        thx for the explanation, any workaround?
    • cyber
      Senior Member
      Zabbix Certified Specialist, Zabbix Certified Professional
      • Dec 2006
      • 4807

      #4
      Try with Multiple ...


      • VladJack
        Junior Member
        • Feb 2025
        • 8

        #5
        Multiple is not ok, it just creates problem events continuously... just so many of them, something must be tuned.
        Question: we are ok to live with some events not triggering a problem, but can we somehow search in Zabbix history values? And maybe create reports?
        I see for example we have all values collected in the 4728 event history, but without search it is difficult to use the collected values...


        • VladJack
          Junior Member
          • Feb 2025
          • 8

          #6
          Any ideas?
