Forward informational events from Windows event log

Hi,

I need to monitor AD activities, like if a user account is created, activated and so on.

So I have the agent running which gives me information from event log, and I set up the forwarding to event console.
Problem is, I only get warnings and criticals. But event IDs like 4720, 4722 and so on are only informational.

How can I get those IDs into the event console?

Any idea?

Thanks for any useful hint,
Rene

Hi Rene,

You can configure the Checkmk agent to also fetch informational messages.
In the enterprise and above versions there is a ruleset in the bakery that is called “Finetune Windows EventLog Monitoring”.

There you can add
Event Log - Security - ALL

Then you can forward the messages in the event console with the event console forwarding rule and create corresponding rules for your IDs there.

A good starting point is the article in the KB:
https://checkmk.atlassian.net/wiki/spaces/KB/pages/9473844/Monitoring+Windows+security+log+with+the+CMK+Event+Console+rule+logwatch
