Get the Zabbix Agent up and running on an endpoint. Once you have the agent installed on the host, add it into your Zabbix server. You can specify the type of log you want to have tracked, and can get granular with it. You want to add an item to your new host, similar to:
eventlog[System,,"Warning|Error|Failure",,,,]
This is a good start to monitor errors, but I also like to parse events on domain controllers with the following item:
eventlog[Security,,,,,,]
Keep in mind that the larger your domain is, the more events will hit your DCs at any given time. This item reads in every Security event, so size the history storage for these items accordingly.
We can now use triggers to alarm for us based on specific event IDs. For example, the following trigger expression will tell us when a new user is created:
I also have one that will tell me when passwords are reset and other concerning domain activity. You can get an idea of how powerful this can be, and using this setup has proven to be flexible and important in my daily routine.
Now that the items and triggers are set up, all that is left is to link your triggers to actions and send alarms based on them, so you get the jump on your users / adversaries.
SELinux - audit.log
A More Readable Form:
Prevent headaches - parse safely:
cat /var/log/audit/audit.log | audit2why
Denied:
Look for denied events: cat /var/log/audit/audit.log | grep denied
And it makes it easy to generate allow policies: cat /var/log/audit/audit.log | grep <service> | grep denied | audit2allow -M <service>
Review the generated <service>.te before loading it with semodule; audit2allow permits exactly what was denied, including access that should have stayed blocked.
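Before feeding denials to audit2allow, it helps to see which (process, permission, source context, target context) combinations are actually recurring. The script below is an added example, not from the original post: it summarises AVC denials from audit.log records on stdin, and the sample records in AUDIT_SAMPLE are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials by distinct tuple.
# Sample audit records below are constructed, not taken from a real host.
AUDIT_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  granted  { read } for  pid=2222 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1700000003.000:459): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Read audit records from stdin and print one line per distinct denial:
#   <count> <comm> <permissions> <scontext> <tcontext> <tclass>
# most frequent first. Granted AVC records are ignored.
summarize_denials() {
  grep 'avc:  denied' \
  | sed -n 's/.*denied  { \([a-z_ ]*[a-z_]\) } for .*comm="\([^"]*\)".*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 \1 \3 \4 \5/p' \
  | sort | uniq -c | sort -rn
}

# Number of distinct denial tuples seen on stdin (a quick "how much policy
# work is this" figure before reaching for audit2allow).
count_distinct_denials() {
  summarize_denials | wc -l | tr -d ' '
}

# Demo on the constructed sample; on a real host use:
#   summarize_denials < /var/log/audit/audit.log
printf '%s\n' "$AUDIT_SAMPLE" | summarize_denials
```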