by Lars Getwan
Checkmk Rules needed
Configuring the Checkmk Agent
There's a bakery rule "Finetune Windows Eventlog monitoring", that should be used to define which Eventlogs should be considered, and how.
...
After saving this rule, activate the changes and bake & sign your agents.
Configuring the Event Console Forwarding
If you would discover the services of your affected Windows hosts now, you would get the old-school Checkmk Services "Log Security" with the "Open Log" in their context menus.
...
After saving this rule, do a service discovery on the affected hosts and activate the changes.
Checking the Event Archive
From now on, the events from the Windows Eventlog on your hosts will be translated to Checkmk Event Console events and put into the event archive (if not matching any EC Rule, yet):
...
To categorize and classify the incoming events, we will create some EC Rules in the next paragraph. Using the message texts from the Event History, you can define the needed Regex patterns for that.
Creating the Event Console Rules
Basic Rules
First, create a Rulepack with a suitable name:
...
There, create a rule to handle all events that are not matching any other rules, yet:
General properties
Matching Criteria
Here, we need two regular expressions:
...
- The first one is applied to the message text and defines three matching groups using the brackets:
.{3} [0-9]+ [0-9:]{8} [0-9]+\.([0-9]{4}) ([^ ]+) (.*)The website https://regex101.com helps you to understand how the regex matches the message text and which groups are created:
These groups can later be accessed using the placeholders \1, \2 and \3 in the message text rewriting. They might also become important when automatic duplicate detection is used. We'll come to that later on. - The second regular expression "^(.*)$" simply matches on any Application text (in our case, it's always "Security", though), and puts it into a matching group. Later, we can access this group using the macro "$MATCH_GROUPS_SYSLOG_APPLICATION_1$".
Counting & Timing
The "Outcome & Action" section can remain unchanged, but in the Counting & Timing, we have two definitions:
...
As the events that match this rule will be categorized as "unknown", we will only keep them for 4 hours to keep our Event view as small and clean as possible.
Rewriting
In the Rewriting section, we can adjust the message text, application and other variables that will be shown in the event views:
...
WinEvtLog_Unknown_Security_4799
Conclusion
Using this "unknown" rule, we will catch all so-far not categorized events, adjust their message text and application, and then aggregate ("count") them based on the hostname and that modified application.
Specific Rules
Based on the events that are now catched by the "unknown" rule, we can pick single Event IDs and create rules for them to handle them separately. Let's chose this event in the first step:
Unknown Security event with ID 4720: A user account was created. Subject: Security ID: S-1-12-1-123456789012-123456789012-123456789012-123456789012 Account Name: LarsGetwan Account Domain: AzureAD Logon ID: 0x83d81 New Account: Security ID: S-1-5-21-123456789012-123456789012-123456789012-1001 Account Name: eric.clapton Account Domain: DESKTOP-DLP6NNN Attributes: SAM Account Name: eric.clapton Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: %%2080 %%2082 %%2084 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges -
General properties
Clone the "unknown" rule and modify the following fields:
The Regex
Using the long message text, we pick out the important information (colored) and create a regular expression pattern, starting with the one we already used in the "unknown" rule:
...
Fill in the new pattern in the "Text to match" field:
Counting & Timing
The counting and timing also will be changed a bit:
...
Also, we don't want to archive these events after few hours, but after 3 days ( => keep over the weekend).
Rewriting
In the rewriting section, the texts are also adjusted to the newly defined event:
Further Rules and Performance Considerations
We have to create further specific rules as done in the last steps. Here are some things you have to take care of:
...
- create a view that filters out all events coming from the Rule with the ID "WinEvtLog_unknown", or
- disable the rule "WinEvtLog_unknown", so those events will be dropped (or archived).
Related articles
| Filter by label (Content by label) | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
...