├── .github
    └── ISSUE_TEMPLATE
    │   ├── bug_report.md
    │   └── feature_request.md
├── AD_DS_Health_and_Performance
    ├── 5.0
    │   └── AD_DS_Health_and_Performance.xml
    ├── 6.0
    │   └── AD_DS_Health_and_Performance.yaml
    ├── AD_DS_Health_and_Performance_ldap.png
    ├── AD_DS_Health_and_Performance_main.png
    ├── AD_DS_Health_and_Performance_netlogon.png
    └── README.md
├── AD_DS_Monitoring_Attack_Detection
    ├── 5.0
    │   └── AD_DS_Monitoring_Attack.xml
    ├── 6.0
    │   └── AD DS Monitoring and Attack Detection.yaml
    └── README.md
├── AD_DS_Security_Audit
    └── AD DS Security Audit.yaml
├── AD_СS_Health_and_Performance
    ├── AD_СS_Health_and_Performance.yaml
    └── README.md
├── LICENSE.md
├── Other Templates
    ├── Liebert CRV.xml
    ├── README.md
    ├── Template App MS SQL Multi Instance.xml
    ├── Template Windows 2012 R2 IIS Servers NODE.xml
    ├── Windows_template.xml
    └── get_sqldbs.ps1
├── RDS
    ├── RDS Session Host.xml
    ├── README.md
    ├── Template Windows 2012 R2 RDS Gateway.xml
    ├── Template Windows RDS Broker.yml
    ├── Template Windows RDS Gateway.yml
    ├── Template Windows RDS Licensing.yml
    └── Template Windows RDS Session.yml
├── README.md
├── _includes
    └── head-custom.html
└── icons
    ├── README.md
    ├── router_def.png
    ├── router_deg.png
    ├── router_disable.png
    ├── router_main.png
    ├── switch_def.png
    ├── switch_deg.png
    ├── switch_disable.png
    └── switch_main.png

/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''

---

**Describe the bug**
A clear and concise description of what the bug is.

**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

**Expected behavior**
A clear and concise description of what you expected to happen.

**Screenshots**
If applicable, add screenshots to help explain your problem.

**Desktop (please complete the following information):**
 - OS: [e.g. iOS]
 - Browser [e.g. chrome, safari]
 - Version [e.g. 22]

**Smartphone (please complete the following information):**
 - Device: [e.g. iPhone6]
 - OS: [e.g. iOS8.1]
 - Browser [e.g. stock browser, safari]
 - Version [e.g. 22]

**Additional context**
Add any other context about the problem here.

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: ''
assignees: ''

---

**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

**Describe the solution you'd like**
A clear and concise description of what you want to happen.

**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.

**Additional context**
Add any other context or screenshots about the feature request here.

--------------------------------------------------------------------------------
/AD_DS_Health_and_Performance/6.0/AD_DS_Health_and_Performance.yaml:
--------------------------------------------------------------------------------
zabbix_export:
  version: '6.0'
  date: '2024-12-28T06:46:06Z'
  groups:
    - uuid: b9390195ecad4986968746a2a9b56354
      name: 'My Templates'
  templates:
    - uuid: 01548d1b601f4732b8b26c229305e5bf
      template: 'AD DS Health and Performance'
      name: 'AD DS Health and Performance'
      description: |
        Template tooling version used: 2.06

