NetXMS Support Forum

English Support => General Support => Topic started by: Egert143 on February 16, 2024, 09:19:15 AM

Title: Parsing windows event logs and generating alarms
Post by: Egert143 on February 16, 2024, 09:19:15 AM
Hello

I am experimenting with logging and alerting on Windows event logs. The logging part works; I would like to get a little example on event 4625 (Failed account log on): how to generate an alarm that contains the user and source IP that tried to log in.

Egert
Title: Re: Parsing windows event logs and generating alarms
Post by: Filipp Sudanov on February 16, 2024, 12:18:52 PM
As I remember, this information might be present in the parameters of that event. If you open Event Log in NetXMS, find such an event there and double-click it, a window should open with the event details. Please share it here.
Title: Re: Parsing windows event logs and generating alarms
Post by: Egert143 on February 16, 2024, 12:39:05 PM
So far I have the following:

(https://i.postimg.cc/XBShgBfb/1.png) (https://postimg.cc/XBShgBfb)

(https://i.postimg.cc/BXCyx6tr/2.png) (https://postimg.cc/BXCyx6tr)

(https://i.postimg.cc/VJLh48Cd/3.png) (https://postimg.cc/VJLh48Cd)

(https://i.postimg.cc/PvW7Vfy8/4.png) (https://postimg.cc/PvW7Vfy8)

(https://i.postimg.cc/xqMB1gQT/5.png) (https://postimg.cc/xqMB1gQT)

(https://i.postimg.cc/VdwprMs9/6.png) (https://postimg.cc/VdwprMs9)
Title: Re: Parsing windows event logs and generating alarms
Post by: Filipp Sudanov on February 16, 2024, 08:49:20 PM
Right, looks like you are using Windows Event Log synchronization.

But how do details of NetXMS event "Win Event - Failed account log on" look in NetXMS event log?
Title: Re: Parsing windows event logs and generating alarms
Post by: Egert143 on February 19, 2024, 09:23:03 AM
I added an image of how the event log displays it.
(https://i.postimg.cc/rD38FJcG/7.png) (https://postimg.cc/rD38FJcG)

Also, I am thinking it needs to be parsed similarly to syslog, but since Windows event logs are so big, surely there is a better way than to include the entire log in one line and add "(.)" where the required info is.

(https://i.postimg.cc/yJR7JZYM/8.png) (https://postimg.cc/yJR7JZYM)
Title: Re: Parsing windows event logs and generating alarms
Post by: Filipp Sudanov on March 07, 2024, 12:15:42 PM
On your screenshot it's the Event Monitor (which is updated in real time). If you find this event in Event Log and double-click on it, you should have something like this:

Title: Re: Parsing windows event logs and generating alarms
Post by: Egert143 on March 07, 2024, 12:39:02 PM
Under Logs -> Events I found the event, but it's missing a lot of info:

(https://i.postimg.cc/dZ8TJ4GQ/event.png) (https://postimg.cc/dZ8TJ4GQ)
Title: Re: Parsing windows event logs and generating alarms
Post by: Filipp Sudanov on March 07, 2024, 12:52:32 PM
In my example the event was generated by the Event Log Parser on the agent, by adding a Log Parser Policy. In the case of Win Event Sync there's less information available.
Title: Re: Parsing windows event logs and generating alarms
Post by: Egert143 on March 08, 2024, 01:10:04 PM
Could I get a little demo of how to achieve the same alerting with a Log Parser Policy? :)
Title: Re: Parsing windows event logs and generating alarms
Post by: Filipp Sudanov on March 08, 2024, 05:14:24 PM
Sure, here's a couple of screenshots. The first is the log parser policy; the file name is *Security, which means that it's reading the Security Windows event log. It's picking only records with ID = 4624. The matching regular expression is .*; we can also use capture groups here. At maximum we can just put (.*), but this will pick the whole multi-line event description. Capture groups, if any, will also go as NetXMS event parameters.

On the second screenshot we have the event template. The Message field describes which event parameters we use to compose the message. It's better to use parameter names instead of %1, %2, as the number of parameters may change (e.g. if we add a new capture group), but the names will stay the same.

Remember that you need to apply the template to a node for this to start working.
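The post above explains the mechanism (a log parser rule's regular expression runs over the multi-line event description, and its capture groups become event parameters that the template message refers to by name). The script below is an added, stand-alone illustration of that idea in Python; it is not NetXMS code and not a NetXMS policy file. The event 4625 text is constructed for this example (the user, domain and address are made up), the regular expression is one I wrote for it, and the `%<name>` placeholder form in `render_message` is assumed as a stand-in for whatever named-parameter syntax the event template uses. The point it makes that the thread does not spell out: a 4625 description carries two "Account Name:" lines (the Subject and the account that failed), so a capture group must be anchored on the section label to pick the right one, and a bare `(.*)` hands the whole description over as a single parameter.

```python
import re
from typing import Optional

# Constructed sample of the multi-line description of Windows Security
# event 4625 ("An account failed to log on"). All values are made up.
SAMPLE_4625 = """An account failed to log on.

Subject:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\t-
\tAccount Domain:\t\t-
\tLogon ID:\t\t0x0

Logon Type:\t\t\t3

Account For Which Logon Failed:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\tbackup_admin
\tAccount Domain:\t\tCORP

Failure Information:
\tFailure Reason:\t\tUnknown user name or bad password.
\tStatus:\t\t\t0xC000006D
\tSub Status:\t\t0xC000006A

Network Information:
\tWorkstation Name:\tWS01
\tSource Network Address:\t192.0.2.77
\tSource Port:\t\t51234
"""

# Named capture groups anchored on the section label, so the second
# "Account Name:" (the account that failed, not the Subject) is captured.
# re.DOTALL lets the lazy .*? cross the line breaks of the description.
LOGON_FAILURE_RE = re.compile(
    r"Account For Which Logon Failed:.*?"
    r"Account Name:\s*(?P<user>\S+).*?"
    r"Account Domain:\s*(?P<domain>\S+).*?"
    r"Source Network Address:\s*(?P<src_ip>\S+)",
    re.DOTALL,
)


def extract_logon_failure(description: str) -> Optional[dict]:
    """Return the captured parameters for a 4625 description, or None when
    the text lacks the expected sections (so no alarm is raised on junk)."""
    m = LOGON_FAILURE_RE.search(description)
    return m.groupdict() if m else None


def whole_description_as_one_param(description: str) -> str:
    """What the catch-all (.*) from the post yields: the entire text."""
    return re.match(r"(.*)", description, re.DOTALL).group(1)


def render_message(template: str, params: dict) -> str:
    """Expand %<name> placeholders (assumed syntax) from named parameters.
    Unknown names expand to an empty string, so adding or reordering
    capture groups does not break an existing template."""
    return re.sub(r"%<(\w+)>", lambda mm: params.get(mm.group(1), ""), template)


# Example template in the spirit of "use parameter names instead of %1, %2".
TEMPLATE = "Failed logon for %<domain>\\%<user> from %<src_ip>"

if __name__ == "__main__":
    params = extract_logon_failure(SAMPLE_4625)
    print(params)
    print(render_message(TEMPLATE, params))
    print(len(whole_description_as_one_param(SAMPLE_4625)), "chars in the (.*) parameter")
```

For a logon attempt that is local to the machine, Windows fills "Source Network Address" with "-"; the `\S+` group still captures it, so the template renders rather than the rule silently failing to match.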
Title: Re: Parsing windows event logs and generating alarms
Post by: Egert143 on March 18, 2024, 09:02:21 AM
Do I still need to update the agent config file as well? Currently I don't see any events after doing just the above steps.
Title: Re: Parsing windows event logs and generating alarms
Post by: Filipp Sudanov on March 18, 2024, 09:54:05 AM
SubAgent = logwatch

is needed in the agent config.