Zabbix monitoring of Windows user logins is achieved by monitoring the Windows event logs. An alarm is raised when a login audit fails or a login succeeds.
Example of an alarm message:
Here are the monitoring ideas and steps:
I. Analyzing the logs
Open Event Viewer, select Windows Logs, and then click Security.
1. Log of a successful login
There are usually four logs for a successful login:
The log with Event ID 4624 contains the login account name, login source IP, port, and so on.
2. Log of an account login failure
An account login failure results in a log with Event ID 4625, which also contains the login account name, login source IP, and port:
So, for "login success" we only monitor the log with Event ID 4624, and for "login failed" we monitor the log with Event ID 4625.
II. Creating the monitoring items
1. Monitoring item for successful logins
Monitoring Item Name: Account Login Successful
The monitoring key is filled in as follows:
eventlog[security,,"Success Audit",,^4624$,,skip]
Note: select Zabbix agent (active) as the item type, Log as the data type, and 60 seconds as the update interval.
The parameters of the monitoring key are enclosed in square brackets and separated by commas; the even-numbered parameters are left empty here. The meaning of each parameter used is explained below:
Parameter 1, security: the name of the event log.
Parameter 3, "Success Audit": the severity of the event.
Parameter 5, ^4624$: a regular expression that matches logs whose Event ID equals 4624.
Parameter 7, skip: do not process the existing history of the log; if skip is omitted, historical log entries that match the conditions above are also collected.
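Because the eventlog[] parameters are positional, the empty placeholders matter: dropping one shifts every later value into the wrong slot, and a trigger that references a key differing by even one comma from the item key refers to a non-existent item. The following is an added example, not code from the post or from Zabbix: it splits an eventlog key into its named parameters in the documented order (name, regexp, severity, source, eventid, maxlines, mode) and checks that every item reference inside a trigger expression matches the item key and host name exactly. The template name, item key and the deliberately mismatched expression are constructed for the demonstration.

```python
import re

# Positional parameters of the Zabbix agent eventlog[] key, in documented order:
# eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>]
EVENTLOG_PARAMS = ("name", "regexp", "severity", "source", "eventid", "maxlines", "mode")

# Matches one {host:key.function(args)} reference inside a trigger expression.
REF_RE = re.compile(
    r"\{([^{}:]+):(eventlog\[[^\]]*\])\s*\.\s*(\w+)\s*\(([^)]*)\)\}", re.IGNORECASE
)


def split_key_params(raw: str) -> list:
    """Split a bracketed parameter list on commas, honouring double quotes."""
    params, cur, in_quote = [], [], False
    for ch in raw:
        if ch == '"':
            in_quote = not in_quote  # quotes delimit a value; they are not part of it
        elif ch == "," and not in_quote:
            params.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    params.append("".join(cur).strip())
    return params


def parse_eventlog_key(key: str) -> dict:
    """Map an eventlog[...] key to named parameters; missing trailing ones become ''."""
    m = re.fullmatch(r"\s*eventlog\[(.*)\]\s*", key, re.IGNORECASE)
    if not m:
        raise ValueError(f"not an eventlog key: {key!r}")
    params = split_key_params(m.group(1))
    if len(params) > len(EVENTLOG_PARAMS):
        raise ValueError(f"eventlog key takes at most {len(EVENTLOG_PARAMS)} parameters")
    params += [""] * (len(EVENTLOG_PARAMS) - len(params))
    return dict(zip(EVENTLOG_PARAMS, params))


def check_trigger_references(host: str, item_key: str, expression: str) -> list:
    """Return a list of problems; an empty list means every reference matches the item."""
    wanted = parse_eventlog_key(item_key)
    problems = []
    refs = REF_RE.findall(expression)
    if not refs:
        problems.append("no eventlog item references found in expression")
    for ref_host, ref_key, func, _args in refs:
        if ref_host != host:  # template/host names are case-sensitive in Zabbix
            problems.append(f"host name {ref_host!r} differs from {host!r}")
        got = parse_eventlog_key(ref_key)
        for name in EVENTLOG_PARAMS:
            if got[name] != wanted[name]:
                problems.append(
                    f"{func}(): parameter {name!r} is {got[name]!r}, item has {wanted[name]!r}"
                )
    return problems


# Constructed template name and item key (assumptions for this example)
HOST = "Template Windows Event log"
ITEM_KEY = 'eventlog[security,,"Success Audit",,^4624$,,skip]'

# Expression whose references match the item key and host name exactly
GOOD_EXPR = (
    '{Template Windows Event log:eventlog[security,,"Success Audit",,^4624$,,skip].nodata(60)}=0'
    ' & {Template Windows Event log:eventlog[security,,"Success Audit",,^4624$,,skip].str(ADVAPI)}=0'
)
# Constructed faulty expression: the first key drops the empty placeholders,
# the second reference spells the template name with a different case
BAD_EXPR = (
    '{Template Windows Event log:eventlog[security,"Success Audit",^4624$,,skip].nodata(60)}=0'
    ' & {Template windows Event log:eventlog[security,,"Success Audit",,^4624$,,skip].str(ADVAPI)}=0'
)

if __name__ == "__main__":
    print(parse_eventlog_key(ITEM_KEY))
    print("good:", check_trigger_references(HOST, ITEM_KEY, GOOD_EXPR))
    for p in check_trigger_references(HOST, ITEM_KEY, BAD_EXPR):
        print("bad: ", p)
```

Run against the faulty expression, the checker reports that the severity, regexp, eventid and mode parameters of the first reference have all shifted, and that the second reference points at a differently spelled template; the same kind of shift is what happens when a comma is lost while pasting a key into the trigger editor.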
2. Monitoring item for account login failures
Monitoring entry Name: Logon audit failure
The monitoring key is filled in as follows:
eventlog[security,,"Failure Audit",,^4625$,,skip]
III. Creating triggers
1. Trigger for successful logins
The expression for the trigger is as follows:
{Template Windows Event log:eventlog[security,,"Success Audit",,^4624$,,skip].nodata(60)}=0 & {Template Windows Event log:eventlog[security,,"Success Audit",,^4624$,,skip].str(ADVAPI)}=0
The expression means: if data has arrived within the last 60 seconds and the latest entry does not contain the string "ADVAPI", the alarm is triggered; if no new data arrives for 60 seconds, the trigger returns to OK. Simply put, the trigger stays in the problem state for at least 60 seconds after a user logs in, and if users keep logging in successfully at intervals shorter than 60 seconds, the trigger remains in the problem state the whole time.
2. Trigger for Account login failure
The expression for the trigger is as follows:
{Template Windows Event log:eventlog[security,,"Failure Audit",,^4625$,,skip].nodata(60)}=0 & {Template Windows Event log:eventlog[security,,"Failure Audit",,^4625$,,skip].str(ADVAPI)}=0
The expression means: if data has arrived within the last 60 seconds and the latest entry does not contain the string "ADVAPI", the alarm is triggered; if no new data arrives for 60 seconds, the trigger returns to OK.
If someone keeps trying to brute-force the login password, you will see that the trigger's problem state persists.
This completes the monitoring items and triggers. The template is in the attachment; after downloading, the file is named Template Windows Event log.xml.
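The two trigger expressions above combine nodata(60) with str(ADVAPI) on the latest value, and the "at least 60 seconds, longer while logins keep coming" behaviour follows from how those two functions are evaluated. The following is an added example, not code from the post or from Zabbix: it models that evaluation over a constructed stream of Log item values and computes the trigger state at several points in time, so the problem/OK timeline described above can be seen directly. The event texts, timestamps and evaluation times are constructed for the demonstration and are not real Security log content; note that Zabbix str() matches case-sensitively, so the needle must be spelled exactly as it appears in the collected event text.

```python
from dataclasses import dataclass

NODATA_SEC = 60       # the window used by nodata(60) in the trigger
NEEDLE = "ADVAPI"     # the substring excluded by str(ADVAPI)=0


@dataclass(frozen=True)
class LogValue:
    ts: int      # collection time in seconds, relative to an arbitrary origin (constructed)
    text: str    # event text as stored in the Log item (constructed)


def nodata(values, now, sec=NODATA_SEC):
    """1 if the item received no value in the last `sec` seconds, else 0."""
    return 0 if any(now - sec < v.ts <= now for v in values) else 1


def str_last(values, now, needle):
    """1 if the most recent value at or before `now` contains `needle` (case-sensitive), else 0."""
    past = [v for v in values if v.ts <= now]
    if not past:
        return 0
    latest = max(past, key=lambda v: v.ts)
    return 1 if needle in latest.text else 0


def trigger_state(values, now):
    """PROBLEM when nodata(60)=0 & str(ADVAPI)=0 both hold, otherwise OK."""
    if nodata(values, now) == 0 and str_last(values, now, NEEDLE) == 0:
        return "PROBLEM"
    return "OK"


def timeline(values, times):
    """Evaluate the trigger at each point in `times`."""
    return [(t, trigger_state(values, t)) for t in times]


# Constructed values for the "Account Login Successful" item: one local logon
# via ADVAPI (to be ignored), one network logon, then a burst of three logons.
SAMPLE = [
    LogValue(0, "4624 An account was successfully logged on. Logon Process: ADVAPI Account: SYSTEM"),
    LogValue(100, "4624 An account was successfully logged on. Logon Process: NtLmSsp Account: alice Source: 10.0.0.5"),
    LogValue(200, "4624 An account was successfully logged on. Logon Process: NtLmSsp Account: alice Source: 10.0.0.5"),
    LogValue(230, "4624 An account was successfully logged on. Logon Process: NtLmSsp Account: alice Source: 10.0.0.5"),
    LogValue(255, "4624 An account was successfully logged on. Logon Process: NtLmSsp Account: alice Source: 10.0.0.5"),
]

if __name__ == "__main__":
    for t, state in timeline(SAMPLE, [30, 110, 170, 280, 330]):
        print(f"t={t:>3}s  {state}")
```

At t=30 a value exists inside the window but it contains ADVAPI, so the trigger stays OK; at t=110 the network logon fires PROBLEM; by t=170 more than 60 seconds have passed without data and it recovers; the burst at 200, 230 and 255 keeps it in PROBLEM at t=280 and it recovers again at t=330. The failure trigger behaves identically on 4625 values, which is why a sustained password-guessing attempt shows up as a problem state that does not clear.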
Related: Zabbix monitoring of Windows logs for disk bad blocks: http://qicheng0211.blog.51cto.com/3958621/1436344
Related: Zabbix monitoring of Linux logs for abnormal login alarms: http://qicheng0211.blog.51cto.com/3958621/1624155
This article is from the "Start Linux blog" blog; please keep this source link: http://qicheng0211.blog.51cto.com/3958621/1694583