IT Great Falls - How to monitor and automate Windows Event Log tracking in Zabbix 7.0
Summary - You’ll learn to: Enable the Zabbix API and generate a token. Create Event Log items (full‑log, single Event ID, regex‑filtered) both at a host level and via reusable templates. Write trigger
1. Enable the Zabbix API
- Users → API tokens
- Click Create API token.
- Name: zabbix_api_token
- User: pick (or create) a service account with API access only.
- Save and copy the token.
- Test the endpoint
curl -s -X POST -H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","method":"apiinfo.version","params":{},"id":1}' \
https://<ZABBIX_HOST>/zabbix/api_jsonrpc.php
A version response confirms the API is reachable.
2. Creating Items: Host‑Level vs Template‑Level
2.1 Host‑Level Items
- Go to Data Collection → Hosts, select your Windows host → Items → Create item.
- Entire Application Log:
- Name: Windows Application log (full)
- Type: Zabbix agent (active)
- Key: eventlog[Application,,,,,,skip]
- Type of information: Log
- Interval: 60s → Save.
- Single Event ID (4625):
- Key: eventlog[Security,,,,^4625$,,skip] → Save. (The positional parameters are name, regexp, severity, source, eventid, maxlines, mode; leave maxlines empty rather than a space.)
- Regex‑Filtered Dependent (on the full‑log item):
- Dependent items → Create dependent item
- Key: any key that is unique on the host, for example eventlog.application.filtered (a dependent item cannot reuse the parent's key; it receives the parent's values)
- Type of information: Log
- Preprocessing → Validation → Matches regular expression, with Custom on fail → Discard value (values that do not match the pattern are dropped):
- (?im)^((?!IgnoreThisError).)+$
→ Save.
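As an added example (not part of the original guide), the following Python snippet splits an eventlog[] key into its seven positional parameters, so a stray space or a value that has slid into the wrong slot is visible at once, and runs the dependent item's pattern over a few constructed log values with the "keep if matching, otherwise discard" semantics used above. The sample values are made up; Zabbix evaluates the pattern with PCRE, and Python's re behaves the same for this expression.

```python
import re

# Positional parameters of the Zabbix agent eventlog[] key, in this order.
EVENTLOG_PARAMS = ("name", "regexp", "severity", "source", "eventid", "maxlines", "mode")


def parse_eventlog_key(key: str) -> dict:
    """Split an eventlog[...] key into named parameters.

    Empty positions come back as "" and are padded to all seven names, so a
    stray space or a value in the wrong slot is easy to spot. Parameters that
    are quoted with "..." and contain commas themselves are not handled here.
    """
    m = re.fullmatch(r"eventlog\[(.*)\]", key)
    if not m:
        raise ValueError(f"not an eventlog key: {key!r}")
    parts = m.group(1).split(",")
    if len(parts) > len(EVENTLOG_PARAMS):
        raise ValueError(f"{len(parts)} parameters in {key!r}, at most {len(EVENTLOG_PARAMS)} allowed")
    parts += [""] * (len(EVENTLOG_PARAMS) - len(parts))
    return dict(zip(EVENTLOG_PARAMS, parts))


# The dependent item's step: "Matches regular expression" with
# "Custom on fail -> Discard value". A value survives only if the pattern matches.
KEEP_PATTERN = re.compile(r"(?im)^((?!IgnoreThisError).)+$")

# Constructed sample values standing in for Application log entries (not real data).
SAMPLE_VALUES = [
    "Faulting application name: foo.exe, version 1.2.3",
    "IgnoreThisError: transient glitch in foo.exe",
    "ignorethiserror in lower case is dropped as well because of the (?i) flag",
    "First line is clean\nIgnoreThisError only appears on the second line",
]


def preprocess(values):
    """Apply the keep-if-matching step and return the surviving values.

    Because the pattern uses (?m), ^ and $ work per line: a multi-line message
    is kept as soon as one of its lines is free of the marker (see the last sample).
    """
    return [v for v in values if KEEP_PATTERN.search(v)]


def demo():
    """Parse the two host-level keys from this section and filter the sample values."""
    keys = [
        "eventlog[Application,,,,,,skip]",
        "eventlog[Security,,,,^4625$,,skip]",
    ]
    return {k: parse_eventlog_key(k) for k in keys}, preprocess(SAMPLE_VALUES)
```

The fourth sample shows the caveat of the (?m) flag: the filter only drops values whose every line contains the marker, so a multi-line event whose second line carries IgnoreThisError is still stored.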
2.2 Template‑Level Items
- Data Collection → Templates → Create template (or edit existing).
- Under Items → Create item, use exactly the same keys/settings as above.
- Under Triggers → Create trigger, use the same expressions (see next section).
- Link this template to any Windows host in Hosts → Templates.
Pros/Cons
- Host‑level is quick for one‑offs; template‑level gives consistency and easy mass updates.
3. Crafting Trigger Expressions
All on Data Collection → Hosts → Triggers or Templates → Triggers. Zabbix 7.0 expressions put the function first, as function(/host/key,parameters): no {} and no line breaks. Replace <HOST> with the host name, or with the template name when the trigger is defined in a template.
- Event ID 4625 (5 min window; the item is already filtered to 4625, so nodata() alone would do, and logeventid() double‑checks the ID):
logeventid(/<HOST>/eventlog[Security,,,,^4625$,,skip],#1,"^4625$")=1 and nodata(/<HOST>/eventlog[Security,,,,^4625$,,skip],300s)=0
- Missing Event 1234 (7 days):
nodata(/<HOST>/eventlog[Application,,,,^1234$,,skip],7d)=1
- Exclude “Guest” (5 min, any Security entry without “Account Name: Guest”; the pattern is written without backslashes so it needs no escaping inside the quoted parameter):
find(/<HOST>/eventlog[Security,,,,,,skip],300s,"regexp","(?is)^(?!.*Account Name:[[:space:]]*Guest).+$")=1
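To see what the three expressions evaluate to, here is an added Python emulation (not Zabbix code) of nodata(), find() with the regexp operator and logeventid() over a constructed history of Log values. Timestamps and messages are made up and only imitate the layout of 4625/4624 events; the Guest pattern is the trigger's pattern spelled with Python's \s for the whitespace class.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LogValue:
    clock: int    # time the agent collected the entry, epoch seconds
    eventid: int  # Windows Event ID
    value: str    # message text stored in the Log item


# Python spelling of the trigger's Guest exclusion: match any entry that does not
# contain "Account Name: <whitespace>Guest" anywhere; (?s) lets .* span lines.
GUEST_FREE = re.compile(r"(?is)^(?!.*Account Name:\s*Guest).+$")


def nodata(history, period, now):
    """nodata(): 1 if no value arrived within the last `period` seconds, else 0."""
    return 0 if any(now - period <= v.clock <= now for v in history) else 1


def find_regexp(history, period, pattern, now):
    """find(...,"regexp",pattern): 1 if any value in the window matches, else 0."""
    window = [v for v in history if now - period <= v.clock <= now]
    return 1 if any(pattern.search(v.value) for v in window) else 0


def logeventid(history, pattern):
    """logeventid(...,#1,pattern): 1 if the latest value's event ID matches, else 0."""
    if not history:
        return 0
    latest = max(history, key=lambda v: v.clock)
    return 1 if re.search(pattern, str(latest.eventid)) else 0


# Constructed history (not captured data).
NOW = 1_700_000_000
SECURITY_4625 = [   # item eventlog[Security,,,,^4625$,,skip]
    LogValue(NOW - 60, 4625,
             "An account failed to log on.\n\tAccount Name:\t\tGuest\n\tFailure Reason:\t\tAccount currently disabled."),
    LogValue(NOW - 120, 4625,
             "An account failed to log on.\n\tAccount Name:\t\tjdoe\n\tFailure Reason:\t\tUnknown user name or bad password."),
]
SECURITY_ALL = SECURITY_4625 + [   # item eventlog[Security,,,,,,skip]
    LogValue(NOW - 900, 4624, "An account was successfully logged on.\n\tAccount Name:\t\tsvc_backup"),
]
APPLICATION_1234 = []   # item eventlog[Application,,,,^1234$,,skip]: nothing collected all week


def trigger_4625(now=NOW):
    """Event ID 4625 (5 min window)."""
    return logeventid(SECURITY_4625, r"^4625$") == 1 and nodata(SECURITY_4625, 300, now) == 0


def trigger_missing_1234(now=NOW):
    """Missing Event 1234 (7 days)."""
    return nodata(APPLICATION_1234, 7 * 24 * 3600, now) == 1


def trigger_non_guest_activity(now=NOW):
    """Exclude Guest: some Security entry in the last 5 minutes is not about Guest."""
    return find_regexp(SECURITY_ALL, 300, GUEST_FREE, now) == 1
```

Shifting `now` forward by a few minutes makes nodata() return 1 and the 4625 trigger clears on its own; that is the "window" behaviour of the first expression.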
4. Defining the Inline Acknowledge Script
- Go to Alerts → Scripts → Create script.
- Name: acknowledge_event
- Type: Script | Execute on: Zabbix server | Scope: Action operation
- Commands: paste your entire script here:
#!/bin/sh
# ─── CONFIGURATION ────────────────────────────────────────────────────────────
ZBX_URL="https://<ZABBIX_HOST>/zabbix/api_jsonrpc.php"
API_TOKEN="YOUR_TOKEN"
# ─────────────────────────────────────────────────────────────────────────────
# Event and host details (macros are expanded by Zabbix before the script runs)
EVENT_ID="{EVENT.ID}"
HOSTNAME="{HOST.NAME}"
# Determine the acknowledgement comment; fall back to a default when the
# parameter is empty or the macro was left unexpanded
COMMENT="{USER.PARAM1}"
if [ -z "$COMMENT" ] || [ "$COMMENT" = "{USER.PARAM1}" ]; then
  COMMENT="Acknowledged event ${EVENT_ID} on host ${HOSTNAME}"
fi
# Escape backslashes first, then double quotes, so the comment cannot break out
# of the JSON string (a comment derived from a log message may contain both)
COMMENT_ESCAPED=$(printf '%s' "$COMMENT" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
# Build the JSON payload for the API request (action 6 = acknowledge + add message).
# Zabbix 7.0 takes the API token as a Bearer header; the "auth" body field is deprecated.
payload=$(printf \
'{"jsonrpc":"2.0","method":"event.acknowledge","params":{"eventids":["%s"],"action":6,"message":"%s"},"id":1}' \
"$EVENT_ID" "$COMMENT_ESCAPED")
# Send the API request to acknowledge the event
RESPONSE=$(curl -s --http1.1 -H 'Content-Type: application/json' \
  -H "Authorization: Bearer ${API_TOKEN}" --data "$payload" "$ZBX_URL")
echo "DEBUG: API response → $RESPONSE"
# A successful call returns {"result":{"eventids":[...]}}; a failure returns an "error" object
if echo "$RESPONSE" | grep -q '"eventids":'; then
  echo ">> Acknowledged event ${EVENT_ID} on ${HOSTNAME}"
else
  echo "ERROR: Failed to acknowledge event ${EVENT_ID}. Response: $RESPONSE"
fi
Change ZBX_URL and API_TOKEN to match your environment.
- Click Save.
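The shell script builds its JSON by pasting the comment into a template, which is exactly where quote-only escaping falls short. The following is an added Python example (not part of the guide) of the same event.acknowledge call built with json.dumps, with the response split into success and error paths and the token sent as a Bearer header. The transport is injectable, so the offline fake_transport below (a constructed response, not a real server) lets the logic run without a Zabbix instance; the URL and token placeholders are the same ones used on this page.

```python
import json
from urllib import request

# action bitmask of event.acknowledge: 2 = acknowledge, 4 = add message (6 = both)
ACTION_ACK_WITH_MESSAGE = 2 | 4


def build_ack_payload(event_id, message, request_id=1):
    """Serialize an event.acknowledge call. json.dumps escapes quotes, backslashes
    and control characters, so the comment cannot change the request's structure."""
    return json.dumps({
        "jsonrpc": "2.0",
        "method": "event.acknowledge",
        "params": {"eventids": [str(event_id)], "action": ACTION_ACK_WITH_MESSAGE, "message": message},
        "id": request_id,
    })


def naive_payload(event_id, message):
    """The quote-only escaping of the shell script, reproduced to show where it
    breaks (newlines and backslashes pass through untouched). Do not use this."""
    escaped = message.replace('"', '\\"')
    return ('{"jsonrpc":"2.0","method":"event.acknowledge","params":{"eventids":["%s"],'
            '"action":6,"message":"%s"},"id":1}' % (event_id, escaped))


def payload_is_valid_json(payload):
    """True if the serialized request parses as JSON at all."""
    try:
        json.loads(payload)
        return True
    except json.JSONDecodeError:
        return False


def decode_payload(payload):
    """Parse a serialized request back into a dict (used to check round-tripping)."""
    return json.loads(payload)


def parse_ack_response(body):
    """Return the acknowledged event IDs, or raise with the API's error detail."""
    resp = json.loads(body)
    if "error" in resp:
        err = resp["error"]
        raise RuntimeError(
            f"Zabbix API error {err.get('code')}: {err.get('message')} {err.get('data', '')}".strip())
    return resp["result"]["eventids"]


def http_post(url, token, payload):
    """Real transport: POST the JSON with the API token as a Bearer header."""
    req = request.Request(url, data=payload.encode(), method="POST",
                          headers={"Content-Type": "application/json",
                                   "Authorization": f"Bearer {token}"})
    with request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def fake_transport(url, token, payload):
    """Offline stand-in that answers like a successful server (constructed response)."""
    sent = json.loads(payload)
    return json.dumps({"jsonrpc": "2.0", "result": {"eventids": sent["params"]["eventids"]},
                       "id": sent["id"]})


def acknowledge_event(url, token, event_id, message, transport=http_post):
    """Acknowledge one event with a comment; returns the list of acknowledged IDs."""
    return parse_ack_response(transport(url, token, build_ack_payload(event_id, message)))
```

A comment such as `Faulting module "foo.dll"` followed by a newline and a Windows path is realistic when the acknowledgement text is taken from the event itself; naive_payload turns it into a request the server rejects, while build_ack_payload round-trips it unchanged.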
5. Linking the Script in an Action
- Go to Alerts → Actions → Create action (or edit “Windows Event Log Alerts”).
- Name: Windows Event Log Alerts
- Conditions:
- Trigger name contains “Windows”
- Trigger severity ≥ Average
- Operations → Add:
- Operation: select acknowledge_event
- Step: 1
- Save the operation, then Save the action.
6. Verify End‑to‑End
- Generate a test event on the Windows host:
# Run from an elevated PowerShell; New-EventLog is needed only once per source
New-EventLog -LogName Application -Source "TestSource"
Write-EventLog -LogName Application -Source "TestSource" -EntryType Error -EventId 4625 -Message "Test 4625"
- Check
- Monitoring → Latest data (host or via template) shows the log entry.
- Monitoring → Problems shows the trigger firing.
- Monitoring → Events shows your acknowledge script running and marking the event as acknowledged.
With this, you have a complete, template‑aware Windows Event Log monitoring and auto‑acknowledge solution in Zabbix 7.0.16—everything defined inline under Alerts, with no external files.