[Zabbix] Tracking Windows Login Records
- Environment
  - Operating system
    - Windows 2012 R2
  - Zabbix Agent
    - 3.2.x
- Configure the Zabbix Server template for Login History
  - Configuration >> Templates >> Create template
    - Template name: Template OS Windows Login History
    - Groups: Template
    - Add
  - Configuration >> Templates >> Template OS Windows Login History
    - Applications >> Create application
      - Name: Login History
      - Add
    - Items >> Create item 1
      - Name: Login success
      - Type: Zabbix agent (active)
      - Key: eventlog[Security,,"Success Audit",,^4624$,,skip]
      - Type of information: Log
      - Update interval (in sec): 60
      - History storage period (in days): 7
      - Applications: Login History
      - Add
    - Items >> Create item 2
      - Name: Login failure
      - Type: Zabbix agent (active)
      - Key: eventlog[Security,,"Failure Audit",,^4625$,,skip]
      - Type of information: Log
      - Update interval (in sec): 60
      - History storage period (in days): 7
      - Applications: Login History
      - Add
    - Items >> Create item 3
      - Name: Event log cleared (Security)
      - Type: Zabbix agent (active)
      - Key: eventlog[Security,,"Success Audit",,^1102$,,skip]
      - Type of information: Log
      - Update interval (in sec): 60
      - History storage period (in days): 7
      - Applications: Login History
      - Add
    - Triggers >> Create trigger 1
      - Name: Login success on {HOST.NAME}
      - Severity: Information
      - Expression: {Template OS Windows Login History:eventlog[Security,,"Success Audit",,^4624$,,skip].nodata(60)}=0 and {Template OS Windows Login History:eventlog[Security,,"Success Audit",,^4624$,,skip].str(Advapi)}=0
      - Add
    - Triggers >> Create trigger 2
      - Name: Login failure on {HOST.NAME}
      - Severity: High
      - Expression: {Template OS Windows Login History:eventlog[Security,,"Failure Audit",,^4625$,,skip].nodata(60)}=0 and {Template OS Windows Login History:eventlog[Security,,"Failure Audit",,^4625$,,skip].str(Advapi)}=0
      - Add
    - Triggers >> Create trigger 3
      - Name: Event log cleared (Security) on {HOST.NAME}
      - Severity: Information
      - Expression: {Template OS Windows Login History:eventlog[Security,,"Success Audit",,^1102$,,skip].nodata(60)}=0 and {Template OS Windows Login History:eventlog[Security,,"Success Audit",,^1102$,,skip].str(Advapi)}=0
      - Add
  - Apply the template to the corresponding monitored host
    - Configuration >> Templates >> Template OS Windows Login History
      - Hosts / templates
      - Windows-V01
      - Add
- Configure the Zabbix Server template for Login Realtime
  - Configuration >> Templates >> Template OS Windows Login History
    - Applications >> Create application
      - Name: Login Realtime
      - Add
    - Items >> Create item 3
      - Name: Active Sessions
      - Type: Zabbix agent (active)
      - Key: perf_counter["\Terminal Services\Active Sessions"]
      - Type of information: Numeric (unsigned)
      - Data type: Decimal
      - Update interval (in sec): 60
      - History storage period (in days): 7
      - Trend storage period (in days): 30
      - Applications: Login Realtime
      - Add
    - Items >> Create item 4
      - Name: Inactive Sessions
      - Type: Zabbix agent (active)
      - Key: perf_counter["\Terminal Services\Inactive Sessions"]
      - Type of information: Numeric (unsigned)
      - Data type: Decimal
      - Update interval (in sec): 60
      - History storage period (in days): 7
      - Trend storage period (in days): 30
      - Applications: Login Realtime
      - Add
    - Graphs >> Create graph 1
      - Name: Active Sessions
      - Items >> Add >> Template OS Windows Login History: Active Sessions
      - Select
      - Add
    - Graphs >> Create graph 2
      - Name: Inactive Sessions
      - Items >> Add >> Template OS Windows Login History: Inactive Sessions
      - Select
      - Add
- Verify the data
  - Monitoring >> Latest data
    - Hosts >> Windows-V01
    - Application >> Login History
    - Apply
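The item keys and trigger expressions configured above can be reasoned about offline. The following is an added example, not part of the original post and not Zabbix's own code: a simplified Python model of how the `eventlog[...]` key parameters filter events and how `nodata(60)=0 and str(Advapi)=0` then decides whether to alert. The parameter order follows the Zabbix agent item documentation; the matching functions and the sample events are constructed assumptions for illustration.

```python
import re
# Parameter order of the eventlog[] item key (Zabbix agent item documentation).
PARAMS = ("name", "regexp", "severity", "source", "eventid", "maxlines", "mode")

def parse_eventlog_key(key):
    """Split eventlog[...] into named parameters, honouring double-quoted values."""
    body = key[key.index("[") + 1:key.rindex("]")]
    values, cur, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            values.append(cur)
            cur = ""
        else:
            cur += ch
    values.append(cur)
    return dict(zip(PARAMS, values + [""] * (len(PARAMS) - len(values))))

def agent_collects(params, event):
    """Simplified model (assumption): each non-empty filter is a regex on its field."""
    for param, field in (("severity", "severity"), ("eventid", "eventid"), ("regexp", "text")):
        if params[param] and not re.search(params[param], str(event[field])):
            return False
    return True

def trigger_fires(last_value, age_seconds):
    """nodata(60)=0 and str(Advapi)=0: data seen within 60 s and no 'Advapi' in it."""
    return age_seconds < 60 and "Advapi" not in last_value

# Constructed sample events, not real log data.
EVENTS = [
    {"eventid": 4624, "severity": "Success Audit",
     "text": "An account was successfully logged on. Logon Type: 10 Logon Process: User32"},
    {"eventid": 4624, "severity": "Success Audit",
     "text": "An account was successfully logged on. Logon Type: 5 Logon Process: Advapi"},
    {"eventid": 4634, "severity": "Success Audit", "text": "An account was logged off."},
    {"eventid": 4625, "severity": "Failure Audit",
     "text": "An account failed to log on. Logon Type: 3 Logon Process: NtLmSsp"},
]

def alerts(key, events=EVENTS):
    """Indexes of events the item would collect and that would fire the trigger."""
    params = parse_eventlog_key(key)
    return [i for i, e in enumerate(events)
            if agent_collects(params, e) and trigger_fires(e["text"], age_seconds=0)]

if __name__ == "__main__":
    print(alerts('eventlog[Security,,"Success Audit",,^4624$,,skip]'), alerts('eventlog[Security,,"Failure Audit",,^4625$,,skip]'))
```

The second sample event is collected by the item but does not raise the trigger, because its text contains "Advapi"; it still appears under Latest data.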
- References
  - https://blog.51cto.com/qicheng0211/1694583
