IT Great Falls - How to monitor and automate Windows Event Log tracking in Zabbix 7.0

1. Enable the Zabbix API

1. Users → API tokens
2. Click Create API token.
3. Name: zabbix_api_token
4. User: pick (or create) a service account with API access only.
5. Save and copy the token.
6. Test the endpoint

curl -s -X POST -H 'Content-Type: application/json' \

-d '{"jsonrpc":"2.0","method":"apiinfo.version","params":{},"id":1}' \

https://<ZABBIX_HOST>/zabbix/api_jsonrpc.php

A version response confirms the API is reachable.

2. Creating Items: Host‑Level vs Template‑Level

2.1 Host‑Level Items

1. Go to Data Collection → Hosts, select your Windows host → Items → Create item.
2. Entire Application Log:
3. Name: Windows Application log (full)
4. Type: Zabbix agent (active)
5. Key: eventlog[Application,,,,,,skip]
6. Type of information: Log
7. Interval: 60s → Save.
8. Single Event ID (4625):
9. Key: eventlog[Security,,,,^4625$, ,skip] → Save.
10. Regex‑Filtered Dependent (on the full‑log item):
11. Dependent items → Create dependent item
12. Key: same as parent
13. Preprocessing → Discard if matching regular expression
14. (?im)^((?!IgnoreThisError).)+$

→ Save.

2.2 Template‑Level Items

1. Data Collection → Templates → Create template (or edit existing).
2. Under Items → Create item, use exactly the same keys/settings as above.
3. Under Triggers → Create trigger, use the same expressions (see next section).
4. Link this template to any Windows host in Hosts → Templates.

Pros/Cons

1. Host‑level is quick for one‑offs; template‑level gives consistency and easy mass updates.

3. Crafting Trigger Expressions

All on Data Collection → Hosts → Triggers or Templates → Triggers, no {} or line breaks.

1. Event ID 4625 (5 min window):

eventlog[Security,,,,^4625$, ,skip].logeventid(300)=1 and eventlog[Security,,,,^4625$, ,skip].nodata(300)=0

1. Missing Event 1234 (7 days):

eventlog[Application,,,,^1234$, ,skip].logeventid(7d)=0

1. Exclude “Guest” (5 min, any Security entry without “Account Name: Guest”):

eventlog[Security,,,,,,skip].logregexp(300,"(?is)^(?!.*Account Name:\s*Guest)[\s\S]+$")=1

4. Defining the Inline Acknowledge Script

1. Go to Alerts → Scripts → Create script.
2. Name: acknowledge_event
3. Type: Script | Execute on: Zabbix server | Scope: Action operation
4. Commands: paste your entire script here:

#!/bin/sh

# ─── CONFIGURATION ────────────────────────────────────────────────────────────

ZBX_URL="https://<ZABBIX_HOST>/zabbix/api_jsonrpc.php"

API_TOKEN="YOUR_TOKEN"

# ─────────────────────────────────────────────────────────────────────────────

# Event and host details (macros will be replaced by Zabbix)

EVENT_ID="{EVENT.ID}"

HOSTNAME="{HOST.NAME}"

# Determine the acknowledgement comment

COMMENT="{USER.PARAM1}"

if [ -z "$COMMENT" ] || [ "$COMMENT" = "{USER.PARAM1}" ]; then

COMMENT="Acknowledged event ${EVENT_ID} on host ${HOSTNAME}"

fi

# Escape double quotes in comment to safely include in JSON

COMMENT_ESCAPED=$(echo "$COMMENT" | sed 's/\"/\\\"/g')

# Build the JSON payload for the API request (action 6 = acknowledge + add message)

payload=$(printf \

'{"jsonrpc":"2.0","method":"event.acknowledge","params":{"eventids":["%s"],"action":6,"message":"%s"},"auth":"%s","id":1}' \

"$EVENT_ID" "$COMMENT_ESCAPED" "$API_TOKEN")

# Send the API request to acknowledge the event

RESPONSE=$(curl -s --http1.1 -H 'Content-Type: application/json' --data "$payload" "$ZBX_URL")

echo "DEBUG: API response → $RESPONSE"

# Optionally, check for success in the response and output a confirmation

if echo "$RESPONSE" | grep -q "\"eventids\":"; then

echo ">> Acknowledged event ${EVENT_ID} on ${HOSTNAME}"

else

echo "ERROR: Failed to acknowledge event ${EVENT_ID}. Response: $RESPONSE"

fi

Make sure to change the ZBX_URL and API_TOKEN to match your environment

1. Click Save.

5. Linking the Script in an Action

1. Go to Alerts → Actions → Create action (or edit “Windows Event Log Alerts”).
2. Name: Windows Event Log Alerts
3. Conditions:
4. Trigger name contains “Windows”
5. Trigger severity ≥ Average
6. Operations → Add:
7. Operation: select acknowledge_event
8. Step: 1
9. Save the operation, then Save the action.

6. Verify End‑to‑End

1. Generate a test event on the Windows host:

New-EventLog –LogName Application –Source "TestSource"

Write-EventLog –LogName Application –Source "TestSource" –EntryType Error –EventId 4625 –Message "Test 4625"

1. Check
2. Monitoring → Latest data (host or via template) shows the log entry.
3. Monitoring → Problems shows the trigger firing.
4. Monitoring → Events shows your acknowledge script running and marking the event as acknowledged.

With this, you have a complete, template‑aware Windows Event Log monitoring and auto‑acknowledge solution in Zabbix 7.0.16—everything defined inline under Alerts, with no external files.