        https://github.com/NikonovAleksei/zabbix/

        https://t.me/ad_zabbix_templates
      groups:
        - name: 'My Templates'
      items:
        - uuid: 510bed9780f54dbc94521c1afbd668b0
          name: 'Active Directory Web Services Events'
          type: ZABBIX_ACTIVE
          key: 'eventlog[Active Directory Web Services,,"Warning|Error|Critical"]'
          delay: 5m
          history: 1w
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'AD DS Events'
          triggers:
            - uuid: 09121ac7fa8a4b64b8b6f45acdd64b4d
              expression: 'logseverity(/AD DS Health and Performance/eventlog[Active Directory Web Services,,"Warning|Error|Critical"])>1 and nodata(/AD DS Health and Performance/eventlog[Active Directory Web Services,,"Warning|Error|Critical"],1800s)=0'
              name: 'Active Directory Web Services Error on {HOST.NAME}'
        - uuid: 6e038f783e4b44dc81038d0e3c3c7baf
          name: 'DFS Replication Events'
          type: ZABBIX_ACTIVE
          key: 'eventlog[DFS Replication,,"Warning|Error|Critical"]'
          delay: 5m
          history: 1w
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'AD DS Events'
          triggers:
            - uuid: bf64470533d0470895cdebd814a37dc2
              expression: 'logseverity(/AD DS Health and Performance/eventlog[DFS Replication,,"Warning|Error|Critical"])>1 and nodata(/AD DS Health and Performance/eventlog[DFS Replication,,"Warning|Error|Critical"],1800s)=0'
              name: 'DFS Replication Events Error on {HOST.NAME}'
        - uuid: 3bc63708ad4340b08d7d50f3d7af7129
          name: 'Directory Service Events'
          type: ZABBIX_ACTIVE
          key: 'eventlog[Directory Service,,"Warning|Error|Critical"]'
          delay: 5m
          history: 1w
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'AD DS Events'
          triggers:
            - uuid: f9e5c67afe0f4aa880c6ca2e11fec90c
              expression: 'logseverity(/AD DS Health and Performance/eventlog[Directory Service,,"Warning|Error|Critical"])>1 and nodata(/AD DS Health and Performance/eventlog[Directory Service,,"Warning|Error|Critical"],1800s)=0 and logeventid(/AD DS Health and Performance/eventlog[Directory Service,,"Warning|Error|Critical"],,"467")=1'
              name: 'AD database corrupted on {HOST.NAME}'
              priority: AVERAGE
            - uuid: 79e002ed7b0c4bff92ca5461083c0ba0
              expression: 'logseverity(/AD DS Health and Performance/eventlog[Directory Service,,"Warning|Error|Critical"])>1 and nodata(/AD DS Health and Performance/eventlog[Directory Service,,"Warning|Error|Critical"],1800s)=0'
              name: 'Directory Service Events Error on {HOST.NAME}'
            - uuid: 2a91cf8e09c24cc1a5aea2d19bb1b85d
              expression: 'logseverity(/AD DS Health and Performance/eventlog[Directory Service,,"Warning|Error|Critical"])>1 and nodata(/AD DS Health and Performance/eventlog[Directory Service,,"Warning|Error|Critical"],1800s)=0 and logeventid(/AD DS Health and Performance/eventlog[Directory Service,,"Warning|Error|Critical"],,"2042")=1'
              recovery_mode: NONE
              name: 'It has been too long since {HOST.NAME} replicated'
              url: 'https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/active-directory-replication-event-id-2042'
              priority: HIGH
              description: 'If a domain controller has not replicated with its partner for longer than a tombstone lifetime, it is possible that a lingering object problem exists on one or both domain controllers. The tombstone lifetime in an Active Directory forest determines how long a deleted object (called a "tombstone") is retained in Active Directory Domain Services (AD DS). The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition.'
              manual_close: 'YES'
            - uuid: b921f37a0fa94867a0be5f2761759ded
              expression: 'logseverity(/AD DS Health and Performance/eventlog[Directory Service,,"Warning|Error|Critical"])=4 and nodata(/AD DS Health and Performance/eventlog[Directory Service,,"Warning|Error|Critical"],1800s)=0 and logeventid(/AD DS Health and Performance/eventlog[Directory Service,,"Warning|Error|Critical"],,"2095")=1'
              recovery_mode: NONE
