Zabbix monitoring alarm windows user login

2025-03-31 Update. From: SLTechnology News&Howtos (shulou), category: Servers


Shulou(Shulou.com)06/02 Report--

1. Purpose

Objective: have Zabbix monitor local and mstsc (Remote Desktop) logons to the Windows server, so that password disclosure, malicious logins and information leakage are detected and the system administrator is notified promptly. Note: this document does not cover Zabbix deployment, tuning, or the monitoring of other services.

This experiment took a fair amount of time and a few detours. Reprinting is allowed; please credit the source link:

Renzhiyuan.blog.51cto.com

2. Preparatory work:

2.1) Install and configure the Zabbix server (installation details are not discussed)

2.2) Configure email alerts (WeChat, QQ and SMS alerts are not discussed)

2.3) Modify the alert template (the default alert layout is hard to read; not discussed)

2.4) Install and configure zabbix_agent on the client

2.4.1) zabbix client configuration

# register the agent as a Windows service (run from an elevated command prompt);
# --install is the zabbix_agentd.exe option that performs the service registration:
"D:\zabbix-3.0.5\bin\win64\zabbix_agentd.exe" --config "D:\zabbix-3.0.5\bin\win64\zabbix_agentd.win.conf" --install

2.4.2) configure zabbix_agent:zabbix_agentd.win.conf

LogFile=D:\zabbix-3.0.5\bin\win64\zabbix_agentd.log
Server=192.168.1.244          # Zabbix server host (allowed to run passive checks)
# ListenPort=10050
# ListenIP=0.0.0.0
ListenIP=192.168.1.243        # this machine's IP
#ServerActive=127.0.0.1       # note: the eventlog[] items in section 3 are active checks, so
                              # ServerActive must point at the Zabbix server for them to deliver data

2.4.3) Firewall configuration: firewall.cpl

# allow inbound TCP port 10050 (the agent's default listen port)

2.4.4) start zabbix_agent

2.5) Understand the Windows Security log:

Failure Audit entries are recorded when someone enters a wrong username or password while trying to gain access, for example during a malicious login attempt.

3. Server configuration:

3.1) Add an action configuration:

3.2) Create the monitoring items:

3.2.1) Monitoring item for successful account logon:

Create a new application: Event Log

Name: account logon successful

Type: Zabbix agent (active)

Key: eventlog[Security,,"Success Audit",,^4624$,,skip]

Parameter 1, Security: the name of the event log.

Parameter 3, "Success Audit": the severity of the event. The empty positions between the double commas are parameters 2, 4 and 6 (regexp, source, maxlines), which are left unset.

Parameter 5, ^4624$: a regular expression that matches only events whose ID equals 4624.

Parameter 7, skip: existing (historical) log entries are not processed. If skip is omitted, all historical entries that meet the conditions above are collected as well.

Type of information: Log

Update interval: 60s

History storage period: 7 days

3.2.2) Monitoring item for failed account logon:

Key: eventlog[Security,,"Failure Audit",,^6281$,,skip]

3.3) Create the triggers:

3.3.1) Trigger for successful logon:

{Template Windows Event Log:eventlog[Security,,"Success Audit",,^4624$,,skip].nodata(60)}=0 and {Template Windows Event Log:eventlog[Security,,"Success Audit",,^4624$,,skip].str(Advapi)}=0

The expression means: if the item received data within the last 60 seconds and the latest value does not contain the string "Advapi", the trigger fires; once no new data has arrived for 60 seconds, the trigger returns to OK. In short, the trigger stays in PROBLEM state for at least 60 seconds after a user logs on, and if successful logons keep arriving less than 60 seconds apart it remains in PROBLEM state continuously.

3.3.2) Trigger for failed logon:

{Template Windows Event Log:eventlog[Security,,"Failure Audit",,^6281$,,skip].nodata(60)}=0 and {Template Windows Event Log:eventlog[Security,,"Failure Audit",,^6281$,,skip].str(Advapi)}=0

The expression means: if the item received data within the last 60 seconds and the latest value does not contain the string "Advapi", the trigger fires; once no new data has arrived for 60 seconds, the trigger returns to OK. If someone keeps trying to brute-force the logon password, you will see the trigger remain in PROBLEM state the whole time.

4. Triggering the alert:

Log on through mstsc or at the local console, then check your mailbox for the alert email:

Note: a blogger commented that a related post is very similar to this article: http://qicheng0211.blog.51cto.com/3958621/1694583

Although the basic idea is the same, there are some differences. I did refer to that article beforehand, but the procedure, the approach and the failure-monitoring items here differ, and I also checked the official website. The link to that post is noted here to avoid unnecessary misunderstanding.
