Event log Windows 2008

Wilco
Junior Member
• Nov 2011
• 7

#1

Event log Windows 2008

Hello,

I am new to Zabbix and am trying to set up the event log so I can view it in Zabbix.

The default logs are working, but why can I not use the other log files?

See the screenshot for an explanation.

Or is there another way to do this? I would like to view the backup log!

Please, can you help me, or is there documentation for this problem?

Thanks
Attached Files
Wilco
Junior Member
• Nov 2011
• 7

#2
Bump

Any idea?

satchelp
Junior Member
• Jul 2008
• 13

#3
I'm trying to figure out how to do this as well. Has anyone successfully monitored the additional eventlogs such as Microsoft->Windows->Backup or Microsoft->Windows->GroupPolicy?

Wilco
Junior Member
• Nov 2011
• 7

#4
satchelp,

have you found an answer yet?

Wilco

satchelp
Junior Member
• Jul 2008
• 13

#5
Unfortunately I did not find a way to do this successfully.

I did find an event in the regular System log that was also an indication of the problem I was looking for in the more specific log. If anyone figures out how to do this I'd still be interested.

Wilco
Junior Member
• Nov 2011
• 7

#6
Has someone tried this already with the new Zabbix version?

nabberuk
Member
• May 2010
• 82

#7
Any updates on this?

EDIT: Is the correct way to use "Microsoft-Windows-Backup/Operational" instead of, say, "System"?
Last edited by nabberuk; 05-12-2012, 11:59.

jlrd
Junior Member
• Oct 2012
• 11

#8
Event Log Windows BUMP

I've been trying to access the "Microsoft-Windows-TaskScheduler/Operational" Event Log using the Zabbix Agent Active check, but with no success. This thread seems to be the closest to what I am experiencing.

I've tried encoding the '/' in the check (with %4), as it appears encoded on the actual file system (Microsoft-Windows-TaskScheduler%4Operational.evtx). However, based on the debug logging, it may be decoding it before executing the check on the actual system.

For example, the log is located on the file system at C:\Windows\System32\Winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx, but if you set a check w/ key "eventlog[Microsoft-Windows-TaskScheduler%4Operational,,Error]" I see it appear in the debug log as "eventlog[Microsoft-Windows-TaskScheduler\/Operational,,Error]", so consequently I think it's looking for "Microsoft-Windows-TaskScheduler/Operational.evtx" on the file system, which may or may not be the case depending on whether they are reading it from the file or using some Win API.

I am successfully using the Agent for all the base (application and system) event logs. Has anyone solved this? Is there a feature request that anyone is aware of for this?

Thanks,
Joel.

gool0446
Junior Member
• Mar 2013
• 2

#9
Same problem

I'm trying to read the backup log file of an SBS2011 server.
In a template I created an item and a trigger.
Item: eventlog[Microsoft-Windows-Backup,,"information",,^14$]
Trigger: {Servername:eventlog[Microsoft-Windows-Backup,,"information",,^14$].logseverity(0)}=1 & { Servername:eventlog[Microsoft-Windows-Backup,,"information",,^14$].nodata(86000)}#1
Or
Trigger: {Servername:eventlog[Microsoft-Windows-Backup,,"information",,^14$].logseverity(0)}=1 & { Servername:eventlog["Microsoft-Windows-Backup.evtx",,"information",,^14$].nodata(86000)}#1
This error is the result:
Evaluation failed for function

nail
Member
• Jun 2012
• 32

#10
Have the same problem with Microsoft-Windows-Kernel-WHEA/Errors.
Someone suggested using a PS script to convert Windows log files to txt.
Still waiting for a Zabbix fix.

monolithic
Junior Member
• May 2009
• 21

#11
Okay
Just started using Zabbix again and got successful logging of the System, Security and Application logs working; however, on Win7 and Win2008R2 the sub-categories, including Group Policy and Firewall, weren't working. Subsequently I even tried copying the file with the %4 or '/' character in it to this:
c:\windows\system32\winevt\logs\firewall.evtx
I then tried monitoring it with the key eventlog[Firewall]; it didn't work because I believe the log name is that big long thing with the '/' and %4 embedded in it.

There are supposedly some fixes in the works for this:

- currently not resolved, but there is a referenced patch in this support article to this:

There is a patch in here that is supposed to have fixed it.

The patch came out in July.
I updated my Zabbix to 2.0.6 in June.
It doesn't look like they've released the agent that includes this patch; you need to build/compile it yourself. I've contacted the developer to see if he can release a test executable of this. I'll keep this post updated if any further developments occur. I'm really itching to get this working to monitor the Windows firewall on a bunch of my hosts.

monolithic
Junior Member
• May 2009
• 21

#12
Told ya I'd be back! So this has been fixed finally in ZBX-2008 & ZBXNEXT-934.

So, in order to monitor the Applications & Services logs, here is my example. I wanted to monitor the Windows Firewall; the actual location of these files on Windows 7 is the following:

C:\Windows\System32\winevt\Logs\

The Windows Firewall is in this filename: Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

So my item in Zabbix is this:

Item Type: Zabbix Agent Active
Item Key: eventlog[Microsoft-Windows-Windows Firewall with Advanced Security/Firewall]
Type of Information: Log

This works with Win7 Pro 64-bit, with Zabbix Host 2.2.2 and the 2.2.1 Windows Agent. I am now able to capture the firewall logs of a host with Zabbix and also trigger on alerts and severities of items in the Applications & Services.

I am deploying this across my network and will test against Server 2012 and 2008R2 and will post back the results.

So basically find which log you want to monitor, go to C:\Windows\System32\winevt\Logs\ and just substitute the %4 for a forward slash "/" and you should be golden! Good luck, and thank you Zabbix team for finally getting this fixed!
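The channel-name lookup that posts #8, #12 and #13 arrive at by trial and error, as an added PowerShell example that is not part of this thread and not Zabbix's own code: for each channel name as shown in Event Viewer, it asks Windows whether a channel is registered under exactly that name, derives the on-disk .evtx file name (a "/" in the channel name is stored as "%4"), checks that the current account can actually read the channel, and prints the eventlog[] key in the form monolithic uses. The script assumes Get-WinEvent is available (Vista/2008 or later) and a Zabbix 2.2+ agent, the version the thread reports as accepting "/" in the channel name; the four channel names at the bottom are a constructed sample taken from the thread.

```powershell
# Added example, not from this thread and not part of Zabbix.
# Run it under the account the Zabbix agent service uses, so the read check
# reflects the agent's permissions rather than your own.

function Test-ZabbixEventlogChannel {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $ChannelName
    )

    $logDir = Join-Path $env:SystemRoot 'System32\winevt\Logs'

    foreach ($name in $ChannelName) {
        # Exact registered channel name; this is what eventlog[] needs, not
        # the file name. Unknown names produce a non-terminating error that
        # we silence and treat as "not registered".
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue

        if (-not $log) {
            # Event Viewer groups channels under provider folders, so the
            # "Provider/Channel" you see is not always the registered name
            # (post #13: Hyper-V-VMMS/Admin is registered as
            # Microsoft-Windows-Hyper-V-VMMS-Admin). List registered channels
            # sharing the provider prefix so the right name can be picked.
            $prefix = $name.Split('/')[0]
            $near = Get-WinEvent -ListLog "$prefix*" -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty LogName
            [pscustomobject]@{
                Requested  = $name
                Registered = $false
                Enabled    = $false
                File       = $null
                Readable   = $false
                ZabbixKey  = $null
                Candidates = ($near -join '; ')
            }
            continue
        }

        # The agent reads through the event log API, but the file name is what
        # you find on disk: "/" is stored as "%4" (posts #8 and #12).
        $file = Join-Path $logDir (($log.LogName -replace '/', '%4') + '.evtx')

        # Can this account read the channel? Analytic/Debug channels are
        # disabled by default, and channels with restrictive ACLs fail here,
        # which is exactly what the agent would run into.
        $readable = $false
        try {
            $null = Get-WinEvent -LogName $log.LogName -MaxEvents 1 -ErrorAction Stop
            $readable = $true
        } catch {
            # An empty channel is still readable; only access/config errors count.
            if ($_.Exception.Message -match 'No events were found') { $readable = $true }
        }

        [pscustomobject]@{
            Requested  = $name
            Registered = $true
            Enabled    = $log.IsEnabled
            File       = $file
            Readable   = $readable
            # Key in the form post #12 uses; add the regexp/severity parameters
            # from the Zabbix eventlog[] key documentation as needed.
            ZabbixKey  = "eventlog[$($log.LogName)]"
            Candidates = ''
        }
    }
}

# Constructed sample input: the channel names discussed in this thread.
Test-ZabbixEventlogChannel -ChannelName @(
    'Microsoft-Windows-Backup/Operational',
    'Microsoft-Windows-TaskScheduler/Operational',
    'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall',
    'Microsoft-Windows-Hyper-V-VMMS/Admin'
) | Format-Table -AutoSize
```

A channel that reports Registered but not Readable is the case to look at before blaming the item key: either the channel is disabled (Enabled is $false) or the agent's account lacks read access to it, and neither is fixed by changing the key.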

leonidasklein
Junior Member
• Oct 2011
• 17

#13
Perfect!!

This saved me!!

Before, I was trying to use Microsoft-Windows-Hyper-V-VMMS/Admin, which is the name in Event Viewer, but in C:\windows\system32\WinEvt\Logs the log name is Microsoft-Windows-Hyper-V-VMMS-Admin, which works!!!
Thank you!!