              name: 'The USN rollback on {HOST.NAME}'
              url: 'https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/detect-and-recover-from-usn-rollback'
              priority: DISASTER
              manual_close: 'YES'
            - uuid: 1a442151697b4f949135eb89e094b170
              expression: 'logseverity(/AD DS Health and Performance/eventlog[Directory Service,,"Warning|Error|Critical"])>1 and nodata(/AD DS Health and Performance/eventlog[Directory Service,,"Warning|Error|Critical"],1800s)=0 and logeventid(/AD DS Health and Performance/eventlog[Directory Service,,"Warning|Error|Critical"],,"2089")=1'
              name: 'This directory partition has not been backed up since at least the following number of days.'
              priority: WARNING
        - uuid: 318dcb7c692947e08f126e056f77827f
          name: 'DNS Server Events'
          type: ZABBIX_ACTIVE
          key: 'eventlog[DNS Server,,"Warning|Error|Critical"]'
          delay: 5m
          history: 1w
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'AD DS Events'
          triggers:
            - uuid: a600b41075964c11a5ddccd0989e3192
              expression: 'logseverity(/AD DS Health and Performance/eventlog[DNS Server,,"Warning|Error|Critical"])>1 and nodata(/AD DS Health and Performance/eventlog[DNS Server,,"Warning|Error|Critical"],1800s)=0'
              name: 'DNS Server Events Error on {HOST.NAME}'
            - uuid: e565c96b940c4ef0bb7b4b500678a98b
              # Fires only when the last warning event is ID 4515 (logeventid returns 1 on a match).
              expression: 'logseverity(/AD DS Health and Performance/eventlog[DNS Server,,"Warning|Error|Critical"])=2 and nodata(/AD DS Health and Performance/eventlog[DNS Server,,"Warning|Error|Critical"],600s)=0 and logeventid(/AD DS Health and Performance/eventlog[DNS Server,,"Warning|Error|Critical"],,"4515")=1'
              name: 'Duplicate DNS zones were detected on {HOST.NAME}'
              url: 'https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735755(v=ws.10)?redirectedfrom=MSDN'
              priority: WARNING
        - uuid: 1de63c44a0be46ef92569993c7720515
          name: 'Backup Status Events'
          type: ZABBIX_ACTIVE
          key: 'eventlog[Microsoft-Windows-Backup,,"Information|Error",,^(4|5)$]'
          delay: 5m
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'AD DS Events'
          triggers:
            - uuid: a06a5f794847445fbb107e3dd62d3950
              expression: 'logseverity(/AD DS Health and Performance/eventlog[Microsoft-Windows-Backup,,"Information|Error",,^(4|5)$])=4 and logeventid(/AD DS Health and Performance/eventlog[Microsoft-Windows-Backup,,"Information|Error",,^(4|5)$],,"5")=1'
              recovery_mode: NONE
              name: 'The backup operation has failed on {HOST.NAME}'
              priority: HIGH
              manual_close: 'YES'
            - uuid: d5af6011bbc545858e93c48aaff3d606
              expression: 'logseverity(/AD DS Health and Performance/eventlog[Microsoft-Windows-Backup,,"Information|Error",,^(4|5)$])=1 and nodata(/AD DS Health and Performance/eventlog[Microsoft-Windows-Backup,,"Information|Error",,^(4|5)$],600s)=0 and logeventid(/AD DS Health and Performance/eventlog[Microsoft-Windows-Backup,,"Information|Error",,^(4|5)$],,"4")=1'
              name: 'The backup operation has finished successfully on {HOST.NAME}'
              priority: INFO
        - uuid: a29d587fe5554b9cbb40f7e693dc44e4
          name: 'Windows Time Service Events'
          type: ZABBIX_ACTIVE
          key: 'eventlog[System,"Time-Service","Warning|Error|Critical"]'
          delay: 5m
          history: 1w
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'AD DS Events'
          triggers:
            - uuid: b3c089301e1a423198960720d54efe55
              expression: 'logseverity(/AD DS Health and Performance/eventlog[System,"Time-Service","Warning|Error|Critical"])=2 and nodata(/AD DS Health and Performance/eventlog[System,"Time-Service","Warning|Error|Critical"],600s)=0 and logeventid(/AD DS Health and Performance/eventlog[System,"Time-Service","Warning|Error|Critical"],,"134")=1'
              recovery_mode: NONE
              name: 'NtpClient was unable to set a manual peer to use as a time source on {HOST.NAME}'
