yes they are built into the windows template

eventlog[system]
eventlog[application]
eventlog[security]

they return severity and the description

Windows Template

Saw this thread regarding eventlog items. I upgraded my 1.1 environment to 1.4.2 and then imported templates from Wiki. I do not see eventlog ityems in my new template.

Are the 1.4.1/2 clean DB templates the same as those on Wiki?

Thanks Guys for your help ... i'll made some test asap !!

My bad - they are not in the template but they should be IMHO

I believe the wiki templates and those in the download are the same. I have ben using zabbix since an early beta of 1.1 so I have my own templates at this point.

Guys.

can you please give some more information on this as this is what i am looking to do.

I am looking to capture

Source: Security

Category: Account Management

Event ID: 633

Type: SuccessA

User: User Who made the change

Computer: Computer the change was made on

Description: The Description of the change

Can anyone please help me achieve this please as i cant find any documents on how to do this

Thanks in advance

Hi guys.

Ok can someone please help me with this and check if it is right.

Created an Item

Type: ZABBIX agent (active)
Key: eventlog[Security]
Type of information: Log

Created the Trigger

({Template_WITHERS_DomainControllers_Servers:event log[Security].logsource(Security)}=1)&({Template_WITHERS_Domain Controllers_Servers:eventlog[Security].str(Security Enabled Global Group Member Removed)}=1)&({Template_WITHERS_DomainControllers_ Servers:eventlog[Security].nodata(30)}#1)

Any ideas as to where i am going wrong. If i make changes to security groups then none of it is being picked up by Zabbix

Thanks for any help you can give.

Craig

Guys.

I just cant see why this is not working.

Can anyone who monitors the event viewer please help me.

Many thanks

Craig

Guys.

I am pulling out what very little hair i have right now with this and could really do with some help.

Ok the event i am trying to monitor and alert on is this

Source: Security

Category: Account Management

Event ID: 633

Type Success Audit

I would then like the alert to email me the description of the alert from the event in Windows.

I have tried every possible way and have been over every single post on this site and in the documentation but i can not get this to work.

I dont know if it is my trigger that is wrong or something else is up but i could do with someone who has these tyoes of alerts working to help me get this working. I am on the verge of walking away from Zabbix but i really dont want to.

Craig

Have you tried entering in the complete string from the event log message portion to see if the "str" function is doing an "equals" vs. a "contains"\"starts with"\"ends with"?

Hi mate and thanks very much for the reply.

No i have not done that. Could you please let me know how i could do it and i will give it a go and post back the results

Thanks again

Craig

just copy the entire contents of an event that you can reproduce (or happens often) and put in the str argument. Then try and reproduce the event (opr wait for it to happen) and see iof the trigger fires. I would remove the other two conditions for now just to see if the str function works or not.

Guys,

i have created a new item as follows

Type: Zabbix Agent (Active)

Key: eventlog[Security,Success Audit]

Type of Information: Log

Now i have assigned the item to one of my servers which is fine. When i look on the latest data tab i see a new node

NTLogFile

If i expand this node i see

Eventlog Security Success Audit 24 Sep 16:52:18 Accessible only as a Active Agent

Any ideas what is going on?

Cheers

Craig

Guys.

I seem to be getting some where very very slowly with this. If i have the code below as my trigger (keep an eye on the .str)

({LNDC02:eventlog[Security].str(Successful Network Logon}=1)

Then i get a s*it load of emails coming through to my inbox, so i can now see that Zabbix is looking at the event logs and it is picking up what i have in my .str so all good there.

However:

If i have my .str value as (again notice the .str)

({LNDC02:eventlog[Security].str(Security Enabled Global Group Member Added: Member Name}=1)

Then nothing is returned.

If i look in the latest data i just dont see the items i am expecting. In fact i have only seen it once and that was before i put the trigger in

I am expecting to see loads of these

Security Enabled Global Group Member Added: Member Name: etc etc etc

It just seems Zabbix is not picking up all the items in the Security Event Log or that it seems up to an hour behind.

Can anyone please help. I have got to grips with the email alerts. I am ok with setting up items and triggers (almost) but if we can get this working i will be a very very happy man. we had an instance of a security group changing and if i can prove to my company zabbix could have caught it i will have some power to pay for a support contract and all will be good

Anything you can do to help me get this working will be a bonus

Cheers

Craig

Edit:

Just a thought, could this be any kind of permissions thing on the Windows server? What account \ permissions does the zabbix_agentd.exe have on the server?

Guys.

This issue i am having is down to Zabbix not getting all the data from the Security logs in Windows. My triggers are working on everything else.


Can anyone please please please please help me work this out.

Craig