Create Event from User Session

Started by Spheron, July 19, 2024, 12:21:12 PM

Spheron


Hello @all,

I want to create an event from every user session (shown in the NetXMS register "User Sessions") so that I get every user logon/logoff in the NetXMS event log from every node.

Is there a way to get this information into the NetXMS event log?

I would appreciate any help/tips.

Greetings
Marco

Tatjana Dubrovica

If we are talking about Windows servers, then I would advise using Windows Event Log monitoring: https://www.netxms.org/documentation/adminguide/windows-event-log-synchronization.html
Agent config should contain something like:
SubAgent=wineventsync.nsm

[WinEventSync]
EventLog=Security
[WinEventSync/Security]
IncludeEvent=4624-4625
IncludeEvent=4634
IncludeEvent=4779

You will be able to see login and logout operations in the Windows Event Log of this node. When that is done, you should add rules that create events on login and logout Windows events in Configuration->Windows Events Log parser.

Spheron


Hi Tatjana,

thanks for your post.

I've tried this and it works so far... Now I'd like to migrate my previous config for getting the Windows Event Log to the wineventsync.nsm subagent.

Therefore I created the following config:

SubAgent=wineventsync.nsm

[WinEventSync]
EventLog=Application
EventLog=Security
EventLog=System

[WinEventSync/Security]
IncludeEvent=4624
IncludeEvent=4634
IncludeEvent=4647
ExcludeEvent=0-65535

[WinEventSync/System]
SeverityFilter = Error,Critical

[WinEventSync/Application]
SeverityFilter = Error,Critical


All of it works, except the SeverityFilter of the System event log. I tested this with

eventcreate /T ERROR /ID 1000 /L SYSTEM /D "TestError"

but I don't see any entries in the NetXMS Windows Events...

If I do the same with the Application log

eventcreate /T ERROR /ID 1000 /L APPLICATION /D "TestError"

the Windows event entry in the NetXMS Windows Events is created...

Is there a wrong entry in my config (please see above...)?

Greetings
Marco

Filipp Sudanov

Historically there are two approaches to the Windows Event Log: Log Synchronization, mentioned by Tatjana, and Log File Monitoring. The first has the benefit that the whole text of the events is stored on the server. The second approach does not require modifying the agent configuration file: the configuration is uploaded via a policy and the events are generated by the agent. Let me describe it in more detail:

Under "Templates" create a new template. The third tab in the template is "Agent Policies". Create a new "Log Parser" policy and give it some name. In the policy click "Add file" and put
*Security
into the File path field. This means that the Windows Security log will be parsed. Add a new rule. You can filter by Level, ID and Source, as well as by the log entry text (the "Matching regular expression" field; it treats all lines of the entry as one long string).

For testing you can use (.*) as the regex - it will capture the whole message as a parameter of the generated event; if you double-click an entry in the event log, you'll see all the information.

I am not sure about the correct event ID, but it seems that 4624 captures logon events, so regex .* and ID 4624 will capture these events. You need to specify an event in the rule.

Create an event template; this defines which parameters are included in the message field. E.g. the following in the message field:
User %<variable6> was successfully logged on (Event ID: %<eventId>, Severity: %<severity>, Network Address: %<variable19>)
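As an added example (not code from the thread, the posters, or NetXMS itself), the following Python model shows how IncludeEvent/ExcludeEvent ranges like those in Marco's [WinEventSync/Security] section select event IDs, and how a message template like the one Filipp suggests expands %<variableN> against a 4624 record, where EventData parameter 6 is TargetUserName and parameter 19 is IpAddress. The filter precedence (an included ID wins over an exclude range) and the sample records are assumptions, not confirmed by the thread.

```python
import re
# Constructed sample records (not from the thread): event ID, level and the positional
# EventData strings the agent exposes as %<variable1>..%<variableN>. In a 4624 record
# parameter 6 is TargetUserName and parameter 19 is IpAddress, hence the template below.
SAMPLE_EVENTS = [
    {"id": 4624, "severity": "Information", "params": [
        "S-1-5-18", "SYSTEM", "NT AUTHORITY", "0x3e7", "S-1-5-21-1-2-3-1001",
        "alice", "CORP", "0x5a1b2", "10", "User32", "Negotiate", "WS01",
        "{00000000-0000-0000-0000-000000000000}", "-", "-", "0", "0x2a4",
        "C:\\Windows\\System32\\winlogon.exe", "192.0.2.10", "52111"]},
    {"id": 4634, "severity": "Information",
     "params": ["S-1-5-21-1-2-3-1001", "alice", "CORP", "0x5a1b2", "10"]},
    {"id": 1000, "severity": "Error", "params": ["TestError"]},
]
TEMPLATE = ("User %<variable6> was successfully logged on (Event ID: %<eventId>, "
            "Severity: %<severity>, Network Address: %<variable19>)")

def parse_ranges(values):
    """Parse IncludeEvent/ExcludeEvent values such as '4624-4625' or '4634'."""
    ranges = []
    for value in values:
        lo, _, hi = value.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def is_forwarded(event_id, include, exclude):
    """Assumed semantics (not confirmed by the thread): an ID inside an IncludeEvent
    range is forwarded; otherwise it is dropped when an ExcludeEvent range matches.
    Under this model Marco's Security section forwards exactly 4624, 4634 and 4647."""
    hit = lambda ranges: any(lo <= event_id <= hi for lo, hi in ranges)
    return hit(include) or not hit(exclude)

def render(template, event):
    """Expand %<eventId>, %<severity> and %<variableN> as the thread's event template
    does; a %<variableN> beyond the record's parameter count expands to ''."""
    def sub(match):
        name = match.group(1)
        if name == "eventId":
            return str(event["id"])
        if name == "severity":
            return event["severity"]
        if name.startswith("variable") and name[8:].isdigit():
            idx = int(name[8:]) - 1
            return event["params"][idx] if 0 <= idx < len(event["params"]) else ""
        return match.group(0)  # unknown placeholder: leave untouched
    return re.sub(r"%<(\w+)>", sub, template)

if __name__ == "__main__":
    inc, exc = parse_ranges(["4624", "4634", "4647"]), parse_ranges(["0-65535"])
    print([e["id"] for e in SAMPLE_EVENTS if is_forwarded(e["id"], inc, exc)], render(TEMPLATE, SAMPLE_EVENTS[0]))
```

The 4634 record deliberately has fewer parameters than 4624, so rendering the logon template against it yields an empty Network Address rather than a wrong field, which is why a separate template per event ID is the safer choice.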