Monitoring specific event id in windows

Hi all,

I want to receive a critical message in check mk when event id 1102 occurs, this is an information event (so not a critical\warning one).
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102

I can’t seem to find a rule to configure this with the built-in logwatch plugin; that covers all errors\warnings and not the case where a specific event ID occurs.
I found multiple topics on this forum but many have no answers or don’t seem to have the same question that I have.

Thanks in advance.

Jeroen.

Hello Jeroen,

Also not so experienced with Windows System Log, but as far as I understand the agent configuration you have to send all to the monitoring server, forward logwatch to event console with the help of the rule “Logwatch Event Console Forwarding” and then do the filtering in event console. Finally the alerting on the host is controlled with rule “Check event state in Event Console”.

logfile:
        # - 'EventLogName': <crit|warn|all|off> + [context|nocontext]
        # - 'Application': crit context # example
        # - 'System': warn nocontext    # another example
        # - 'YourOwn': all nocontext    # yet another example
        # - '*': warn nocontext         # This is default params for not missing entries

So I guess the entry for the logfile sections would be “Security: all context”.

I hope that helps

Michael


Hi Mike,

It took some time but I succeeded with making a local check (powershell script), thanks for the tips.

For anyone else wondering, this is the script where I get a critical error in check mk when the event ID 1102 occurs in the Security log.

# Save this script in C:\ProgramData\checkmk\agent\local
$start = Get-Date                      # start timing the check
$eventid = 1102                        # Security 1102: "The audit log was cleared"
$threshold_warning = 1
$threshold_critical = 1
$hours = 2                             # look back this many hours
$time = [datetime]::Now.AddHours(-$hours)
# Query the Security log for the event ID inside the time window;
# Get-WinEvent reports an error when nothing matches, hence SilentlyContinue
$events = Get-WinEvent -FilterHashtable @{ LogName='Security'; ID=$eventid; StartTime=$time } -ErrorAction SilentlyContinue
$eventcount = ($events | Measure-Object).Count
# Output in Checkmk local check format: "P <service> <metric>=<value>;<warn>;<crit>"
# With warn=1 and crit=1 a single matching event already turns the service CRIT
$output = ""
$output += "<<<local>>>`n"
$valuedescription = "Security_event_log_cleared"
$output += "P $valuedescription ATTEMPTS=$eventcount;$threshold_warning;$threshold_critical"
Write-Output $output
$end = Get-Date
$duration = $end - $start             # run time of the check (not reported)

And the script for the system log;

# Save this script in C:\ProgramData\checkmk\agent\local
$start = Get-Date                      # start timing the check
$eventid = 104                         # System 104: "The <log> log file was cleared"
$threshold_warning = 1
$threshold_critical = 1
$hours = 2                             # look back this many hours
$time = [datetime]::Now.AddHours(-$hours)
# Query the System log for the event ID inside the time window;
# Get-WinEvent reports an error when nothing matches, hence SilentlyContinue
$events = Get-WinEvent -FilterHashtable @{ LogName='System'; ID=$eventid; StartTime=$time } -ErrorAction SilentlyContinue
$eventcount = ($events | Measure-Object).Count
# Output in Checkmk local check format: "P <service> <metric>=<value>;<warn>;<crit>"
# With warn=1 and crit=1 a single matching event already turns the service CRIT
$output = ""
$output += "<<<local>>>`n"
$valuedescription = "System_event_log_cleared"
$output += "P $valuedescription ATTEMPTS=$eventcount;$threshold_warning;$threshold_critical"
Write-Output $output
$end = Get-Date
$duration = $end - $start             # run time of the check (not reported)
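The two scripts above can be folded into one local check that watches both "log cleared" events and also reports which account cleared the log, so the CRIT alert in Checkmk carries the detail an incident responder needs. This is an added example, not the poster's script or Checkmk's own code; it assumes the script lives in C:\ProgramData\checkmk\agent\local, runs under the agent's SYSTEM account (needed to read the Security log), and that events 1102 and 104 carry a UserData/LogFileCleared element with the subject account (the fallback reads the message text if they do not).

```powershell
# Added example: one Checkmk local check for several "log cleared" events.
# Assumptions: stored in C:\ProgramData\checkmk\agent\local and run by the agent as
# SYSTEM; the agent itself wraps this output in the <<<local>>> section.
$hours = 2
$since = (Get-Date).AddHours(-$hours)

# Log name, event ID and Checkmk service name for each event to watch.
$watches = @(
    @{ LogName = 'Security'; Id = 1102; Service = 'Security_event_log_cleared' },
    @{ LogName = 'System';   Id = 104;  Service = 'System_event_log_cleared'   }
)

foreach ($w in $watches) {
    # @() makes .Count work even when nothing (or exactly one event) matches.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = $w.LogName; Id = $w.Id; StartTime = $since
    } -ErrorAction SilentlyContinue)

    $count  = $events.Count
    $detail = "no log clear in the last $hours h"
    if ($count -gt 0) {
        $who = foreach ($e in $events) {
            # Assumption: 1102 and 104 expose the clearing account under
            # Event/UserData/LogFileCleared; otherwise use the first message line.
            $x = [xml]$e.ToXml()
            $c = $x.Event.UserData.LogFileCleared
            if ($c) { "$($c.SubjectDomainName)\$($c.SubjectUserName) at $($e.TimeCreated)" }
            else    { ($e.Message -split "`n")[0] }
        }
        $detail = "cleared $count time(s): " + ($who -join '; ')
    }
    # "P" line: the agent derives the state from the thresholds (warn;crit).
    # With 1;1 a single clear event inside the window is already CRIT.
    Write-Output "P $($w.Service) clears=$count;1;1 $detail"
}
```

Because the count is taken over a sliding two-hour window, the service returns to OK by itself once the window has passed; lengthen `$hours` if the alert should stay visible longer.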
