Hi,
I'd like to configure a trigger alert that includes the account username and the suspected user's IP address.
Example:
Failed logon (User: [email protected], from IP address: 192.168.15.12)
HOST NAME: CONTOSO
ITEM
Name: Failed logon
Type: Zabbix agent (active)
Key: eventlog[Security,,,,^4625,,),1m,,]
Type of information: Log
Update interval: 1 m
Preprocessing:
Type: Regular expression
Expression: Account For Which Logon Failed:\s+(?:.|\s)*?Account Name:\s+([^\s]+)
Output: \1
TRIGGER
Name: Failed logon (User: {ITEM.LASTVALUE1} from IP address: {ITEM.LASTVALUE2})
Expression: count(/CONTOSO/eventlog(Security,,,,^4625,,),1m,,)>0
OK Event generation: Expression
PROBLEM event generation mode: Multiple
Current result:
Failed logon (User: [email protected] from IP address: "UNKNOWN")
I tried creating a master item and dependent items, but I couldn't add extra information about the user's IP address.
I have the following expression:
Source Network Address:\s+(\S+), Output: \1
How or where do I need to use it?
Sample log from Zabbix:
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: [email protected]
Account Domain: contoso
Failure Reason: Unknown user name or bad password.
...
Source Network Address: 192.168.15.12
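As an added example that is not part of this post or of Zabbix itself: a small Python script that emulates the two "Regular expression" preprocessing steps from the post (the username expression and the Source Network Address expression) the way two dependent items under the same eventlog master item would apply them, runs both over a constructed 4625 event body, and assembles the alert text the trigger name is meant to show. It assumes Windows writes "-" as the Source Network Address for local/console logons and reports those as UNKNOWN rather than as an address.

```python
import re

# Constructed sample of a Windows Security event 4625 message, shaped like the
# one quoted in the post (the user name and address are placeholders).
SAMPLE_4625 = """An account failed to log on.
Subject:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\t-
\tAccount Domain:\t\t-
\tLogon ID:\t\t0x0
Logon Type:\t\t\t3
Account For Which Logon Failed:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\tjdoe@contoso.example
\tAccount Domain:\t\tcontoso
Failure Reason:\t\tUnknown user name or bad password.
Network Information:
\tSource Network Address:\t192.168.15.12
"""

# The two "Regular expression" preprocessing steps from the post, both with
# output "\1". In Zabbix each would sit on its own dependent item under the
# same eventlog[...] master item; here both run over the same event text.
USER_RE = r"Account For Which Logon Failed:\s+(?:.|\s)*?Account Name:\s+([^\s]+)"
IP_RE = r"Source Network Address:\s+(\S+)"


def preprocess_regex(value, pattern):
    """Emulate one Zabbix 'Regular expression' step with output template \\1.
    Returns None when the pattern does not match (the step fails in Zabbix)."""
    m = re.search(pattern, value)
    return m.group(1) if m else None


def failed_logon_fields(event_text):
    """Pull the two values the trigger name needs out of one 4625 event."""
    user = preprocess_regex(event_text, USER_RE)
    ip = preprocess_regex(event_text, IP_RE)
    # Windows logs '-' as the source address for local/console logons
    # (assumption stated in the lead-in); report those as UNKNOWN, not '-'.
    if ip in (None, "-"):
        ip = "UNKNOWN"
    return {"user": user or "UNKNOWN", "ip": ip}


def trigger_name(event_text):
    """Render the alert text the post wants, from the two extracted fields."""
    f = failed_logon_fields(event_text)
    return f"Failed logon (User: {f['user']} from IP address: {f['ip']})"
```

Calling `trigger_name(SAMPLE_4625)` yields the text the post expects; the point it illustrates is that both values come from the same master item value, so the IP needs its own dependent item (and its own reference in the trigger) before {ITEM.LASTVALUE2} can carry it.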