              priority: WARNING
              manual_close: 'YES'
        - uuid: 1bc801ab1b39417ea4bafcc00291991d
          name: 'NETLOGON Events'
          type: ZABBIX_ACTIVE
          key: 'eventlog[System,,"Error","NETLOGON",^5723$]'
          delay: 5m
          history: 1w
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'AD DS Events'
          triggers:
            - uuid: 63a97106a4334ac4b4bbc99c86b1dea6
              expression: 'logseverity(/AD DS Health and Performance/eventlog[System,,"Error","NETLOGON",^5723$])>1 and nodata(/AD DS Health and Performance/eventlog[System,,"Error","NETLOGON",^5723$],1800s)=0'
              name: 'Netlogon Error on {HOST.NAME}'
              priority: WARNING
        - uuid: 24fd27b171794bc79fdad0e79109f335
          name: 'LogFile (Netlogon)'
          type: ZABBIX_ACTIVE
          key: 'log[c:\windows\debug\netlogon.log,"NO_CLIENT_SITE",,,skip,,,]'
          delay: 5m
          trends: '0'
          value_type: LOG
          logtimefmt: 'MM/ddphh:mm:ss'
          tags:
            - tag: Application
              value: 'AD DS Events'
          triggers:
            - uuid: 8362ec36534c4256a1b16f35e7bf62a3
              expression: 'nodata(/AD DS Health and Performance/log[c:\windows\debug\netlogon.log,"NO_CLIENT_SITE",,,skip,,,],3600)=0'
              name: 'Active Directory Missing IP Range < - > Site Allocations'
              priority: WARNING
              manual_close: 'YES'
        - uuid: 9a9fe288a0fc45f9aef947c52336bb08
          name: MaxConcurrentApi
          type: CALCULATED
          key: MaxConcurrentApi
          delay: 5m
          history: 1w
          value_type: FLOAT
          params: '(last(//perf_counter_en[\Netlogon(_Total)\Semaphore Acquires])+last(//perf_counter_en[\Netlogon(_Total)\Semaphore Timeouts]))*last(//perf_counter_en[\Netlogon(_Total)\Average Semaphore Hold Time])/90'
          description: 'https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/performance-tuning-ntlm-authentication-maxconcurrentapi'
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: 91dc10e30b9244cc8584124a159d303c
          name: 'LDAP Port is running'
          type: SIMPLE
          key: 'net.tcp.service[ldap]'
          history: 1w
          valuemap:
            name: 'Service state'
          tags:
            - tag: Application
              value: 'AD DS Network ports'
          triggers:
            - uuid: 261faef601b54be4acc42985f5f3d88f
              expression: 'max(/AD DS Health and Performance/net.tcp.service[ldap],#3)=0'
              name: 'LDAP service is down on {HOST.NAME}'
              priority: AVERAGE
        - uuid: 9422a131df6d413dbbd41036ed51a0e6
          name: 'Database Cache % Hit'
          key: 'perf_counter_en[\Database(lsass)\Database Cache % Hit]'
          history: 1w
          value_type: FLOAT
          units: '%'
          description: |
            Database Cache % Hit of LSASS
            perf_counter_en[\Database(lsass)\Database Cache % Hit]
          tags:
            - tag: Application
              value: 'AD DS Performance'
          triggers:
            - uuid: cd80f7b81de4450aac5eaa7044625269
              expression: 'min(/AD DS Health and Performance/perf_counter_en[\Database(lsass)\Database Cache % Hit],5m)<90'
              name: 'Database Cache % Hit < 90 % on {HOST.NAME}'
              priority: WARNING
        - uuid: 3db6e037983940d9be2c778c5d4bfade
          name: 'I/O Database Reads/sec'
          key: 'perf_counter_en[\Database ==> Instances(lsass/NTDSA)\I/O Database Reads/sec]'
          history: 1w
          value_type: FLOAT
          units: /s
          description: 'perf_counter_en[\Database ==> Instances(lsass/NTDSA)\I/O Database Reads/sec]'
          tags:
            - tag: Application
              value: 'AD DS Performance'
          triggers:
            - uuid: 71807bb6e6d0416fbaa68fb74833be03
              expression: 'min(/AD DS Health and Performance/perf_counter_en[\Database ==> Instances(lsass/NTDSA)\I/O Database Reads/sec],5m)>10'
              name: 'I/O Database Reads/sec > 10 on {HOST.NAME}'
              priority: WARNING
        - uuid: 7c33e63e882a48148348477a866a7545
          name: 'I/O Database Reads Average Latency'
