Simple (better) local check; Monitor Windows event logs\IDs

We created a local PowerShell check which monitors the Windows event IDs better than the default options in Checkmk.

We have about ~1400 hosts in our Checkmk environment, and the check_mk.user.yml doesn't meet our expectations, and neither do the default Windows event rules.

This is the PowerShell script; you need to place it inside the folder C:\ProgramData\checkmk\agent\local

You can customize lines 26 and below, or add more (after line 25, #add services below).
In this specific configuration we check for events in the log that appear for CVE-2022-38023 (Security Update Guide - Microsoft - Netlogon RPC Elevation of Privilege Vulnerability) and for CVE-2022-37967 (Security Update Guide - Microsoft - Windows Kerberos Elevation of Privilege Vulnerability).

Good luck :wink:

Function GetEvents {
	param(
		[Parameter(Mandatory)]
		[string]$logname,           # event log to query, e.g. "System" or "Security"
		[Parameter(Mandatory)]
		[int]$eventid,              # Windows event ID to count
		[Parameter(Mandatory)]
		[int]$lookuphours,          # how far back to look, in hours
		[Parameter(Mandatory)]
		[string]$servicename,       # Checkmk service name (no spaces)
		[Parameter(Mandatory)]
		[int]$threshold_warning,    # event count at which the service goes WARN
		[Parameter(Mandatory)]
		[int]$threshold_critical,   # event count at which the service goes CRIT
		[Parameter()]
		[string]$description        # free text shown as the service summary
	)
	$time = [datetime]::Now.AddHours(-$lookuphours)   # start of the lookup window
	$events = Get-WinEvent -FilterHashtable @{ LogName=$logname; ID=$eventid; StartTime=$time } -ErrorAction SilentlyContinue   # SilentlyContinue: "no events found" is not an error here
	$eventmeasure = $events | Measure-Object   # full cmdlet name instead of the 'measure' alias; $null measures as Count 0
	$eventcount = $eventmeasure.Count
	return "P $servicename count=$eventcount;$threshold_warning;$threshold_critical $description"   # Checkmk local check line; 'P' lets the server derive the state from the thresholds
}
"<<<local>>>"
#add services below
GetEvents -logname "System" -eventid 5838 -lookuphours 24 -servicename "CVE-2022-38023_5838" -threshold_warning 1 -threshold_critical 2 -description "The Netlogon service encountered a client using RPC signing instead of RPC sealing"
GetEvents -logname "System" -eventid 5839 -lookuphours 24 -servicename "CVE-2022-38023_5839" -threshold_warning 1 -threshold_critical 2 -description "The Netlogon service encountered a trust using RPC signing instead of RPC sealing"
GetEvents -logname "System" -eventid 5840 -lookuphours 24 -servicename "CVE-2022-38023_5840" -threshold_warning 1 -threshold_critical 2 -description "The Netlogon service created a secure channel with a client with RC4"
GetEvents -logname "System" -eventid 5841 -lookuphours 24 -servicename "CVE-2022-38023_5841" -threshold_warning 1 -threshold_critical 2 -description "The Netlogon service denied a client using RC4 due to the RejectMd5Clients setting"

GetEvents -logname "System" -eventid 43 -lookuphours 24 -servicename "CVE-2022-37967-43" -threshold_warning 1 -threshold_critical 2 -description "The Key Distribution Center (KDC) encountered a ticket that it could not validate the full PAC Signature"
GetEvents -logname "System" -eventid 44 -lookuphours 24 -servicename "CVE-2022-37967-44" -threshold_warning 1 -threshold_critical 2 -description "The Key Distribution Center (KDC) encountered a ticket that did not contain the full PAC Signature"

Screenshot of how it looks in Checkmk:


Interesting, reminds me a little of how check_logfiles did it in the past, but I think there are certainly use cases where this is a much easier solution than going through the Checkmk Event console - thanks for sharing!


I would argue that once log forwarding to the event console is properly set up it is much easier to define new rules there (and more flexible) than to modify a local check that has to be distributed to 1400 hosts.


Maybe that is true, but for us it's way too much information that is being sent to Checkmk, which we want to minimize because of performance.

So this is the best option in the situations we have.

Hello,
is it possible to modify your script to warn when a user account is created in Active Directory?

Thanks

Should be pretty easy. You just have to find the right Event ID from Windows.

It’s in the Security Log and the Event ID is 4720.

Give it a try and tell me if it worked. :slightly_smiling_face:

Thanks, Norm, for your response. No, I was unable to get it to work.
All I wanted is for check_mk to show a CRIT message when event ID 4720 is triggered on the domain controller.
A PowerShell script to send an email alert works.
It would be great if you could put together a simple script to do this job.

Thanks and much appreciated.
Dave

Hi @Davejosh21,
this line should work:

GetEvents -logname "Security" -eventid 4720 -lookuphours 24 -servicename "Windows-user-created" -threshold_warning 1 -threshold_critical 2 -description "A user account was created."

There is a wiki article from Microsoft on how to configure the right policies in your Active Directory. Take a look here:

Thanks, I will try it.


Hi Norm, it works, thank you. But I have not been able to figure out how to confirm without suppressing the next trigger.
When I confirm the service, I don’t get a new message when a new user is created on the domain controller.
Can you or anyone help me?

Hello, I have found a solution to this problem. I went a different way to get what we needed. I decided to monitor the email notification for newly created users in AD, which is sorted into a sub-folder.
When the email arrives in the subfolder, it triggers a check_mk warning. I acknowledge this warning by moving the notification email to another folder.

@Norm, by all means, thank you.


This looks awesome. So are there other settings that need to be enabled in either Checkmk or in the check_mk.user.yml of the host, or can you simply use this script with your desired events? I am not experienced with Checkmk, but we have it and I am trying to learn more and get some notifications set up for certain Windows events. Any other information or potential gotchas are really appreciated!

Thanks in advance!

The PowerShell script that you place in the local check folder will add checks to the host in Checkmk. It will use the default settings you set in Checkmk for notifications etc.

You can change the name of the check and the event IDs in the script to your own wishes.

I have set it up and it appears to be working. The next portion will be setting up the alerts. I really appreciate your response and graciously sharing your script. I am going to try and leverage it to create notifications for account lockouts and adding or deleting user accounts etc… Anything I learn that could benefit someone else I will share as well. Thanks again!
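As an added example (not code from the original posts), here is a variant of the GetEvents local check for the same use case as the 4720 line above: besides the count, the service summary says when the newest matching event occurred and, where the event carries it, which account it concerns, so the Checkmk service tells the on-call person what changed and not only how many times. The function and parameter names are my own; it assumes the same local-check folder and that the agent runs as SYSTEM (the Checkmk agent service default) or as a member of Event Log Readers, which reading the Security log requires.

```powershell
# Added example, not part of the original post. Same idea as GetEvents, but the
# summary text also carries the newest event's time and the affected account.
Function Get-EventSummary {
	param(
		[Parameter(Mandatory)] [string]$LogName,      # "System", "Security", ...
		[Parameter(Mandatory)] [int]$EventId,
		[Parameter(Mandatory)] [int]$LookupHours,
		[Parameter(Mandatory)] [string]$ServiceName,  # Checkmk service name, no spaces
		[Parameter(Mandatory)] [int]$WarnAt,          # count at which the service goes WARN
		[Parameter(Mandatory)] [int]$CritAt,          # count at which the service goes CRIT
		[string]$Description = ''
	)
	$since = [datetime]::Now.AddHours(-$LookupHours)
	# @() so an empty result still has .Count; SilentlyContinue hides the "no events found" error
	$events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; ID = $EventId; StartTime = $since } -ErrorAction SilentlyContinue)
	$detail = $Description
	if ($events.Count -gt 0) {
		# Get-WinEvent returns newest first. Read named fields from the event XML
		# rather than positional .Properties, whose order differs per event ID.
		$newest = $events[0]
		$xml    = [xml]$newest.ToXml()
		$fields = @{}
		foreach ($d in $xml.Event.EventData.Data) {
			if ($d.Name) { $fields[$d.Name] = $d.'#text' }
		}
		# Security event 4720 names the created account in TargetUserName; other
		# events may only have the acting account (SubjectUserName) or neither.
		$who = $fields['TargetUserName']
		if (-not $who) { $who = $fields['SubjectUserName'] }
		$detail += " newest=$($newest.TimeCreated.ToString('s'))"
		if ($who) { $detail += " account=$who" }
	}
	# Checkmk local check line; 'P' makes the server derive OK/WARN/CRIT from the thresholds
	return "P $ServiceName count=$($events.Count);$WarnAt;$CritAt $detail"
}

"<<<local>>>"
Get-EventSummary -LogName "Security" -EventId 4720 -LookupHours 24 -ServiceName "Windows-user-created" -WarnAt 1 -CritAt 2 -Description "A user account was created."
```

Because the count covers the whole lookup window, the service stays non-OK until the window has passed; the newest timestamp in the summary is what lets you see that a further event arrived while the service was already in WARN or CRIT.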