NeuroAgent

How to Set Up Active Directory Monitoring in Zabbix

Complete guide for setting up Active Directory event monitoring on Windows Server 2016 in Zabbix. Learn to track account creation, password changes, and failed login attempts.

How to configure Active Directory event monitoring on Windows Server 2016 in Zabbix?

I’m studying monitoring systems and have a Windows Server 2016 with running DHCP, DNS, and Active Directory services. I need to set up tracking of all actions related to Active Directory, including:

  • Creation, deletion, and modification of user accounts
  • Password updates
  • Failed login attempts

Please advise on how to properly configure logging of these events in Zabbix and if there is a detailed guide for this setup?

NeuroAgent

Setting up Active Directory event monitoring in Zabbix for Windows Server 2016 requires installing Zabbix Agent on the domain controller, enabling auditing in Windows, creating monitoring templates, and configuring collection of specific events through eventlog items. To track account actions, password changes, and failed login attempts, you need to configure monitoring of the corresponding Event IDs in Zabbix.

Zabbix Agent Installation and Configuration

First, you need to install Zabbix Agent on the Windows Server 2016 domain controller. The agent will collect Windows event information and transmit it to the Zabbix server.

Installation Steps:

  1. Download the latest version of Zabbix Agent for Windows from the official website
  2. Run the installation with administrator privileges
  3. During installation, specify your Zabbix server’s IP address in the Zabbix server field
  4. After installation, open the configuration file zabbix_agentd.conf (by default located in C:\Program Files\Zabbix Agent\)

Agent Configuration:

```ini
# Zabbix server IP address (passive checks)
Server=192.168.1.100
# Zabbix server IP address for active checks (eventlog items are collected as active checks)
ServerActive=192.168.1.100
# Domain controller name; must match the host name configured in the Zabbix frontend
Hostname=DC-01
# Log file size in MB before rotation
LogFileSize=1
```

Note that the agent configuration parser does not accept trailing comments on a value line, so comments must sit on their own lines as above.

Important: Ensure that the Hostname parameter in the agent configuration exactly matches the hostname that will be created in the Zabbix interface.

Agent Verification:

After installation and configuration, verify the agent’s operation using the command:

```cmd
netstat -an | findstr 10050
```

TCP port 10050 is the port on which the agent listens for passive checks from the Zabbix server, so it should appear in the LISTENING state. Because eventlog items are active checks, the domain controller must also be able to reach the Zabbix server on TCP port 10051 (the ServerActive connection).

Windows Server 2016 Audit Configuration

To monitor Active Directory events, you need to enable the appropriate audit policies in Windows Server 2016.

Enabling Security Auditing:

  1. Open Group Policy Editor (gpedit.msc)
  2. Navigate to: Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy → Audit Policy
  3. Enable the following audit policies:
    • Audit Credential Validation
    • Audit Account Logon
    • Audit Account Management

Configuring Specific Events:

To monitor specific actions, configure detailed auditing:

User Accounts:

  • ID 4720: User account created
  • ID 4722: User account enabled
  • ID 4725: User account disabled
  • ID 4738: User account changed
  • ID 4740: User account locked out

Passwords:

  • ID 4724: Attempt to reset password
  • ID 4723: Password change
  • ID 4767: Password reset

Failed Logins:

  • ID 4625: Failed logon attempt
  • ID 4634: Logoff
  • ID 4647: Initiated logoff

Command Line for Enabling Auditing:

You can use PowerShell for quick audit configuration:

```powershell
# Enable logon auditing (Event ID 4625 for failed logons)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Enable user account management auditing (Event IDs 4720, 4722, 4723, 4724, 4725, 4738, 4740)
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# Enable Kerberos authentication service auditing (domain logon failures against the DC are recorded here too)
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
```
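
Before wiring the items into Zabbix, it is worth confirming on the domain controller that auditing is actually enabled and that the Security log is producing the Event IDs listed above. The following PowerShell script is an added example and not part of the original answer; it assumes it runs in an elevated session on the DC and that the three auditpol subcategories named in it cover the events in the lists above.

```powershell
# Added verification script; not part of the original answer. Run in an elevated
# PowerShell session on the domain controller before creating the Zabbix items.

# Assumption: the page's event lists map to these three auditpol subcategories.
$subcategories = 'Logon', 'User Account Management', 'Kerberos Authentication Service'

function Get-AuditSetting([string]$Subcategory) {
    # auditpol prints a header and one data row such as:
    #   "  Logon                                   Success and Failure"
    $row = auditpol /get /subcategory:"$Subcategory" |
        Where-Object { $_ -match ('^\s+' + [regex]::Escape($Subcategory) + '\s{2,}') }
    if (-not $row) { return 'unknown' }
    # Columns are separated by runs of two or more spaces; the last one is the setting.
    return (($row -split '\s{2,}')[-1]).Trim()
}

foreach ($sub in $subcategories) {
    $setting = Get-AuditSetting $sub
    $state = if ($setting -in 'No Auditing', 'unknown') { 'MISSING' } else { 'ok' }
    '{0,-32} {1,-22} {2}' -f $sub, $setting, $state
}

# Event IDs from the lists above, counted over the last hour.
$eventIds = 4625, 4720, 4722, 4723, 4724, 4725, 4738, 4740
$since = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $eventIds; StartTime = $since } `
    -ErrorAction SilentlyContinue   # "no events found" is not an error here

$counts = @{}
$events | Group-Object Id | ForEach-Object { $counts[[int]$_.Name] = $_.Count }

foreach ($id in $eventIds) {
    $n = if ($counts.ContainsKey($id)) { $counts[$id] } else { 0 }
    # A persistent zero for an ID you expect to see usually means the audit policy is not applied.
    'Event ID {0}: {1,5} event(s) since {2:HH:mm}' -f $id, $n, $since
}
```

On a domain controller, a subcategory reported as MISSING even after running auditpol usually means a domain GPO is overriding the local setting.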

Creating Monitoring Templates in Zabbix

Zabbix provides ready-made templates for Active Directory monitoring that can be imported into the system.

Official Templates:

  1. Template App Active Directory: Template for basic AD monitoring
  2. Template Windows by Zabbix agent active: Standard template for Windows systems

Template Import:

  1. Download templates from the official Zabbix website or repositories
  2. In the Zabbix interface, go to: Configuration → Templates → Import
  3. Select the XML template file and import it

Custom Template Configuration:

For specific needs, you can create your own template:

  1. In Zabbix, create a new template: Configuration → Templates → Create template
  2. Add data items for event monitoring:
    eventlog[Security,,,,4625,,skip]  - Failed logons
    eventlog[Security,,,,4720,,skip]  - User account creation
    eventlog[Security,,,,4725,,skip]  - User account disabling
    eventlog[Security,,,,4738,,skip]  - User account changes

Example Item Configuration:

  • Name: Security - Failed logon attempts
  • Type: Zabbix agent (active) - eventlog items are supported only by the active agent
  • Key: eventlog[Security,,,,4625,,skip]
  • Update interval: 1m
  • History storage period: 30d

Specific Event Collection Configuration

To collect specific Active Directory events, use special data item keys in Zabbix.

Event ID-based Collection Setup:

Main keys for event monitoring:

Event Type             | Event ID | Description                           | Zabbix Key
-----------------------|----------|---------------------------------------|----------------------------------
Failed login           | 4625     | Security log - Failed logon attempt   | eventlog[Security,,,,4625,,skip]
User account creation  | 4720     | Security log - User account created   | eventlog[Security,,,,4720,,skip]
User account disabling | 4725     | Security log - User account disabled  | eventlog[Security,,,,4725,,skip]
User account change    | 4738     | Security log - User account changed   | eventlog[Security,,,,4738,,skip]
User account lockout   | 4740     | Security log - User account locked out| eventlog[Security,,,,4740,,skip]
Password reset         | 4767     | Security log - User password reset    | eventlog[Security,,,,4767,,skip]

Trigger Configuration:

For automatic response to events, create triggers:

Example Trigger for Account Lockouts:

  • Name: AD User account locked out
  • Expression: {DC-01:eventlog[Security,,,,4740,,skip].count(5m)}>0 (count() requires a time period or value count; 5m is used here)
  • Severity: High
  • Description: User account has been locked out

Example Trigger for Failed Logins:

  • Name: AD Multiple failed logon attempts
  • Expression: {DC-01:eventlog[Security,,,,4625,,skip].count(5m)}>10
  • Severity: Warning
  • Description: More than 10 failed logon attempts detected within 5 minutes

Action Configuration:

For automatic notification about critical events, create actions:

  1. Configuration → Actions → Create action
  2. Configure trigger conditions
  3. Configure operations (email sending, script execution)

Troubleshooting Common Problems

Various problems may arise when setting up Active Directory monitoring.

Problem 1: Events are not being collected

Cause: Missing access to event logs or incorrectly configured agent.

Solution:

  1. Check access rights to event logs
  2. Ensure Zabbix Agent is running under an account with sufficient privileges
  3. Check the zabbix_agentd.conf configuration
  4. Verify port 10050 availability

Problem 2: High load on the domain controller

Cause: Frequent event log checks create system load.

Solution:

  1. Increase data item update intervals
  2. Use the skip parameter to exclude old events
  3. Configure event filtering by specific Event ID

Problem 3: No data in Zabbix

Cause: Hostname mismatch or configuration issues.

Solution:

  1. Ensure that Hostname in zabbix_agentd.conf matches the name in Zabbix
  2. Check connection to the Zabbix server
  3. Check Zabbix Agent logs for errors

Problem 4: Incorrect events are being collected

Cause: Event filters are too broad.

Solution:

  1. Use more specific Event IDs in data item keys
  2. Add additional filtering parameters to keys
  3. Configure detailed audit policies

Performance Optimization

For efficient Active Directory monitoring without impacting domain controller performance, configure optimization.

Event Collection Optimization:

  1. Use the skip parameter: eventlog[Security,,,,4625,,skip] - the agent skips the events already present in the log when the item is first checked and reports only events written afterwards
  2. Increase update interval: For less critical events, use 5-10 minute intervals
  3. Filter by source: Use additional filtering parameters in data item keys

Example Optimized Keys:

```text
# For critical events - frequent checking
eventlog[Security,,,,4740,,skip]    # Account lockouts - 1 minute update interval

# For less critical events - rare checking
eventlog[Security,,,,4720,,skip]    # User account creation - 5 minute update interval
```

Using LLD (Low Level Discovery):

For automatic discovery and monitoring of a large number of events, use LLD:

  1. Create a data item prototype with a regular expression for Event ID
  2. Configure triggers based on prototypes
  3. Use macros for flexible configuration

Example LLD for Security Events:

```json
{
    "discoveryRule": {
        "key": "security.event.discovery",
        "name": "Security events discovery",
        "type": "Zabbix agent",
        "updateInterval": "1h"
    },
    "itemPrototypes": [
        {
            "key": "eventlog[Security,,,,{#EVENTID},,skip]",
            "name": "Security event {#EVENTID}",
            "type": "Zabbix agent (active)"
        }
    ]
}
```

The discovery rule key security.event.discovery is not a built-in agent key; it has to be provided by a UserParameter that returns the list of {#EVENTID} values in LLD JSON format.

Active Directory Replication Monitoring:

For complete AD monitoring, also configure replication tracking:

  1. Install the PowerShell module for Active Directory
  2. Create a script for replication checking
  3. Add a data item for script execution
  4. Configure triggers for replication errors

```powershell
# Example script for replication checking
# Requires the ActiveDirectory PowerShell module (RSAT)
Import-Module ActiveDirectory

Get-ADReplicationFailure -ErrorAction SilentlyContinue |
    Where-Object { $_.LastFailureTime -gt (Get-Date).AddHours(-1) } |
    Select-Object LastFailureTime, Partner, FailureCount
```
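
As an added example for steps 1-4 above (not part of the original answer), this PowerShell script returns the number of recent replication failures as a single integer so the Zabbix agent can run it through a UserParameter. The script path, the key name ad.replication.failures and the one-hour default window are assumptions.

```powershell
# Added example, not from the original answer. Exposes recent AD replication
# failures as one integer for a Zabbix agent UserParameter.
#
# Assumed file location: C:\Zabbix\scripts\Get-ReplFailures.ps1
# Assumed zabbix_agentd.conf line (the key parameter is the look-back window in hours):
#   UserParameter=ad.replication.failures[*],powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "C:\Zabbix\scripts\Get-ReplFailures.ps1" "$1"
# Matching Zabbix item key: ad.replication.failures[1]   (type: Zabbix agent, Numeric (float))
# Example trigger: {DC-01:ad.replication.failures[1].last()}>0
param(
    [int]$Hours = 1
)

# Requires the RSAT / ActiveDirectory PowerShell module (step 1 above).
Import-Module ActiveDirectory -ErrorAction Stop

$since = (Get-Date).AddHours(-$Hours)

try {
    # Limit the query to this DC so every agent poll stays cheap.
    $failures = Get-ADReplicationFailure -Target $env:COMPUTERNAME -Scope Server -ErrorAction Stop |
        Where-Object { $_.LastFailureTime -gt $since }
    # Zabbix reads a single value from stdout; @() makes .Count work for 0 or 1 results.
    Write-Output (@($failures).Count)
}
catch {
    # A failed query must not be mistaken for "no failures"; -1 lets a separate
    # trigger (e.g. .last()<0) flag the collector itself as broken.
    Write-Output -1
}
```

The agent service account needs read access to the replication metadata on the DC; if the value stays at -1, run the script interactively under that account to see the underlying error.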

Conclusion

Setting up Active Directory event monitoring in Zabbix for Windows Server 2016 is a complex task that requires coordination of several components: Zabbix Agent, Windows audit policies, and Zabbix template configuration. The main steps include installing and configuring the agent, enabling appropriate audit policies, creating monitoring templates, and configuring collection of specific events.

For successful implementation, it’s recommended to start with basic monitoring configuration for critical events (account lockouts, failed logins) and gradually expand coverage to less critical events. It’s important to optimize performance by using the skip parameter and adjusting update intervals.

When problems arise, you should check the agent configuration, access rights to event logs, and hostname matching. For complex scenarios, you can use ready-made templates from GitHub or official Zabbix sources.

For further study of this topic, it’s recommended to review the Zabbix documentation and experiment with various triggers and actions for automating response to Active Directory events.