
Reading Windows Event Logs

Video Lecture


Description

In this lecture we will create an item that reads Windows event logs and looks for a specific Windows event ID, 4625, also known as 'failed logon'.

The item type is Zabbix Agent (Active)

and the key is

eventlog[Security,,,,4625,,skip]

The type of information is Log

The duration to keep the data and the frequency of checking for the item is up to you.

I then try to log on to my Windows laptop and generate some failed logins.

I then see the failed login events on the Monitoring ⇾ Latest Data page.

It may be useful to set up a trigger for failed logons.

In the video, I create the trigger using the expression logeventid(/Windows Basic/eventlog[Security,,,,4625,,skip])=1 and also enable Allow manual close

Examples

You don't have to read only the Security event log. You can read most things from the Windows Event Viewer. Here are some more examples.

Read Application log for multiple IDs

Reading the Application event log for event IDs 330 or 326 or 105 or 302 or 301 or 102.

eventlog[Application,,,,330|326|105|302|301|102,,skip]

Read Microsoft-Windows-TaskScheduler/Maintenance log for ID 800

In Event Viewer, nested folders are traversed using the hyphen (-) symbol.

eventlog[Microsoft-Windows-TaskScheduler/Maintenance,,,,800,,skip]

Catch all Event IDs in a folder

No event ID is specified in this key, so every event in this log will be recorded in Zabbix.

eventlog[Microsoft-Windows-Windows Firewall With Advanced Security/Firewall,,,,,,skip]
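The keys above all use the same shape, eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>], where an empty parameter matches everything and the event ID parameter is a regular expression (which is why 330|326|105 works). The following Python script is an added example, not code from the course or from Zabbix: it parses each key from this page and applies its filters to a small set of constructed sample events so you can see which events each key would collect. It assumes a plain comma split (quoted key parameters are not handled) and an unanchored regex match for the event ID, which is why it also shows that a pattern like 625 matches 4625 and that ^4625$ is the safer spelling.

```python
import re
from dataclasses import dataclass

# Parameter order of the Zabbix agent key:
# eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>]
@dataclass(frozen=True)
class EventlogKey:
    name: str
    regexp: str = ""      # regex against the event description
    severity: str = ""    # regex against the severity/level
    source: str = ""      # regex against the event source
    eventid: str = ""     # regex against the event ID
    maxlines: str = ""    # lines per agent check (left as text here)
    mode: str = "all"     # "all" or "skip" (skip = ignore events that pre-date the item)


def parse_eventlog_key(key: str) -> EventlogKey:
    """Split an eventlog[...] key into its seven positional parameters.

    Simplification (assumption): parameters are split on commas only;
    Zabbix's quoted-parameter syntax is not supported by this parser.
    """
    m = re.fullmatch(r"eventlog\[(.*)\]", key.strip())
    if not m:
        raise ValueError(f"not an eventlog[] key: {key!r}")
    params = m.group(1).split(",")
    if len(params) > 7:
        raise ValueError("eventlog[] takes at most 7 parameters")
    params += [""] * (7 - len(params))          # missing trailing params are empty
    name, regexp, severity, source, eventid, maxlines, mode = (p.strip() for p in params)
    if not name:
        raise ValueError("the event log name is required")
    mode = mode or "all"
    if mode not in ("all", "skip"):
        raise ValueError(f"mode must be 'all' or 'skip', got {mode!r}")
    return EventlogKey(name, regexp, severity, source, eventid, maxlines, mode)


def _matches(pattern: str, value: str) -> bool:
    # Empty parameter = no filter. Assumed unanchored search, so anchor
    # patterns (^4625$) when you need an exact event ID.
    return pattern == "" or re.search(pattern, value) is not None


def select_events(key: EventlogKey, events: list[dict]) -> list[dict]:
    """Return the events that the key's log name and regex filters would accept."""
    return [
        e for e in events
        if e["log"] == key.name
        and _matches(key.regexp, e["message"])
        and _matches(key.severity, e["severity"])
        and _matches(key.source, e["source"])
        and _matches(key.eventid, str(e["eventid"]))
    ]


# Constructed sample events; IDs follow the page, the other fields are illustrative.
SAMPLE_EVENTS = [
    {"log": "Security", "eventid": 4625, "severity": "Audit Failure",
     "source": "Microsoft-Windows-Security-Auditing", "message": "An account failed to log on."},
    {"log": "Security", "eventid": 4624, "severity": "Audit Success",
     "source": "Microsoft-Windows-Security-Auditing", "message": "An account was successfully logged on."},
    {"log": "Application", "eventid": 1000, "severity": "Error",
     "source": "Application Error", "message": "Faulting application name: example.exe"},
    {"log": "Application", "eventid": 326, "severity": "Information",
     "source": "ESENT", "message": "The database engine attached a database."},
    {"log": "Microsoft-Windows-TaskScheduler/Maintenance", "eventid": 800, "severity": "Information",
     "source": "TaskScheduler", "message": "Maintenance task started."},
    {"log": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", "eventid": 2004,
     "severity": "Information", "source": "Windows Firewall", "message": "A rule has been added."},
    {"log": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", "eventid": 2006,
     "severity": "Information", "source": "Windows Firewall", "message": "A rule has been deleted."},
]

# The keys from this page.
PAGE_KEYS = [
    "eventlog[Security,,,,4625,,skip]",
    "eventlog[Application,,,,330|326|105|302|301|102,,skip]",
    "eventlog[Microsoft-Windows-TaskScheduler/Maintenance,,,,800,,skip]",
    "eventlog[Microsoft-Windows-Windows Firewall With Advanced Security/Firewall,,,,,,skip]",
]


def match_counts(keys: list[str] = PAGE_KEYS, events: list[dict] = SAMPLE_EVENTS) -> dict[str, int]:
    """Map each key to the number of sample events it would collect."""
    return {k: len(select_events(parse_eventlog_key(k), events)) for k in keys}


if __name__ == "__main__":
    for key, n in match_counts().items():
        print(f"{n} event(s) <- {key}")
    # Unanchored caveat: "625" also picks up the 4625 event.
    print(len(select_events(parse_eventlog_key("eventlog[Security,,,,625,,skip]"), SAMPLE_EVENTS)))
```

Run the script to see one event for each of the first three keys and two for the catch-all Firewall key; the final line shows the partial-match caveat, which is the reason to write ^4625$ rather than 4625 when an exact ID is intended.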

Windows Specific Item Keys

Minimum permission level for Windows agent items
