
EventID monitoring using check_nrpe

Posted: Wed Dec 18, 2019 6:55 am
by deek
Hi

We are trying to monitor EventID 4648, which is for user logon, but we are not getting the correct results using check_nrpe. Below are the details. We do have the events under Security.evtx.

[nagios@lxaxxxxrd003 ~]$ /usr/local/nagios/libexec/check_nrpe -H 172.26.xxx.53 -u -t 100 -c check_eventlog -a file=System "critical=count = 1" "filter=provider = 'Microsoft-Windows-Security-Auditing' and id = 4648"
OK: No entries found|'count'=0;0;1 'problem_count'=0;0;0

4624 events are already available, but it's not working.
https://docs.nsclient.org/reference/win ... kEventLog/ -- we used this method.

Re: EventID monitoring using check_nrpe

Posted: Wed Dec 18, 2019 7:27 am
by scottwilkerson
You are looking in the System log (file=System) instead of the Security log (file=Security).

What do you get with this?


/usr/local/nagios/libexec/check_nrpe -H 172.26.xxx.53 -u -t 100 -c check_eventlog -a file=Security "critical=count = 1" "filter=provider = 'Microsoft-Windows-Security-Auditing' and id = 4624"

Re: EventID monitoring using check_nrpe

Posted: Wed Dec 18, 2019 8:26 am
by deek
Scott

Thanks, it worked.

Also, we wanted to filter more on this. Screenshot attached for reference.
We wanted to match event id 4648 and targetservername = localhost and check only the last 15 mins,
because at the moment it is capturing all the events with id 4648:

CRITICAL: 268 message(s) Security Microsoft-Windows-Security-Auditing (A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: MSAPPxxxxxx$ Account Domain: LOWES Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: MSAPPxxxx$ Account Domain: LOWES.COM Logon GUID: {E63EDDFD-B9CC-D13D-3E34-EAC9A79A4C39} Target Server: Target Server Name: msappxxx$ Additional Information: msappxxxx$ Process Information: Process ID: 0x19fc Process Name: C:\Windows\System32\taskhost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account

Re: EventID monitoring using check_nrpe

Posted: Wed Dec 18, 2019 8:34 am
by scottwilkerson
Based on the NSClient++ filter keywords here, I am guessing you would use computer but am not 100% sure as we do not maintain this project.
https://docs.nsclient.org/reference/win ... r-keywords
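The narrowed check the thread is asking for, as an added example that is not code from the thread, from Nagios or from NSClient++. The first half builds the check_nrpe argument list with the extra clauses; the second half is a deliberately simplified stand-in for the NSClient++ filter engine, run over constructed sample events, so the effect of each clause (provider, id, target server, time window) can be seen offline. Assumptions: the deployed NSClient++ supports the documented `scan-range` option (a negative value looks back in time) and the `message like '...'` filter clause; the target server is matched as text inside the message body, because that is where "Target Server Name:" appears in the CRITICAL output above (the `computer` keyword names the host that logged the event, not the target of the logon). The host address and the sample events are constructed placeholders.

```python
"""
Added example (not from the forum thread, Nagios or NSClient++).

1. build_check_nrpe_argv(): argv for check_nrpe -> check_eventlog with
   provider + id + 'Target Server Name' in the message, limited to 15 minutes
   via scan-range (assumed supported by the deployed NSClient++).
2. count_matching(): simplified model of that filter, applied to constructed
   sample events so each clause can be checked offline.
"""
import shlex
from datetime import datetime, timedelta, timezone

CHECK_NRPE = "/usr/local/nagios/libexec/check_nrpe"   # path used in the thread
PROVIDER = "Microsoft-Windows-Security-Auditing"


def build_filter(event_id, target_server, provider=PROVIDER):
    """NSClient++ filter expression. 'provider' and 'id' are filter keywords;
    the target server only exists inside the message text, so it is matched
    with a 'message like' substring clause (assumed syntax)."""
    return (f"provider = '{provider}' and id = {event_id} "
            f"and message like 'Target Server Name: {target_server}'")


def build_check_nrpe_argv(host, event_id, target_server, minutes=15, log="Security"):
    """Argument list for check_nrpe; every check_eventlog option is one argv word
    after -a, exactly as in the thread. scan-range=-15m = look back 15 minutes."""
    return [CHECK_NRPE, "-H", host, "-u", "-t", "100", "-c", "check_eventlog",
            "-a", f"file={log}", "critical=count = 1",
            f"filter={build_filter(event_id, target_server)}",
            f"scan-range=-{minutes}m"]


def build_check_nrpe_cmd(host, event_id, target_server, minutes=15, log="Security"):
    """Shell-quoted command line (the filter contains spaces and single quotes)."""
    return shlex.join(build_check_nrpe_argv(host, event_id, target_server, minutes, log))


def event_matches(ev, event_id, target_server, now, minutes, provider=PROVIDER):
    """Simplified model of the filter plus scan-range: 'like' as a substring test,
    scan-range as a cut-off on the 'written' timestamp. Not the real engine."""
    if ev["provider"] != provider or ev["id"] != event_id:
        return False
    if now - ev["written"] > timedelta(minutes=minutes):
        return False
    return f"Target Server Name: {target_server}" in ev["message"]


def count_matching(events, event_id, target_server, now, minutes=15):
    """Equivalent of the 'count' the check reports for the given filter."""
    return sum(1 for ev in events if event_matches(ev, event_id, target_server, now, minutes))


# Constructed reference time and sample events (messages shortened to the
# fields the filter touches; field layout follows the 4648 text in the thread).
NOW = datetime(2019, 12, 18, 8, 26, tzinfo=timezone.utc)


def _ev(minutes_ago, event_id, message, provider=PROVIDER):
    return {"provider": provider, "id": event_id,
            "written": NOW - timedelta(minutes=minutes_ago), "message": message}


SAMPLE_EVENTS = [
    # the taskhost.exe pattern seen in the thread: target is the machine account itself
    _ev(3, 4648, "A logon was attempted using explicit credentials. "
                 "Target Server: Target Server Name: msappxxx$ Additional Information: msappxxx$"),
    # explicit-credential logon aimed at localhost, 5 minutes old: the one we want to count
    _ev(5, 4648, "A logon was attempted using explicit credentials. "
                 "Target Server: Target Server Name: localhost Additional Information: localhost"),
    # same pattern but 40 minutes old: outside scan-range=-15m
    _ev(40, 4648, "A logon was attempted using explicit credentials. "
                  "Target Server: Target Server Name: localhost Additional Information: localhost"),
    # a 4624 inside the window: wrong id
    _ev(2, 4624, "An account was successfully logged on."),
    # a 4648 from a different provider name: wrong provider
    _ev(1, 4648, "Target Server: Target Server Name: localhost",
        provider="Some-Other-Provider"),
]


if __name__ == "__main__":
    print(build_check_nrpe_cmd("192.0.2.10", 4648, "localhost"))   # placeholder host
    print("matches in last 15 min:", count_matching(SAMPLE_EVENTS, 4648, "localhost", NOW))
```

The substring match is the point to keep in mind: `message like 'Target Server Name: localhost'` would also hit a target such as `localhost2`, so if exact matching matters, check the returned messages (or tighten the text) before wiring the check into a notification. The `critical=count = 1` threshold from the thread is kept, so a single matching 4648 in the window turns the check CRITICAL.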

Re: EventID monitoring using check_nrpe

Posted: Wed Dec 18, 2019 10:21 am
by deek
Thanks Scott.