Zabbix supports log file monitoring on Windows as well—the topics we discussed in Chapter 11, Advanced Item Monitoring still apply. But on Windows there is also a specialized logging subsystem, and Zabbix does offer built-in event log system support. Windows has various event log categories, and we could monitor the Security event log. Other common logs are System and Application, and there will be more logs in recent versions of Windows. For now, let's head to Configuration | Hosts, click on Items next to Windows host, and click on Create item. Fill in the following:
Name: Windows $1 log
Key: eventlog[Security,,,,,,skip]
Update interval: 1
That's six commas in the item key. When done, click on the Add button at the bottom. The last parameter we specified here, skip, will prevent the agent from reading all of the security log—a pretty good idea for systems that have been around for some time. Visit Monitoring | Latest data and click on History for the Windows Security log item:
A few notable differences, compared to normal log file monitoring, include automatic data population in the LOCAL TIME column, as well as source, severity, and the event ID being stored. Actually, we can filter by some of these already at the agent level; we don't have to send all entries to the server. Let's discuss some of the item key parameters in a bit more detail. The general key syntax is this:
eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>]
The second parameter, regexp, operates the same as in normal log file monitoring—it matches a regular expression against the log entry. The maxlines and mode parameters work the same as they do for the log and logrt item keys. The severity, source, and eventid parameters are specific to the eventlog key, and they are all regular expressions to be matched against the corresponding field. This way, we can filter the event log quite extensively on the agent side, but people make a somewhat common mistake: they forget that these are regular expressions, not exact-match strings. What does that mean? Well, the following item key would match not only events with the ID 13:
eventlog[Security,,,,13]
It would also match events with IDs of 133, 1333, and 913. To match 13, and 13 only, we'd have to anchor the regular expression:
eventlog[Security,,,,^13$]
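To make the anchoring pitfall concrete, here is an added Python example (not from the book and not the Zabbix agent's own code) that splits an eventlog[] item key into its seven parameters and then applies the regexp, severity, source and eventid filters to a handful of constructed event records. It assumes the agent searches each regular expression within the corresponding field and treats an empty parameter as "match everything"; the event records and the Sample-Source name are made up for this illustration.

```python
import re

# Parameter names in the order used by the eventlog[] item key.
EVENTLOG_PARAMS = ("name", "regexp", "severity", "source", "eventid", "maxlines", "mode")


def parse_eventlog_key(key):
    """Split an eventlog[...] item key into its named parameters.

    Empty positions (consecutive commas) become empty strings. Quoted
    parameters are not handled; this is a simplified parser written for
    this example, not the Zabbix agent's own key parser.
    """
    m = re.fullmatch(r"eventlog\[(.*)\]", key.strip())
    if not m:
        raise ValueError("not an eventlog item key: %r" % key)
    parts = [p.strip() for p in m.group(1).split(",")]
    if len(parts) > len(EVENTLOG_PARAMS):
        raise ValueError("too many parameters in %r" % key)
    parts += [""] * (len(EVENTLOG_PARAMS) - len(parts))
    return dict(zip(EVENTLOG_PARAMS, parts))


def event_matches(params, event):
    """Return True if an event record passes every regexp filter in the key.

    Assumption for this example: regexp, severity, source and eventid are
    each searched (not fully matched) against the corresponding field, so
    an unanchored pattern can hit anywhere inside the value, and an empty
    parameter imposes no filter.
    """
    checks = (
        ("regexp", event["message"]),
        ("severity", event["severity"]),
        ("source", event["source"]),
        ("eventid", str(event["eventid"])),
    )
    for name, value in checks:
        pattern = params[name]
        if pattern and not re.search(pattern, value):
            return False
    return True


def matching_event_ids(key, events):
    """Event IDs from `events` that the given item key would let through."""
    params = parse_eventlog_key(key)
    return [e["eventid"] for e in events if event_matches(params, e)]


# Constructed sample events; these are not real Security-log records.
SAMPLE_EVENTS = [
    {"eventid": 13, "severity": "Information", "source": "Sample-Source", "message": "sample event thirteen"},
    {"eventid": 133, "severity": "Warning", "source": "Sample-Source", "message": "sample event 133"},
    {"eventid": 1333, "severity": "Error", "source": "Sample-Source", "message": "sample event 1333"},
    {"eventid": 913, "severity": "Information", "source": "Sample-Source", "message": "sample event 913"},
    {"eventid": 4624, "severity": "Information", "source": "Microsoft-Windows-Security-Auditing",
     "message": "An account was successfully logged on."},
]


if __name__ == "__main__":
    # The unanchored key lets 133, 1333 and 913 through along with 13.
    print("eventid 13    ->", matching_event_ids("eventlog[Security,,,,13]", SAMPLE_EVENTS))
    # The anchored key matches the single intended event ID.
    print("eventid ^13$  ->", matching_event_ids("eventlog[Security,,,,^13$]", SAMPLE_EVENTS))
    # The source parameter is a regular expression too, so a substring works.
    print("source filter ->", matching_event_ids("eventlog[Security,,,Security-Auditing,]", SAMPLE_EVENTS))
```

Running the script prints [13, 133, 1333, 913] for the unanchored key and [13] for the anchored one; the same substring behaviour applies to the source and severity parameters, which is why a source filter such as Security-Auditing already narrows the events to the auditing provider in the sample set. The exact regular expression dialect the agent uses depends on the Zabbix version, so Python's re module is only a stand-in here to illustrate why anchoring matters.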