Zabbix monitoring alarm on Windows user login

Source: Internet
Author: User
Tags mstsc

I. Purpose

Objective: use Zabbix to monitor local and MSTSC (Remote Desktop) logons to a Windows Server, so that password leakage, malicious logins and information leakage are caught and the system administrator is notified promptly. Note: this document does not cover distributed Zabbix, tuning, monitoring of other services, or similar topics.

This experiment took me more than a day and quite a few detours. Reprinting is allowed, but please cite the link:

Renzhiyuan.blog.51cto.com

II. Preparatory work:

2.1) Zabbix server installation and configuration (installation details not discussed)

2.2) Configure mail alarms (QQ, SMS and other alarm channels not discussed)

2.3) Modify the alarm template (the default alarm layout is hard to read; not discussed)

2.4) Client installation and configuration of zabbix_agent

2.4.1) Zabbix client: register the agent as a system service (the --install switch performs the registration):

    "D:\zabbix-3.0.5\bin\win64\zabbix_agentd.exe" --config "D:\zabbix-3.0.5\bin\win64\zabbix_agentd.win.conf" --install

2.4.2) Configure zabbix_agent (zabbix_agentd.win.conf):

    LogFile=d:\zabbix-3.0.5\bin\win64\zabbix_agentd.log
    # Zabbix server host
    Server=192.168.1.244
    # ListenPort=10050  (default port)
    # ListenIP=0.0.0.0
    # this machine's own IP
    ListenIP=192.168.1.243
    # The eventlog[] items below are active checks, so ServerActive must point at the
    # Zabbix server (the sample file ships it commented out as ServerActive=127.0.0.1)
    ServerActive=192.168.1.244

The Hostname value in this file must match the host name configured on the Zabbix server, otherwise active checks are not delivered.

2.4.3) Firewall configuration (firewall.cpl): allow inbound TCP port 10050 (the default agent port). Active checks are sent outbound by the agent to the server's port 10051.

2.4.4) Start the zabbix_agent service


2.5) Get to know the Windows security log:


Audit Failure: recorded when someone, possibly maliciously, tries to log on with a wrong user name or password.


III. Server configuration:

3.1) Create a new action:

3.2) Create the monitoring items:

3.2.1) Account logon success item:

New application: Event Log


Name: Successful account logon

Type: Zabbix agent (active)

Key: eventlog[security,,"Success Audit",,^4624$,,skip]

The key follows the format eventlog[name,regexp,severity,source,eventid,maxlines,mode]; parameters 2, 4 and 6 are left empty here.

Parameter 1, security: the name of the event log.

Parameter 3, "Success Audit": the severity of the event.

Parameter 5, ^4624$: a regular expression that matches only entries whose Event ID is exactly 4624.

Parameter 7, skip: do not process the entries that already exist in the log; if skip is omitted, every historical entry matching the conditions above is processed as well.

Type of information: Log

Update interval: 60s

History storage period: 7 days

3.2.2) Account logon failure item:

eventlog[security,,"Failure Audit",,^6281$,,skip]


3.3) Create triggers:

3.3.1) Logon success trigger:

{Template Windows Event log:eventlog[security,,"Success Audit",,^4624$,,skip].nodata(60)}=0 and {Template Windows Event log:eventlog[security,,"Success Audit",,^4624$,,skip].str(ADVAPI)}=0

The expression means: if data was received within the last 60 seconds and the latest value does not contain the string "ADVAPI", the alarm is triggered; if no new data arrives for 60 seconds, the trigger recovers to OK. Put simply, the trigger stays in the problem state for at least 60 seconds after a user logs on, and if successful logons keep arriving less than 60 seconds apart, it remains in the problem state the whole time.

3.3.2) Account logon failure trigger:

{Template Windows Event log:eventlog[security,,"Failure Audit",,^6281$,,skip].nodata(60)}=0 and {Template Windows Event log:eventlog[security,,"Failure Audit",,^6281$,,skip].str(ADVAPI)}=0

The expression means: if data was received within the last 60 seconds and the latest value does not contain the string "ADVAPI", the alarm is triggered; if no new data arrives for 60 seconds, the trigger recovers to OK. If someone keeps trying to crack the logon password, you will see the trigger's problem state persist.
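To make the item filter and the two trigger expressions concrete, here is an added Python simulation (not code from this page or from Zabbix) that runs the eventlog[] filter of section 3.2 and the nodata(60)/str(ADVAPI) logic of section 3.3 over constructed sample records. It assumes Event, eventlog_item and trigger_state as hypothetical names, treats the str() comparison as case-insensitive, and uses 4625, the ID Windows writes for a failed logon, in place of the page's 6281.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    ts: int          # seconds on a constructed clock
    log: str         # event log name, e.g. "Security"
    severity: str    # "Success Audit" or "Failure Audit"
    event_id: int
    message: str     # the text the eventlog[] item would store as the value

# Constructed sample records, not real log data. The ts=0 entry predates the
# agent start (started_at=5 below), so mode "skip" must ignore it.
SAMPLE = [
    Event(0,  "Security", "Success Audit", 4624, "Logon Process: Advapi  Account: SYSTEM"),
    Event(10, "Security", "Failure Audit", 4625, "Logon Process: NtLmSsp  Account: admin"),
    Event(20, "Security", "Success Audit", 4624, "Logon Process: User32  Logon Type: 10  Account: admin"),
    Event(25, "Security", "Success Audit", 4672, "Special privileges assigned to new logon"),
    Event(40, "Security", "Success Audit", 4624, "Logon Process: Advapi  Logon Type: 4  Account: SYSTEM"),
]

def eventlog_item(events, log, severity, eventid_regex, mode="skip", started_at=0):
    """Mimic eventlog[log,,severity,,eventid,,mode]: the values the item would collect."""
    out = []
    for e in events:
        if mode == "skip" and e.ts < started_at:   # skip = ignore pre-existing entries
            continue
        if e.log.lower() == log.lower() and e.severity == severity \
                and re.search(eventid_regex, str(e.event_id)):
            out.append(e)
    return out

def trigger_state(values, now, window=60, exclude="ADVAPI"):
    """The page's trigger: nodata(60)=0 and str(ADVAPI)=0, evaluated at time `now`."""
    seen = [v for v in values if v.ts <= now]
    if not seen or now - seen[-1].ts > window:
        return "OK"          # nodata(60)=1: nothing new in the window, trigger recovers
    # str() inspects only the latest value; matched case-insensitively here (assumption)
    if exclude.lower() in seen[-1].message.lower():
        return "OK"          # service/batch logon via Advapi is deliberately not alarmed
    return "PROBLEM"

if __name__ == "__main__":
    ok = eventlog_item(SAMPLE, "security", "Success Audit", r"^4624$", started_at=5)
    for t in (30, 45, 200):
        print(f"t={t:<3} success trigger: {trigger_state(ok, t)}")
```

Because str() inspects only the latest value, a service logon (Advapi) arriving after an interactive one flips the trigger back to OK at t=45 even though the admin logon at t=20 is still inside the window; this is a limitation of the page's expression worth knowing before relying on it.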


IV. Triggering the alarm:

Log on via MSTSC or at the machine's console, then check the mail:


This article is from the "Never give up! Ningzhiyuan" blog; please contact the author before reprinting!