          key: 'perf_counter_en[\Database ==> Instances(lsass/NTDSA)\I/O Database Reads Average Latency]'
          history: 1w
          value_type: FLOAT
          units: ms
          description: 'perf_counter_en[\Database ==> Instances(lsass/NTDSA)\I/O Database Reads Average Latency]'
          tags:
            - tag: Application
              value: 'AD DS Performance'
          triggers:
            - uuid: 4ba50e9ab3c548ed9f7670aaf2d9fc64
              expression: 'min(/AD DS Health and Performance/perf_counter_en[\Database ==> Instances(lsass/NTDSA)\I/O Database Reads Average Latency],5m)>15'
              name: 'I/O Database Reads Average Latency > 15ms on {HOST.NAME}'
              priority: WARNING
        - uuid: a0714f8bb24a482481d5c84f77962b80
          name: 'I/O Log Writes/sec'
          key: 'perf_counter_en[\Database ==> Instances(lsass/NTDSA)\I/O Log Writes/sec]'
          history: 1w
          value_type: FLOAT
          units: /s
          description: 'perf_counter_en[\Database ==> Instances(lsass/NTDSA)\I/O Log Writes/sec]'
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: e95e676378d24f9cb5cfe58da9e24218
          name: 'I/O Log Writes Average Latency'
          key: 'perf_counter_en[\Database ==> Instances(lsass/NTDSA)\I/O Log Writes Average Latency]'
          history: 1w
          value_type: FLOAT
          units: ms
          description: 'perf_counter_en[\Database ==> Instances(lsass/NTDSA)\I/O Log Writes Average Latency]'
          tags:
            - tag: Application
              value: 'AD DS Performance'
          triggers:
            - uuid: 611b5fa4963348ac8e79dae0bce0233f
              expression: 'min(/AD DS Health and Performance/perf_counter_en[\Database ==> Instances(lsass/NTDSA)\I/O Log Writes Average Latency],5m)>10'
              name: 'I/O Log Writes Average Latency > 10ms on {HOST.NAME}'
              priority: WARNING
        - uuid: ccb11bf658ec46b49f8e21d8c7d70862
          name: 'DFS Replicated Folders (Conflict Space In Use)'
          key: 'perf_counter_en[\DFS Replicated Folders(*)\Conflict Space In Use]'
          delay: 15m
          history: 1w
          value_type: FLOAT
          units: Bytes
          description: 'Monitoring the space utilization of the Conflict and Deleted area helps ensure that there is enough space to store replication conflicts and files deleted from replicated folders on the monitored computer. You can view a log of conflict files and their original file names by viewing the ConflictandDeletedManifest.xml file in the DfsrPrivate folder.'
          tags:
            - tag: Application
              value: 'AD DS Performance'
            - tag: test
              value: test
        - uuid: 166510803335410991d6ce07001613af
          name: 'DFS Replicated Folders (RDC Bytes Received)'
          key: 'perf_counter_en[\DFS Replicated Folders(*)\RDC Bytes Received]'
          delay: 5m
          history: 1w
          value_type: FLOAT
          tags:
            - tag: Application
              value: 'AD DS Performance'
            - tag: test
              value: test
        - uuid: 5830f88357dd402dbb0fc569c2583e89
          name: 'DFS Replicated Folders (Size of Files Received)'
          key: 'perf_counter_en[\DFS Replicated Folders(*)\Size of Files Received]'
          delay: 5m
          history: 1w
          value_type: FLOAT
          tags:
            - tag: Application
              value: 'AD DS Performance'
            - tag: test
              value: test
        - uuid: c0e15e6a5af64d7ba001eaa5b389cee9
          name: 'DFS Replicated Folders (Staging Space In Use)'
          key: 'perf_counter_en[\DFS Replicated Folders(*)\Staging Space In Use]'
          delay: 15m
          history: 1w
          value_type: FLOAT
          units: Bytes
          description: |
            This performance counter keeps track of the current disk space utilization for staging purposes, for each folder replicated by the monitored computer. Monitoring this performance counter enables administrators to understand the usage of each replicated folder’s staging area and figure out if the staging quotas need to be increased.
            (http://go.microsoft.com/fwlink/?LinkId=186944)
          tags:
            - tag: Application
              value: 'AD DS Performance'
