Zabbix 3.0 ships with the item key eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>] for monitoring the Windows event logs (System, Security, Application). This post adds a monitoring item that uses it, as practice.
Here's how to add the monitoring item:
Where:
Name: the name of the monitoring item. It can be anything, but it is best to choose a name that makes the purpose obvious.
Type: the type of the monitoring item; select Zabbix agent (active) here.
Key: the item key. The first parameter, Security, selects the system security log. The second parameter is a regular expression, which is not used here. The third parameter, "Success Audit", means a successful Windows authentication. The fourth parameter, source, means the login source and is not used here; if needed, you can enter a source IP to monitor. The fifth parameter is the event ID; 540 here is the ID on Windows Server 2003, and it may differ on other system versions. The sixth parameter is the maximum number of lines monitored, left empty here. The seventh parameter is the monitoring mode; skip means that earlier data is not collected again.
Type of information: the type of data collected; select Log.
Update interval (in sec): the data collection interval, 30s here.
History storage period (in days): how long historical data is kept, 90 days here.
Log time format: the date and time format, down to minutes and seconds.
New application: creates an application set. An item should preferably belong to an application set, which makes it easier to manage and maintain. The Applications list below it shows the existing application sets; you can choose one of them for the log monitoring item, or create a new one here.
Description: a description of the monitoring item; optional.
Enabled: whether the monitoring item is enabled. It must be checked, otherwise why add it!
Finally, click the Update button and the monitoring item is created.
Next, add the trigger (alarm):
The expression in the Expression field fires the alarm whenever "Administrator" appears in the data collected by the monitoring item. The goal here is to monitor the Administrator account, so Administrator is written; to monitor other accounts, replace it with the corresponding keyword.
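The item and trigger described above, rebuilt as Zabbix 3.0 JSON-RPC request bodies (item.create and trigger.create). This is an added example, not from the original post: using the API instead of the web form is an assumption, and the host name, host ID, item name, trigger name and auth token are constructed placeholders.

```python
import json

def quote_param(value):
    """Quote one item-key parameter when Zabbix key syntax needs it."""
    value = str(value)
    # Unquoted parameters may not contain ',' or ']' or start with '"'.
    # Values with spaces are quoted as well, matching "Success Audit" in the post.
    if value and (value[0] == '"' or any(c in value for c in ",] ")):
        return '"' + value.replace('"', '\\"') + '"'
    return value

def eventlog_key(name, regexp="", severity="", source="", eventid="",
                 maxlines="", mode=""):
    """Build eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>]."""
    params = [name, regexp, severity, source, eventid, maxlines, mode]
    while len(params) > 1 and params[-1] == "":  # trailing empty parameters are optional
        params.pop()
    return "eventlog[" + ",".join(quote_param(p) for p in params) + "]"

def rpc(method, params, auth):
    """Wrap params in a Zabbix 3.0 JSON-RPC request body."""
    return {"jsonrpc": "2.0", "method": method, "params": params,
            "auth": auth, "id": 1}

def item_request(hostid, key, auth):
    # type 7 = Zabbix agent (active), value_type 2 = log;
    # delay is in seconds and history in days, as set in the post.
    return rpc("item.create", {
        "hostid": hostid, "name": "Windows logon success (event 540)",
        "key_": key, "type": 7, "value_type": 2, "delay": 30, "history": 90,
    }, auth)

def trigger_request(host, key, account, auth):
    # str() returns 1 when the latest log value contains the account name.
    expression = "{%s:%s.str(%s)}=1" % (host, key, account)
    return rpc("trigger.create", {
        "description": "%s logged on to {HOST.NAME}" % account,
        "expression": expression,
    }, auth)

# Constructed sample values: host name, host ID and token are placeholders.
KEY = eventlog_key("Security", severity="Success Audit", eventid=540, mode="skip")

if __name__ == "__main__":
    for req in (item_request("10105", KEY, "<auth-token>"),
                trigger_request("win2003-host", KEY, "Administrator", "<auth-token>")):
        print(json.dumps(req, indent=2))
```

The printed bodies can be POSTed to the frontend's api_jsonrpc.php once the placeholders are replaced with a real host and a token from user.login.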
Due to my limited knowledge, if there are errors in the text, please point them out! Thank you!
This article is from the "Learning Notes" blog; please keep this source link: http://xiongy.blog.51cto.com/9675269/1843575
Zabbix 3.0 monitors the Windows system security log to monitor and alert on user logins to Windows