AD Auditing with raw edition


we are in a transition process to switch from zabbix 5.0.8 to checkmk 2.2.0p4 (raw). I want to audit the security event log on the domain controllers. Especially certain Event IDs like 4720, 4738, 4625 and so on. When an event log has a new entry with event ID 4720 I want a message on the website.

At the moment we don’t have the agent bakery so I’m using the config-files. Can somebody give a hint, how do I solve this case? Do I have to use the context parameter?

Best wishes from germany.

Hi @CRT , welcome to the forum.

Try to read this :

The Event Console - Processing logs and SNMP traps#logwatch



Hi @CRT,

and welcome to the community! :v:

You can use the event console to forward your logs and filter them with event console rule packs or you just use logwatch. Another way is to build something on your own or use this localcheck from the community to get the desired result.

To do the finetuning for the logwatch you can write your own finetune config. Here is the example config:

Hope this helps.



Thank you for your replies.

I got the event console working. The rules for auto-close some event IDs are working properly. But the event IDs I want to monitor aren’t going to work. I can’t see anything in the event console when an user account was changed for example. The corresponding event ID 4738 isn’t visible in event console. In event viewer on the domain controller I can see the entry, but not on checkmk.

In the check_mk.user-file my entry looks like this:

- 'Security': all nocontext

That should be fine in my opionion. The connection to the agent is also working properly.

I keep the power shell script in mind. I think the better way of understanding checkmk is to use the out-of-the-box tools.