How to Use Zabbix to Monitor Windows Login Success and Failure Events

This guide explains how to configure Zabbix to monitor Windows Server login events—both successful and failed—by using eventlog keys, creating templates, items, triggers, and testing alerts to quickly detect and respond to potential security incidents.

Ops Development Stories

Purpose

Zabbix is used to detect local console logins and RDP logins to Windows servers, both successful and failed, so that use of leaked credentials, malicious logins and the information leakage that follows them are noticed quickly, and to notify system administrators promptly. Monitoring does not stop a login; its value is the speed with which an administrator learns about it.

Operating System

Test environment: Windows Server 2012 with Zabbix 4.4. Two local accounts exist on the server: songhongpeng and administrator.

Windows Server Security Log

Open Windows Event Viewer, go to Windows Logs > Security, and confirm that successful logons (event ID 4624, audit success) and failed logons (event ID 4625, audit failure) are being recorded. If either is missing, enable Success and Failure auditing for the Logon subcategory (Advanced Audit Policy Configuration > Logon/Logoff > Audit Logon) in local or domain policy; Zabbix can only read events that Windows writes.

Zabbix Server Configuration

Create a template.

Create an application set.

Create monitoring items.

Create triggers.

Test alerts.

Create Monitoring Item for Successful Login

The item uses the Zabbix agent built-in key eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>]. For successful logons:

eventlog[Security,,"Success Audit",,^4624$,,skip]

Parameters: Security is the log name; the second (message regexp) and fourth (source) parameters are left empty; "Success Audit" is the severity, which Zabbix matches as a case-insensitive regular expression against the strings "Success Audit" and "Failure Audit" that it assigns to Security-log events (written without the space, as "SuccessAudit", the regexp would not match and the item would never receive data); ^4624$ matches event ID 4624 exactly; the empty sixth parameter keeps the default maximum number of lines per second; skip tells the agent to ignore events that already existed when the item was created, so historical logons do not raise alarms. The eventlog key is supported only by the Zabbix agent (active) item type, so the agent on the Windows host needs ServerActive and Hostname set in zabbix_agentd.conf, and the item's type of information must be Log. Update interval is 60 s, history retention 7 days.

Create Monitoring Item for Failed Login

The same key with the failure severity and event ID 4625:

eventlog[Security,,"Failure Audit",,^4625$,,skip]

Create Triggers

Example trigger for successful login (VEEAMBACKUP-SER is the Zabbix host name of the monitored server):

{VEEAMBACKUP-SER:eventlog[Security,,"Success Audit",,^4624$,,skip].nodata(60)}=0 and {VEEAMBACKUP-SER:eventlog[Security,,"Success Audit",,^4624$,,skip].regexp(songhongpeng)}=1

The expression means: if the item received a value within the last 60 seconds (nodata(60) is 0) and the last value contains the string "songhongpeng", the trigger goes into problem state; once no new event has arrived for 60 seconds, nodata(60) becomes 1 and the trigger returns to OK. Continuous successful logins keep the trigger in problem state. Two caveats: event 4624 is written for every logon type, including network (type 3) and service (type 5) logons, so on a busy server this trigger fires on far more than console or RDP sessions; restrict it to interactive sessions by matching the "Logon Type:" field of the event text (type 2 for the console, type 10 for RDP) in the item's regexp parameter or in the trigger's regexp(). And regexp() is applied to the whole event text, so the account name should be distinctive enough not to match other fields, such as a workstation name.

Similar trigger for failed login:

{VEEAMBACKUP-SER:eventlog[Security,,"Failure Audit",,^4625$,,skip].nodata(60)}=0 and {VEEAMBACKUP-SER:eventlog[Security,,"Failure Audit",,^4625$,,skip].regexp(songhongpeng)}=1

This works the same way and fires on the first failed logon for that account. For brute-force detection it is better to count failures over a window with the count() trigger function (for example five or more 4625 events within five minutes) and not to restrict the match to a single account name, since password-spraying attempts are aimed at many accounts, not only the one being watched.

Trigger Alarm Test

Test by logging in via mstsc (RDP) or at the console as songhongpeng, once with the correct password and once with a deliberately wrong one, then confirm in Monitoring > Problems that the success and failure triggers each go into problem state and return to OK about 60 seconds after the last matching event.
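As an added check before trusting the triggers (this PowerShell script is not part of the original article), run the following on the monitored Windows host in an elevated PowerShell session. It confirms that logon auditing is enabled, pulls the recent 4624/4625 events the Zabbix items filter on, extracts the fields the trigger regexp will see (account, logon type, source address) and summarises failures per source address, which is the brute-force view a single-event trigger cannot give. The account name songhongpeng is the one used in the article; the 60-minute window and the choice of interactive logon types are assumptions to adjust to your environment.

```powershell
# Added example, not from the original article: preview on the monitored host what the
# Zabbix eventlog items and triggers will see. Run elevated; the Security log needs admin rights.
param(
    [int]$Minutes = 60,                   # assumption: how far back to look
    [string]$WatchUser = 'songhongpeng'   # account name from the article's trigger; change to your own
)

# 1. Logon auditing must be on for both Success and Failure, otherwise 4624/4625 are
#    never written and the Zabbix eventlog items simply stay empty.
auditpol /get /subcategory:"Logon"

# 2. Pull recent logon successes (4624) and failures (4625) from the Security log.
$since  = (Get-Date).AddMinutes(-$Minutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

# 3. Zabbix hands the trigger the rendered event text; the fields it can match come from
#    the EventData section of the event XML. Extract the ones that matter.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        User      = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        LogonType = $data['LogonType']     # 2 = console, 3 = network, 5 = service, 10 = RDP, 11 = cached console
        SourceIp  = $data['IpAddress']
    }
}

# 4. Only console, RDP and cached-console logons are what the article's trigger is meant
#    to catch; type 3/5 events on a busy server are the noise it would otherwise alarm on.
$interactive = $rows | Where-Object { $_.LogonType -in '2', '10', '11' }
"Interactive logon events in the last $Minutes minutes:"
$interactive | Sort-Object Time | Format-Table -AutoSize

# 5. Failures: what the article's 4625 trigger keys on for the watched account, plus the
#    per-source-address count that shows a brute-force or password-spray attempt.
$failures = $rows | Where-Object { $_.EventId -eq 4625 }
"Failed logons for ${WatchUser}: " + @($failures | Where-Object { $_.User -eq $WatchUser }).Count
"Failed logons per source address:"
$failures | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

If step 4 shows nothing after a test RDP session, the audit policy from step 1 is the first thing to fix; if it shows many type 3 entries, that is exactly the traffic to exclude in the Zabbix item's regexp parameter before enabling the trigger in production.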

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Alerting, Windows, Zabbix, Event Log, Login Monitoring
Written by

Ops Development Stories

Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.
