Hi
We are trying to monitor EventID 4648, which is for user logon, but we are not getting the correct results using check_nrpe. Below are the details, though we do have the events under Security.evtx.
[nagios@lxaxxxxrd003 ~]$ /usr/local/nagios/libexec/check_nrpe -H 172.26.xxx.53 -u -t 100 -c check_eventlog -a file=System "critical=count = 1" "filter=provider = 'Microsoft-Windows-Security-Auditing' and id = 4648"
OK: No entries found|'count'=0;0;1 'problem_count'=0;0;0
4624 events are already available, but it's not working.
https://docs.nsclient.org/reference/win ... kEventLog/ -- we used this method.
EventID monitoring using check_nrpe
Last edited by deek on Wed Dec 18, 2019 7:30 am, edited 1 time in total.
-
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: EventID monitoring using check_nrpe
You are looking in the System log (file=System) instead of the Security log (file=Security).
What do you get with this?
Code:
/usr/local/nagios/libexec/check_nrpe -H 172.26.xxx.53 -u -t 100 -c check_eventlog -a file=Security "critical=count = 1" "filter=provider = 'Microsoft-Windows-Security-Auditing' and id = 4624"
Re: EventID monitoring using check_nrpe
Scott
Thanks, it worked.
Also, we wanted to filter more on this. The screenshot is attached for reference.
We wanted to match event ID 4648 and target server name = localhost, and check only the last 15 minutes.
Because it is trying to capture all the events with ID 4648:
CRITICAL: 268 message(s) Security Microsoft-Windows-Security-Auditing (A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: MSAPPxxxxxx$ Account Domain: LOWES Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: MSAPPxxxx$ Account Domain: LOWES.COM Logon GUID: {E63EDDFD-B9CC-D13D-3E34-EAC9A79A4C39} Target Server: Target Server Name: msappxxx$ Additional Information: msappxxxx$ Process Information: Process ID: 0x19fc Process Name: C:\Windows\System32\taskhost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account
-
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: EventID monitoring using check_nrpe
Based on the NSClient++ filter keywords here, I am guessing you would use computer, but I am not 100% sure as we do not maintain this project.
https://docs.nsclient.org/reference/win ... r-keywords
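An added example, not from this thread and not NSClient++ or Nagios code, that shows the filter deek is asking for applied to constructed sample records: event ID 4648 in the Security log, the target server name read from the message body (the posted output shows "Target Server Name:" inside the message text), and a 15-minute window, with the hit count mapped to a plugin state the way "critical=count = 1" behaved above (268 hits gave CRITICAL, so it acts as at-least-one). The Event class, the sample records and the reference time are all constructed for illustration; whichever NSClient++ keyword (computer, message, or another) ends up carrying the target server name, these are the three conditions the real filter has to express.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Regex for the "Target Server Name:" field as it appears in the 4648 message
# text quoted in the thread; the value runs up to the next whitespace.
TARGET_RE = re.compile(r"Target Server Name:\s*(\S+)")

SECURITY_PROVIDER = "Microsoft-Windows-Security-Auditing"


@dataclass
class Event:
    """One event-log record (constructed stand-in for what NSClient++ reads)."""
    written: datetime   # time the record was written, UTC
    log: str            # which log it sits in: "Security", "System", ...
    provider: str
    id: int
    message: str


def target_server_name(message: str):
    """Pull the Target Server Name value out of a 4648 message body, or None."""
    m = TARGET_RE.search(message)
    return m.group(1) if m else None


def matches(ev: Event, now: datetime, scan_range: timedelta = timedelta(minutes=15)) -> bool:
    """The filter asked for in the thread: Security log, auditing provider,
    id 4648, target server localhost, written within the last scan_range."""
    if ev.log != "Security" or ev.provider != SECURITY_PROVIDER or ev.id != 4648:
        return False
    if now - ev.written > scan_range:
        return False
    return (target_server_name(ev.message) or "").lower() == "localhost"


def nagios_state(count: int, critical_at: int = 1) -> str:
    """'critical=count = 1' in the thread turned 268 hits into CRITICAL, so it
    behaves as an at-least-one threshold; mirror that here."""
    return "CRITICAL" if count >= critical_at else "OK"


def check(events, now: datetime):
    """Return (state, hit count, plugin-style output line with perfdata)."""
    hits = [e for e in events if matches(e, now)]
    state = nagios_state(len(hits))
    return state, len(hits), f"{state}: {len(hits)} message(s)|'count'={len(hits)};0;1"


# Constructed reference time and sample records (not real log data).
NOW = datetime(2019, 12, 18, 7, 30, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # Recent explicit-credential logon aimed at the local machine: should match.
    Event(NOW - timedelta(minutes=3), "Security", SECURITY_PROVIDER, 4648,
          "A logon was attempted using explicit credentials. Subject: Account Name: svc-example$ "
          "Target Server: Target Server Name: localhost Additional Information: localhost "
          "Process Information: Process Name: C:\\Windows\\System32\\taskhost.exe"),
    # Recent 4648, but targeting another host: filtered out by the name check.
    Event(NOW - timedelta(minutes=5), "Security", SECURITY_PROVIDER, 4648,
          "A logon was attempted using explicit credentials. "
          "Target Server: Target Server Name: fileserver01 Additional Information: fileserver01"),
    # 4648 for localhost written two hours ago: outside the 15-minute window.
    Event(NOW - timedelta(hours=2), "Security", SECURITY_PROVIDER, 4648,
          "A logon was attempted using explicit credentials. "
          "Target Server: Target Server Name: localhost Additional Information: localhost"),
    # Ordinary 4624 logon: wrong event id.
    Event(NOW - timedelta(minutes=1), "Security", SECURITY_PROVIDER, 4624,
          "An account was successfully logged on."),
    # Something from the System log, which the original check was reading by mistake.
    Event(NOW - timedelta(minutes=2), "System", "Service Control Manager", 7036,
          "The Windows Update service entered the running state."),
]

if __name__ == "__main__":
    print(check(SAMPLE_EVENTS, NOW)[2])
```

Run stand-alone it prints the one matching record as "CRITICAL: 1 message(s)|'count'=1;0;1"; the name check is the part the NSClient++ filter still has to express, since id and log alone matched all 268 records in the thread.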
Re: EventID monitoring using check_nrpe
Thanks Scott.