
IT Great Falls - How to monitor and automate Windows Event Log tracking in Zabbix 7.0

Summary - You’ll learn to: Enable the Zabbix API and generate a token. Create Event Log items (full‑log, single Event ID, regex‑filtered) both at a host level and via reusable templates. Write trigger


1. Enable the Zabbix API

The JSON‑RPC API is always on; what this step really creates is a token bound to a least‑privilege user.

  1. Users → API tokens
  2. Click Create API token.
  3. Name: zabbix_api_token
  4. User: pick (or create) a dedicated service account. Give it a user role with "Access to API" enabled and an API method allow list containing only what the script needs (event.acknowledge), read access to the host groups holding your Windows hosts, and the "Acknowledge problems" action. The token inherits exactly that user's permissions, nothing more.
  5. Set an expiry date, click Add and copy the token; it is displayed only once.
  6. Test the endpoint:

curl -s -X POST -H 'Content-Type: application/json-rpc' \
  -d '{"jsonrpc":"2.0","method":"apiinfo.version","params":{},"id":1}' \
  https://<ZABBIX_HOST>/zabbix/api_jsonrpc.php

A version response confirms the API is reachable. apiinfo.version needs no token; to test the token itself, send an authenticated method with the header Authorization: Bearer <token>. The header form has been supported since Zabbix 6.4 and is preferred over the "auth" field in the request body. Use HTTPS only, since the token travels in clear text inside the request.


2. Creating Items: Host‑Level vs Template‑Level

The agent key takes eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>]. Leave unused positions empty (no spaces), and use mode skip so the first poll does not replay the entire existing log.

2.1 Host‑Level Items

  1. Go to Data Collection → Hosts, select your Windows host → Items → Create item.
  2. Entire Application log:
     Name: Windows Application log (full)
     Type: Zabbix agent (active); eventlog is only supported by active checks.
     Key: eventlog[Application,,,,,,skip]
     Type of information: Log
     Update interval: 60s → Save.
  3. Single Event ID (4625, failed logon) from the Security log:
     Key: eventlog[Security,,,,^4625$,,skip] (the eventid position is a regular expression; the maxlines position stays empty) → Save.
  4. Regex‑filtered dependent item (drops lines containing "IgnoreThisError" from the full log):
     Create item → Type: Dependent item → Master item: Windows Application log (full)
     Key: a key of your own, for example eventlog.application.filtered (a dependent item cannot reuse its master's key on the same host)
     Type of information: Log
     Preprocessing → Add: Does not match regular expression, pattern IgnoreThisError, Custom on fail: Discard value.

Save.

2.2 Template‑Level Items

  1. Data Collection → Templates → Create template (or edit an existing one).
  2. Under Items → Create item, use exactly the same keys/settings as above.
  3. Under Triggers → Create trigger, use the same expressions (see next section), referencing the item as /<template name>/<key>; Zabbix resolves it to each linked host.
  4. Link this template to any Windows host in Hosts → Templates.

Pros/Cons

  1. Host‑level is quick for one‑offs; template‑level gives consistency and easy mass updates.


3. Crafting Trigger Expressions

Create these under Data Collection → Hosts → Triggers or Templates → Triggers. Zabbix 7.0 uses the function(/host/key,...) syntax: no {} around the expression, no line breaks, and the item is referenced as /<host or template name>/<item key>. Replace "Windows host" below with the host or template that owns the item and keep the key identical to the item's key. Inside a quoted parameter, backslashes and double quotes must be escaped with a backslash.

  1. Event ID 4625 seen in the last 5 minutes (the item already filters on the event ID, so counting its values is enough; the trigger resolves once 5 minutes pass without a new 4625):

count(/Windows host/eventlog[Security,,,,^4625$,,skip],5m)>0

  2. Event 1234 missing for 7 days (the item's history retention must cover the window):

count(/Windows host/eventlog[Application,,,,^1234$,,skip],7d)=0

  3. Exclude “Guest” (any Security entry in the last 5 minutes whose message does not contain “Account Name: Guest”; the PCRE negative lookahead rejects matching entries, and the count only includes the rest):

count(/Windows host/eventlog[Security,,,,,,skip],5m,"regexp","(?is)^(?!.*Account Name:\\s*Guest)[\\s\\S]+$")>0


4. Defining the Inline Acknowledge Script

  1. Go to Alerts → Scripts → Create script.
  2. Name: acknowledge_event
  3. Type: Script | Execute on: Zabbix server | Scope: Action operation
  4. Commands: paste the entire script below. Zabbix substitutes the {MACRO} placeholders into the script text before /bin/sh runs it, so only rely on macros whose values you control: {EVENT.ID} is always numeric, while {HOST.NAME} is free text supplied by the agent at autoregistration and a crafted host name can break out of the quoting and run commands on the Zabbix server. Keep free‑text macros out of anything the shell evaluates.

#!/bin/sh
# ─── CONFIGURATION ────────────────────────────────────────────────────────────
ZBX_URL="https://<ZABBIX_HOST>/zabbix/api_jsonrpc.php"
API_TOKEN="YOUR_TOKEN"   # token of the least-privilege API user from step 1
# ─────────────────────────────────────────────────────────────────────────────

# Event and host details; Zabbix replaces these macros before the script runs
EVENT_ID="{EVENT.ID}"
HOSTNAME="{HOST.NAME}"

# Stop if the event ID did not resolve to a number (e.g. wrong script scope)
case "$EVENT_ID" in
  ''|*[!0-9]*) echo "ERROR: unexpected event id '$EVENT_ID'"; exit 1 ;;
esac

# Acknowledgement comment. Zabbix has no {USER.PARAM1} macro; edit the text here.
COMMENT="Acknowledged event ${EVENT_ID} on host ${HOSTNAME}"

# Escape backslashes and double quotes so the comment is a valid JSON string
COMMENT_ESCAPED=$(printf '%s' "$COMMENT" | sed 's/\\/\\\\/g; s/"/\\"/g')

# JSON-RPC payload (action 6 = acknowledge (2) + add message (4)).
# The token is sent in the Authorization header, not in the request body.
payload=$(printf \
  '{"jsonrpc":"2.0","method":"event.acknowledge","params":{"eventids":["%s"],"action":6,"message":"%s"},"id":1}' \
  "$EVENT_ID" "$COMMENT_ESCAPED")

# Send the API request to acknowledge the event
RESPONSE=$(curl -s --http1.1 -H 'Content-Type: application/json-rpc' \
  -H "Authorization: Bearer $API_TOKEN" --data "$payload" "$ZBX_URL")

echo "DEBUG: API response → $RESPONSE"

# A successful reply carries a "result" member; a failure carries "error"
if printf '%s' "$RESPONSE" | grep -q '"result"' && ! printf '%s' "$RESPONSE" | grep -q '"error"'; then
  echo ">> Acknowledged event ${EVENT_ID} on ${HOSTNAME}"
else
  echo "ERROR: Failed to acknowledge event ${EVENT_ID}. Response: $RESPONSE"
  exit 1
fi

Change ZBX_URL and API_TOKEN to match your environment. The token sits in clear text in the script body, so restrict who can view or edit Alerts → Scripts and prefer a token whose user can call nothing but event.acknowledge.

  5. Click Save.
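The following is an added example and not code from the original post. It packages the API‑call pattern from section 1 and the acknowledge payload from section 4 into helper functions that can be exercised offline: json_escape also handles tabs, carriage returns and newlines, which Windows event messages contain and which the single sed in the inline script does not cover; api_result_ok distinguishes a "result" reply from an "error" reply instead of grepping for eventids; and zbx_post feeds the Bearer header to curl as a config fragment on stdin so the token never appears on a command line. The URL, the token placeholder, the event ID 4711 and the sample comment are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example for sections 1 and 4 (not the original post's script).
# ZBX_URL and ZBX_TOKEN are placeholders; export real values before use.
ZBX_URL="${ZBX_URL:-https://zabbix.example.invalid/zabbix/api_jsonrpc.php}"
ZBX_TOKEN="${ZBX_TOKEN:-REPLACE_ME}"

# json_escape STRING -> STRING escaped for use inside a JSON string literal.
# Handles backslash, double quote, tab, carriage return and newline, in that
# order, so the backslashes introduced by later steps are not doubled again.
json_escape() {
    tab=$(printf '\t'); cr=$(printf '\r')
    printf '%s' "$1" \
        | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
              -e "s/$tab/\\\\t/g" -e "s/$cr/\\\\r/g" \
        | sed -e ':a' -e '$!{N;ba' -e '}' -e 's/\n/\\n/g'
}

# build_ack_payload EVENT_ID MESSAGE -> JSON-RPC request for event.acknowledge.
# action 6 = acknowledge (2) + add message (4). The token is not in the body;
# it goes in the Authorization header (see zbx_post). A non-numeric ID is
# rejected, which is what an unresolved {EVENT.ID} macro would look like.
build_ack_payload() {
    case "$1" in
        ''|*[!0-9]*) echo "build_ack_payload: bad event id '$1'" >&2; return 1 ;;
    esac
    printf '{"jsonrpc":"2.0","method":"event.acknowledge","params":{"eventids":["%s"],"action":6,"message":"%s"},"id":1}' \
        "$1" "$(json_escape "$2")"
}

# api_result_ok RESPONSE -> 0 if the reply has a "result" and no "error" member.
# A JSON-RPC reply from Zabbix carries exactly one of the two at top level.
api_result_ok() {
    printf '%s' "$1" | grep -q '"error"' && return 1
    printf '%s' "$1" | grep -q '"result"'
}

# zbx_post PAYLOAD -> raw response body. The Bearer header is handed to curl
# as a config fragment on stdin (-K -), so the token is not visible in `ps`.
# Needs network access; not exercised offline.
zbx_post() {
    printf 'header = "Authorization: Bearer %s"\n' "$ZBX_TOKEN" \
        | curl -sS -K - -H 'Content-Type: application/json-rpc' \
               --data "$1" "$ZBX_URL"
}

# ack_event EVENT_ID MESSAGE -> acknowledges the event; exit status reflects it.
ack_event() {
    payload=$(build_ack_payload "$1" "$2") || return 1
    response=$(zbx_post "$payload") || return 1
    if api_result_ok "$response"; then
        echo "acknowledged event $1"
    else
        echo "event.acknowledge failed: $response" >&2
        return 1
    fi
}

# Offline demonstration with a constructed comment carrying the characters a
# Windows 4625 message typically contains (quotes, CRLF, tabs).
demo_comment=$(printf 'Failed logon on "WIN-01"\r\n\tAccount Name:\t\tGuest')
echo "Request that would be sent for event 4711:"
build_ack_payload 4711 "$demo_comment"
echo
```

To use it from an action operation, keep only the numeric {EVENT.ID} macro in the call (ack_event "{EVENT.ID}" "auto-acknowledged") and source ZBX_TOKEN from a root‑only file on the Zabbix server rather than pasting it into the script body.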


5. Linking the Script in an Action

  1. Go to Alerts → Actions → Trigger actions → Create action (or edit “Windows Event Log Alerts”).
  2. Name: Windows Event Log Alerts
  3. Conditions:
     Trigger name contains “Windows”
     Trigger severity is greater than or equals Average
  4. Operations → Add:
     Operation: acknowledge_event
     Target list: Current host (a target is required even though the script executes on the Zabbix server)
     Step: 1
  5. Save the operation, then Save the action.

Keep the conditions narrow. An acknowledgement tells other operators the problem has been seen, and "unacknowledged" filters hide it, so only route the triggers whose events genuinely need no human review through this action.


6. Verify End‑to‑End

  1. Generate a test event on the Windows host from an elevated PowerShell (the source only has to be registered once):

New-EventLog -LogName Application -Source "TestSource"
Write-EventLog -LogName Application -Source "TestSource" -EntryType Information -EventId 1234 -Message "Test 1234"

     This exercises the Application items and the “missing event 1234” trigger, which should clear. Write-EventLog cannot write to the Security log, so the 4625 path needs a genuine failed logon (for example an interactive attempt with a wrong password), and failure auditing for Logon events must be enabled; auditpol /get /subcategory:"Logon" shows the current setting.
  2. Check:
     Monitoring → Latest data (host or via template) shows the log entry.
     Monitoring → Problems shows the trigger firing and, in its Actions column, the acknowledge_event operation; the event details show it acknowledged with your comment.
     Reports → Action log lists the script run and its result, including the DEBUG line if the API call failed.

With this, you have a complete, template‑aware Windows Event Log monitoring and auto‑acknowledge solution in Zabbix 7.0.16—everything defined inline under Alerts, with no external files.


