[comment]: # aside:12

[comment]: # ({1f4286c6-e03ef403})
# Monitor Windows event log using active checks

[comment]: # ({/1f4286c6-e03ef403})

[comment]: # ({8db5cba7-9c880c53})
#### Introduction

This guide explains how to monitor Windows event logs with Zabbix using active checks. With Zabbix Windows-specific item keys, you can collect and analyze critical events (such as failed logon attempts or system errors) in real time.

**Who this guide is for**

This guide is designed for new Zabbix users and network administrators who want to monitor Windows event logs. For advanced configuration options, refer to the [Windows-specific item keys](/manual/config/items/itemtypes/zabbix_agent/win_keys#windows-specific-items) documentation.

**Prerequisites**

Before proceeding with this guide, you need to [download and install](https://www.zabbix.com/download) Zabbix server and Zabbix frontend according to the instructions for your OS. You also need Zabbix agent [downloaded and installed](https://www.zabbix.com/download_agents) on the Windows machine you want to monitor.

[comment]: # ({/8db5cba7-9c880c53})

[comment]: # ({369d3299-320398a9})
#### Configure Zabbix agent for Windows event log monitoring

1\. Open `zabbix_agentd.conf` (default path `C:\Program Files\Zabbix Agent\zabbix_agentd.conf`) on your Windows host and ensure that the [ServerActive](/manual/appendix/config/zabbix_agentd_win#serveractive) parameter is set to the IP address of your Zabbix server and that the [Hostname](/manual/appendix/config/zabbix_agentd_win#hostname) parameter matches the host name that will be defined in [Zabbix frontend](#configure-zabbix-frontend). With these settings, the agent requests the active checks for its host from the specified Zabbix server. For example:
   
```ini
ServerActive=192.0.2.0
Hostname=MyWindowsHost
```

2\. Restart the Zabbix agent service to apply the changes (run the command in a Command Prompt opened as administrator):

```bat
net stop "Zabbix Agent" && net start "Zabbix Agent"
```

3\. Check that the Windows host is running:

-   Ensure Zabbix agent service is running on the Windows host.
-   Check that the Windows host can connect to Zabbix server on port 10051. To test connectivity from the Windows host, open PowerShell and run the following command:

```powershell
Test-NetConnection -ComputerName <Zabbix-server-IP> -Port 10051
```
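The three steps above can be checked in one pass with the following PowerShell script. It is an added example, not part of the Zabbix documentation; it assumes the default configuration path and the service name "Zabbix Agent" used in this guide, and it does not handle IPv6 literals in `ServerActive`.

```powershell
# Added example. $ConfPath is the default path quoted in this guide.
$ConfPath = 'C:\Program Files\Zabbix Agent\zabbix_agentd.conf'

# Read uncommented "Parameter=value" lines; if a parameter appears twice,
# this script keeps the last value it sees.
$conf = @{}
foreach ($line in Get-Content -LiteralPath $ConfPath) {
    if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $conf[$Matches[1]] = $Matches[2] }
}

# Step 1: both parameters are expected to be set for this guide's setup.
foreach ($name in 'ServerActive', 'Hostname') {
    if ($conf[$name]) { '{0} = {1}' -f $name, $conf[$name] }
    else { Write-Warning "$name is not set in $ConfPath" }
}

# Step 3, first check: the agent service must be running.
$svc = Get-Service -Name 'Zabbix Agent' -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning 'Service "Zabbix Agent" was not found' }
elseif ($svc.Status -ne 'Running') { Write-Warning "Service status is $($svc.Status)" }
else { 'Service "Zabbix Agent" is running' }

# Step 3, second check: each ServerActive entry must accept TCP connections.
# An entry may be "address" or "address:port"; the default port is 10051.
foreach ($entry in ("$($conf['ServerActive'])" -split '[,;]')) {
    $entry = $entry.Trim()
    if (-not $entry) { continue }
    $server, $port = $entry -split ':', 2
    if (-not $port) { $port = 10051 }
    $r = Test-NetConnection -ComputerName $server -Port ([int]$port) -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $server, $port, $r.TcpTestSucceeded
}
```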

[comment]: # ({/369d3299-320398a9})

[comment]: # ({f513db56-25228513})
#### Configure Zabbix frontend

1\. Navigate to *Data collection > Hosts* and [create a host](/manual/config/hosts/host):

-   In the *Host name* field, enter a host name (e.g., "MyWindowsHost").
-   In the *Host groups* field, type or select a host group (e.g., "Event log Monitoring").
-   Press *Add* to save the configured host.

::: noteclassic
In the *Templates* field you may add the "Windows by Zabbix agent active" template to help you troubleshoot by observing whether other active items on the same host are updating.
:::

![](../../../assets/en/manual/guides/eventlog_host.png){width="600"}

2\. Create a new item with the following parameters:

-  In the *Name* field, enter a descriptive item name (e.g., "Security log: failed logon events").
-  In the *Type* drop-down, select "Zabbix agent (active)" (required for Event log monitoring).
-  In the *Key* field, use the [eventlog](/manual/config/items/itemtypes/zabbix_agent/win_keys#eventlog) item key. For example, to monitor failed logon attempts (Event ID: 4625) in the Security log and to ignore entries older than the item's last check (using the `skip` parameter), enter the following item key: `eventlog[Security,,,,4625,,skip]`
-  In the *Type of information* drop-down, select "Log".

![](../../../assets/en/manual/guides/eventlog_item.png){width="600"}

3\. Click *Add* to save the item.

[comment]: # ({/f513db56-25228513})

[comment]: # ({dd0a5b78-a35d4c3a})
#### Test and view collected metrics

Congratulations! Zabbix is now set up to collect your Windows event logs.
To verify that event logs are being collected, you can test the "Security log: failed logon events" item by logging out of your Windows account and attempting to log in using incorrect credentials.

Then, view the collected logs in Zabbix frontend:

1\. Navigate to *Monitoring > Latest data* in Zabbix frontend.

![](../../../assets/en/manual/guides/eventlog_latestdata.png){width="600"}

2\. Filter by your "MyWindowsHost" host in the *Name* field.

3\. Click *History* to view recorded log values. 

![](../../../assets/en/manual/guides/eventlog_history.png){width="600"}

4\. If log values are absent, proceed to the [Troubleshooting](#troubleshooting) section of the guide.

[comment]: # ({/dd0a5b78-a35d4c3a})

[comment]: # ({6d51ace0-c98bb7b1})
#### Set up problem alerts

This guide provides basic configuration steps for sending email alerts.

1\. Navigate to *Data collection > Hosts* to [define a trigger](/manual/quickstart/basic_config/trigger#adding-trigger) that fires when your event log item records the pattern you care about. For example, to catch failed logon attempts in the Security log, use the [find()](/manual/appendix/functions/history#find) function:

```
find(/MyWindowsHost/eventlog[Security,,,,4625,,skip],10m,"like","Logon failed")
```

2\. Navigate to [*User settings > Profile*](/manual/web_interface/user_profile), switch to the *Media* tab and [add your email](/manual/quickstart/basic_config/login#adding-user).

![](../../../assets/en/manual/quickstart/new_media.png){width="600"}

3\. Follow the guide for [Receiving a problem notification](/manual/quickstart/basic_config/notification).

The next time Zabbix detects a problem, you should receive an alert via email.

[comment]: # ({/6d51ace0-c98bb7b1})

[comment]: # ({e3501cd1-d7537870})
#### Troubleshooting

If you encounter issues with collecting or viewing Windows event logs, use the tips below to identify and resolve common problems:

1\. On Zabbix server (Linux), list your iptables rules with the following command and verify that there is an ACCEPT rule for TCP port 10051:

```bash
sudo iptables -L -n
```

2\. Make sure your `eventlog[...]` key specifies the log name (case-sensitive), event ID, mode (e.g., `skip`) and other parameters exactly as shown in the [Windows-specific item keys](/manual/config/items/itemtypes/zabbix_agent/win_keys#windows-specific-items) documentation.
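If the key is correct but no values or alerts appear, it helps to confirm on the Windows host that the log actually contains the event and that its text contains the substring used in the trigger. The script below is an added example, not part of the Zabbix documentation; the log name, event ID and pattern are the ones used in this guide, and the variable names are illustrative.

```powershell
# Added example. Reading the Security log requires an elevated session
# or membership in the Event Log Readers group.
$LogName = 'Security'        # first parameter of the eventlog[] key in this guide
$EventId = 4625              # event ID from the item key in this guide
$Pattern = 'Logon failed'    # substring from the find() trigger in this guide

$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } `
                       -MaxEvents 20 -ErrorAction SilentlyContinue

if (-not $events) {
    # Nothing for the agent to collect yet: generate a test event as described
    # in "Test and view collected metrics", then run the script again.
    Write-Warning ('No event {0} found in the {1} log' -f $EventId, $LogName)
    return
}

# The item value is the rendered event message, and the "like" operator of find()
# is a case-sensitive substring match, so Contains() is used for the same comparison.
$report = foreach ($e in $events) {
    $message = [string]$e.Message
    [pscustomobject]@{
        TimeCreated    = $e.TimeCreated
        PatternMatches = $message.Contains($Pattern)
        FirstLine      = ($message -split "`r?`n")[0]
    }
}
$report | Format-Table -AutoSize -Wrap

# If no collected message contains the pattern, the trigger cannot fire;
# pick a substring that appears in the messages listed above.
$hits = @($report | Where-Object PatternMatches).Count
'{0} of {1} recent events contain "{2}"' -f $hits, @($report).Count, $Pattern
```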

[comment]: # ({/e3501cd1-d7537870})

[comment]: # ({37ab71ac-aeb05d60})

**See also:**

- [Creating an item](/manual/config/items/item) - learn how to add additional metrics.
- [Zabbix agent on Microsoft Windows](/manual/appendix/install/windows_agent) - detailed installation instructions.
- [Monitor Windows with Zabbix agent](/manual/quickstart/monitor_windows) - a comprehensive guide on setting up basic monitoring for Windows machines using Zabbix agent.
- [Windows-specific item keys](/manual/config/items/itemtypes/zabbix_agent/win_keys) - detailed information on Windows-specific item keys supported by Zabbix agents, including those for event log monitoring.
- [Log file monitoring](/manual/config/items/itemtypes/log_items) - instructions on configuring Zabbix for centralized monitoring and analysis of log files, applicable to Windows event logs.

[comment]: # ({/37ab71ac-aeb05d60})
