Parsing windows event logs and generating alarms

Started by Egert143, February 16, 2024, 09:19:15 AM


Egert143

Hello

I am experimenting with logging and alerting on Windows event logs. The logging part works; I would like to get a little example on event 4625 (Failed account log on): how to generate an alarm that contains the user and source IP that tried to log in.

Egert

Filipp Sudanov

As I remember, this information might be present in the parameters of that event. If you open the Event Log in NetXMS, find such an event there and double-click it, a window should open with the event details. Please share it here.

Egert143


Filipp Sudanov

Right, looks like you are using Windows Event Log synchronization.

But how do details of NetXMS event "Win Event - Failed account log on" look in NetXMS event log?

Egert143

I added an image showing how the event log displays it.


Also I am thinking it needs to be parsed similarly to syslog, but since Windows event logs are so big, surely there is a better way than to include the entire log in one line and add "(.)" where the required info is.


Filipp Sudanov

In your screenshot it's the Event Monitor (which is updated in real time). If you find this event in the Event Log and double-click on it, you should have something like this:



Egert143

Under Logs -> Events I found the event, but it's missing a lot of info:


Filipp Sudanov

In my example the event was generated by the Event Log Parser on the agent, by adding a Log Parser Policy. In the case of Win Event Sync there's less information available.

Egert143

Could I get a little demo of how to achieve the same alerting with a Log Parser policy? :)

Filipp Sudanov

Sure, here are a couple of screenshots. The first is the log parser policy; the file name is *Security, which means that it's reading the Security Windows event log. It's picking only records with ID = 4624. The matching regular expression is .*; we can also use capture groups here. At maximum we can just put (.*), but this will pick the whole multi-line event description. Capture groups, if any, will also go as NetXMS event parameters.

On the second screenshot we have the event template. The Message field describes which event parameters we use to compose the message - it's better to use parameter names instead of %1, %2, as the number of parameters may change, e.g. if we add a new capture group, but the names will stay the same.

Remember that you need to apply the template to a node for this to start working.
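As an added example (not from this thread or from NetXMS itself), the capture-group idea applied to the 4625 event asked about at the top of the thread: a single regular expression pulls the failing account and the source address out of a constructed 4625 description, and the alarm text is built from those two parameters only, instead of echoing the whole multi-line record. The sample event text and the alarm wording are constructed; in NetXMS the expression would sit in the log parser rule and the groups would arrive as event parameters, as described above.

```python
import re

# Constructed sample: a Windows Security event 4625 description with made-up values.
SAMPLE_4625 = """An account failed to log on.

Subject:
\tSecurity ID:\t\tS-1-5-18
\tAccount Name:\t\tSRV01$
\tAccount Domain:\t\tEXAMPLE

Account For Which Logon Failed:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tEXAMPLE

Failure Information:
\tFailure Reason:\t\tUnknown user name or bad password.
\tStatus:\t\t\t0xC000006D

Network Information:
\tWorkstation Name:\tWS01
\tSource Network Address:\t10.0.0.5
\tSource Port:\t\t49152
"""

# One expression with two capture groups. The first "Account Name:" in the
# event belongs to the Subject (here a machine account), so the group is
# anchored to the "Account For Which Logon Failed:" section; the non-greedy
# .*? with DOTALL lets the match span the multi-line description.
FAILED_LOGON_RE = re.compile(
    r"Account For Which Logon Failed:.*?Account Name:\s*(\S+)"
    r".*?Source Network Address:\s*(\S+)",
    re.DOTALL,
)

def extract_failed_logon(description):
    """Return (account, source_ip), or None when the record does not match
    (truncated or differently formatted text) instead of raising an alarm."""
    m = FAILED_LOGON_RE.search(description)
    return (m.group(1), m.group(2)) if m else None

def compose_alarm(description):
    """Build the alarm text from the captured parameters only, the way an
    event template message would, so the whole description is never echoed."""
    params = extract_failed_logon(description)
    if params is None:
        return None
    return "Failed logon for account %s from %s" % params

print(compose_alarm(SAMPLE_4625))
```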

Egert143

Do I still need to update the agent conf file as well? Currently I don't see any events after doing just the above steps.

Filipp Sudanov