Emails after three times 4625 An account failed to log on.

  • Filter
  • Time
  • Show
Clear All
new posts

    Emails after three times 4625 An account failed to log on.

    Hi All,

    I'm new to the forum and I have something I can't seem to figure out.
    I'm pretty much a newbie to Zabbix as well, so bear with me.

    I have everything set up to send an email when
    4625 An account failed to log on
    Has been logged in the Windows Security log.
    So everything works as should, but now the one who wants to use and implement it, doesn't want an email everytime someone makes one typo, but just after 3 times of trying, so they can be pro active and find out if the user is having trouble logging in or if there is another (security) issue.

    How do I configure Zabbix to only send an email after three login failures from the same user account?
    The info I get back from Windows Security Log does have the User Account in it, but this is just one text field and I cannot filter on it..... I think, I am not sure here.

    Can anyone push me in the right direction here?

    Many thanks in advance.

    With kind regards,

    Last edited by cornelvis; 11-01-2019, 17:21.

    Ok, I have it partially done. I created a trigger expression with the following:

    {WinDev1810Eval:eventlog[Security,,,,^(4625)$].logseverity(0)}=7 and {WinDev1810Eval:eventlog[Security,,,,^(4625)$].count(5m)}>2
    so at the 3rd time it will send out an email.

    I am not able to filter out the username from the information field so far.
    I have this in the agent default message:




      I was trying to solve the same thing and I came to the conclusion it cant be done easily ( im often wrong ) - because what will happen in 2 users will login to the system in 5 minutes ? - example 1st 2 unsuccesfull login , 2nd 2 unsucesfull login - basically you have 4 events with event 4625 but not from 1 user - I couldnt find a way how to identify by trigger that the user name is the same - you could create 100 triggers for 100 users names - but if you dont have the list of users its hard

      if youll know or find a way around without external tools ( script, userparameter, ...) it will be great

      mine kinda workaround:

      1. nontechnical - presuade security to setup policy - after 3 unssucesfull logins locked account - then look locked account event id
      2. technical - i asked my colleauge with powershell powers to do a script and then used it as as userparamater - be carefull it could take along time to parse eventlog always from begining ( maybe some logic to remember last palce in log can be implemented ) - in testing


        powershell method used in the script


          one observation I have made is that seems that some events are being delayed with this setup of item ( sometimes 5 min, sometimes 30 min, sometimes 1 hours ) - i guess this was because the agent with s1st setup couldnt sent enough lines at once at internal 1m

          I did change it to 1s and 500 lines

          just one of the things ( im also pretty new with eventlog monitoring ) - maybe we'll have to change it to elastic eg. can somebody bring insight where the issue might be ( i guess simply agent has a lot of work and the windows event logs are not as "good" as linux log )

          worth to mention that boith item has a preprocessing rule ( could thi cause a delay ? )

          regular expression - Account Name:\t\t([\w\S]*\.[\w\S]*) - /1

          1st key setup

          eventlog[Security,"Account Name:\t\t[\w\S]*\.[\w\S]*",,Microsoft-Windows-Security-Auditing,4624,,skip] item interval 1m

          2nd key setup

          eventlog[Security,"Account Name:\t\t[\w\S]*\.[\w\S]*",,Microsoft-Windows-Security-Auditing,4624,500,skip] adjusted parameter for maxlines sent for second to 500 and interval of item chnaged to 1s
          Last edited by gofree; 12-01-2019, 16:47.


            Example of delayed events

            could it be caused by this issue
            Attached Files
            Last edited by gofree; 13-01-2019, 10:47.



            No announcement yet.