Zabbix : Reading Windows Event Logs in Zabbix
- Published 22 Aug 2020
- Documentation : sbcode.net/zabbix/items-windo...
Coupons : sbcode.net/coupons
In this example I create an advanced item that reads the Windows event logs and looks for a specific Windows event ID, 4625, also known as 'failed logon'.
The item type is Zabbix Agent (Active)
and the key is
"eventlog[Security,,,,4625,,skip]"
The type of information is Log
The duration to keep the data and the frequency of checking for the item is up to you.
I then log onto my Windows VM and generate some failed logins.
I then see the failed login events in the Latest Data screen.
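Added example, not code from the video or from Zabbix itself: a small parser for the eventlog[] item key used above, plus a check for the two settings the video picks (item type "Zabbix agent (active)" and "Type of information" Log). The parameter order follows the documented Zabbix agent key eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>]; the function names are my own.

```python
# Positional parameters of the Zabbix agent (active) eventlog[] key:
#   eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>]
EVENTLOG_PARAMS = ("name", "regexp", "severity", "source", "eventid", "maxlines", "mode")


def _split_params(body: str) -> list:
    """Split key parameters on commas outside double quotes (backslash escapes not handled)."""
    parts, buf, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted          # quotes delimit a parameter that may contain commas
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def parse_eventlog_key(key: str) -> dict:
    """Map an eventlog[...] key to named parameters; empty slots (the ',,,,') become ''."""
    key = key.strip()
    if not (key.startswith("eventlog[") and key.endswith("]")):
        raise ValueError(f"not an eventlog[] key: {key!r}")
    raw = _split_params(key[len("eventlog["):-1])
    if not raw[0] or len(raw) > len(EVENTLOG_PARAMS):
        raise ValueError(f"bad parameter list in {key!r}")
    raw += [""] * (len(EVENTLOG_PARAMS) - len(raw))   # pad trailing omitted parameters
    params = dict(zip(EVENTLOG_PARAMS, raw))
    # mode: 'all' (default) processes existing entries too, 'skip' only new ones
    if params["mode"] not in ("", "all", "skip"):
        raise ValueError(f"mode must be 'all' or 'skip': {params['mode']!r}")
    return params


def item_problems(item_type: str, value_type: str, key: str) -> list:
    """Return configuration mistakes as readable strings (empty list means the item looks right)."""
    problems = []
    if item_type != "Zabbix agent (active)":
        problems.append("eventlog[] is accessible only as an active check; use type 'Zabbix agent (active)'")
    if value_type != "Log":
        problems.append("set 'Type of information' to Log so the event lines are stored")
    try:
        parse_eventlog_key(key)
    except ValueError as exc:
        problems.append(str(exc))
    return problems
```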
#zabbix
#zabbix5
#zabbixCourse
#zabbixTutorial
Hello Sean, thank you for this great video. How can I create a trigger for this item? Thank you.
sbcode.net/zabbix/host-triggers/ actually, search for trigger in the search field on that website.
Hi Sean, thanks for the video. I have created the item and with it I have created a trigger using iregexp, so if any event is created in the logs I am trying to raise a problem alert, but I am not able to get it back to recovery once the problem is created.
It sounds like your trigger expression is always triggering.
@sbcode OK, can you suggest an expression which can help me out with recovery? (The existing expression I am using is iregexp with a string.)
I could do with someone offering me a job using Zabbix. I am still unemployed after 3 years, yet everybody who has a job using Zabbix is asking me for answers?
@sachinvgaikwad639 (I know this is old, but really answering for the next person looking for answers.) If you create a template that monitors for Windows events (like 4725 = disabled users), and want a trigger that fires a problem that automatically closes after an amount of seconds (i.e. 300 = 5 mins), then this is the expression: nodata(/Monitor AD Events/eventlog[Security,,,,4725,,],300)=0
Note 1: "Monitor AD Events" is the name of my template, referenced in the expression.
Note 2: There is no need for a recovery expression (i.e. 'OK event generation' should be set to 'Expression'). Zabbix will find data wherever the template is applied and raise a problem, and after 5 minutes close it because it no longer matches the expression parameters.
Note 3: Make sure you set the severity of your trigger to match the notification action you are chasing, i.e. I use Average and above for email notification, otherwise it just appears in the Monitoring Global Dashboard.
I hope this helps the next guy. I had to figure this out myself, and came to this video hoping to find this answer...
Red mark messages "zbx_notsupported: accessible only as active check". How to solve this?
When you create your item, the type needs to be "Zabbix agent (active)".
@sbcode Yes, I did. Even when test checking via the command on CentOS, zabbix_get -s -k eventlog[Application,,,,1008,,], the result is ZBX_NOTSUPPORTED: Accessible only as active check. Please help.
zabbix_get doesn't work with active checks; zabbix_get is the same as doing a passive check.
Teach us to create an alert trigger, I don't get it xD
ua-cam.com/video/l0ZaUmevKIM/v-deo.html