zabbix_export: version: '6.0' date: '2021-11-21T21:26:45Z' groups: - uuid: 957d6848a1ea45e0abd710a0e4873e71 name: 'Windows Event Log' templates: - uuid: 6f2eb975923a44deb0c2b5703800387d template: 'Event User Log' name: 'Event User Log' description: | ## Overview Check windows event log: 1. Create user account 2. User account on 3. User account off 4. User account password reset 5. Delete user account 6. Unlocked user account + changed domain policy and cleaned security log ## Author Andrew Herasym groups: - name: 'Windows Event Log' items: - uuid: 9641f4ec29494ff6a8a2fc9cb6433061 name: 'Cleaned Security Log' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,1102,,]' delay: '300' trends: '0' value_type: LOG description: 'Очищений журнал безпеки' tags: - tag: Application value: 'Security Logs' triggers: - uuid: c8ba1ebde675468bbff50bfa0b4c5db0 expression: 'logeventid(/Event User Log/eventlog[Security,,,,1102,,],,"4722")=1 and nodata(/Event User Log/eventlog[Security,,,,1102,,],5s)=0' name: 'Cleaned Security Log' priority: HIGH description: 'Очищений журнал безпеки' - uuid: d11c5a759a8f40c3a9f84c82e0f1a3e7 name: 'Create User' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,4720,,]' delay: '300' history: 45d trends: '0' value_type: LOG description: 'Обліковий запис користувача створено' tags: - tag: Application value: 'Users Logs' triggers: - uuid: 830ed8f012754c7b85a7a12d70db4850 expression: 'logeventid(/Event User Log/eventlog[Security,,,,4720,,],,"4720")=1 and nodata(/Event User Log/eventlog[Security,,,,4720,,],5s)=0' name: 'Create User' priority: INFO description: 'Обліковий запис користувача створено' - uuid: e489bb8be4564867b5b37fb9c23be01b name: 'User On' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,4722,,]' delay: '300' history: 45d trends: '0' value_type: LOG description: 'Обліковий запис користувача включено' tags: - tag: Application value: 'Users Logs' triggers: - uuid: 502bcf6f174e415aa55f86005447f241 expression: 'logeventid(/Event User Log/eventlog[Security,,,,4722,,],,"4722")=1 and nodata(/Event User Log/eventlog[Security,,,,4722,,],5s)=0' name: 'User On' priority: INFO description: 'Обліковий запис користувача включено' - uuid: 2c475fbaa3eb405caecd37304012e7e9 name: 'User Password Reset' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,4724,,]' delay: '300' history: 45d trends: '0' value_type: LOG description: 'Пароль користувача скинуто' tags: - tag: Application value: 'Users Logs' triggers: - uuid: 7ac5029b6a63497c94d3bffcb5e004b0 expression: 'logeventid(/Event User Log/eventlog[Security,,,,4724,,],,"4722")=1 and nodata(/Event User Log/eventlog[Security,,,,4724,,],5s)=0' name: 'User Password Reset' priority: INFO description: 'Пароль користувача скинуто' - uuid: 0c63c188e34546808302fe60c74a22cc name: 'User Off' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,4725,,]' delay: '300' history: 45d trends: '0' value_type: LOG description: 'Обліковий запис користувача виключено' tags: - tag: Application value: 'Users Logs' triggers: - uuid: f46e5321c3ec45df838c9a636edf6f89 expression: 'logeventid(/Event User Log/eventlog[Security,,,,4725,,],,"4725")=1 and nodata(/Event User Log/eventlog[Security,,,,4725,,],5s)=0' name: 'User Off' priority: INFO description: 'Обліковий запис користувача відключено' - uuid: 1d32950237924719b53fbfff947021ff name: 'Delete User' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,4726,,]' delay: '300' history: 45d trends: '0' value_type: LOG description: 'Обліковий запис користувача видалено' tags: - tag: Application value: 'Users Logs' triggers: - uuid: 3276f24cb85a4ebfba34b3ad1824d3ac expression: 'logeventid(/Event User Log/eventlog[Security,,,,4726,,],,"4726")=1 and nodata(/Event User Log/eventlog[Security,,,,4726,,],5s)=0' name: 'Delete User' priority: INFO description: 'Обліковий запис користувача видалено' - uuid: a35ab2b319074b9999a07a0ce747faee name: 'Changed domain policy' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,4739,,]' delay: '300' trends: '0' value_type: LOG description: 'Змінена політика домену' tags: - tag: Application value: 'GPO Logs' triggers: - uuid: 4ae8c40cb6ac443497bf38251219abfa expression: 'logeventid(/Event User Log/eventlog[Security,,,,4739,,],,"4739")=1 and nodata(/Event User Log/eventlog[Security,,,,4739,,],5s)=0' name: 'Changed domain policy' priority: AVERAGE description: 'Змінена політика домену' - uuid: b28e61a2781a471e94e92ca0ecd56406 name: 'Unlocked User' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,4767,,]' delay: '300' history: 45d trends: '0' value_type: LOG description: 'Обліковий запис користувача розблоковано' tags: - tag: Application value: 'Users Logs' triggers: - uuid: c5f41ed1d405458b9d47a71bb26dc0e9 expression: 'logeventid(/Event User Log/eventlog[Security,,,,4767,,],,"4767")=1 and nodata(/Event User Log/eventlog[Security,,,,4767,,],5s)=0' name: 'Unlocked User' priority: INFO description: 'Обліковий запис користувача розблоковано'