            - tag: test
              value: test
        - uuid: 751a5e1b5a304c96a0061c6c7c6540b9
          name: 'DFS Replicated Folders (Total Files Received)'
          key: 'perf_counter_en[\DFS Replicated Folders(*)\Total Files Received]'
          delay: 5m
          history: 1w
          value_type: FLOAT
          tags:
            - tag: Application
              value: 'AD DS Performance'
            - tag: test
              value: test
        - uuid: 9017a9f8b3c04e1789e414fc25898476
          name: 'DFS Replication Connections (Bytes Received Per Second)'
          key: 'perf_counter_en[\DFS Replication Connections(*)\Bytes Received Per Second]'
          delay: 5m
          history: 1w
          value_type: FLOAT
          tags:
            - tag: Application
              value: 'AD DS Performance'
            - tag: test
              value: test
        - uuid: 94f2463710d3452395bb03bcc8d8f6b4
          name: 'LDAP Bind time'
          key: 'perf_counter_en[\DirectoryServices(NTDS)\LDAP Bind Time]'
          history: 1w
          value_type: FLOAT
          units: ms
          tags:
            - tag: Application
              value: 'AD DS Performance'
          triggers:
            - uuid: 7752639475134393b68b84abe8a63845
              expression: 'min(/AD DS Health and Performance/perf_counter_en[\DirectoryServices(NTDS)\LDAP Bind Time],5m)>20'
              name: 'LDAP Bind Time > 20ms on {HOST.NAME}'
              priority: WARNING
            - uuid: 721183e283f04b3185bc08dcaba5ffca
              expression: 'min(/AD DS Health and Performance/perf_counter_en[\DirectoryServices(NTDS)\LDAP Bind Time],5m)>30'
              name: 'LDAP Bind Time > 30ms on {HOST.NAME}'
              priority: AVERAGE
        - uuid: 32ecf8fa6fe84f3596e1eef6c996b33f
          name: 'Simple Binds/sec'
          key: 'perf_counter_en[\DirectoryServices(NTDS)\Simple Binds/sec]'
          history: 1w
          units: /s
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: fd3c312d6c944f4c8455a258dbb0ecd5
          name: 'DNS Total Query Received/sec'
          key: 'perf_counter_en[\DNS\Total Query Received/sec]'
          history: 1w
          value_type: FLOAT
          tags:
            - tag: Application
              value: 'AD DS Performance'
          triggers:
            - uuid: 917b85b5c5434af8b566f192e919aa41
              expression: 'max(/AD DS Health and Performance/perf_counter_en[\DNS\Total Query Received/sec],#3)>5000'
              name: 'DNS Total Query Received/sec >5000'
              opdata: 'Current value: {ITEM.LASTVALUE1}'
              priority: AVERAGE
            - uuid: 26fe1eb903814ec7b226df239ee0f949
              expression: 'max(/AD DS Health and Performance/perf_counter_en[\DNS\Total Query Received/sec],#3)>{$DNS.TOTAL.RECEIVED.MAX.WARN}'
              name: 'DNS Total Query Received/sec is too high'
              opdata: 'Current value: {ITEM.LASTVALUE1}'
              priority: WARNING
        - uuid: ee208fb7ec8741a4a9ed0dda0c06759d
          name: 'DNS Total Response Sent/sec'
          key: 'perf_counter_en[\DNS\Total Response Sent/sec]'
          history: 1w
          value_type: FLOAT
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: bc2630cd94024fefa3bfefc9b3050606
          name: 'DNS UDP Query Received/sec'
          key: 'perf_counter_en[\DNS\UDP Query Received/sec]'
          history: 1w
          value_type: FLOAT
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: 7df8baf26b5448dd810f00bee13eebe0
          name: 'DNS UDP Response Sent/sec'
          key: 'perf_counter_en[\DNS\UDP Response Sent/sec]'
          history: 1w
          value_type: FLOAT
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: eef53313a77a4640a2c6aca1d295ddc1
          name: 'Netlogon Average Semaphore Hold Time'
          key: 'perf_counter_en[\Netlogon(_Total)\Average Semaphore Hold Time]'
          history: 1w
          value_type: FLOAT
          units: s
          description: 'perf_counter_en[\Netlogon(*)\Average Semaphore Hold Time]'
          tags:
            - tag: Application
              value: 'AD DS Performance'
          triggers:
            - uuid: d1840f027bc44b2ab786f67dd25e81b5
              expression: 'min(/AD DS Health and Performance/perf_counter_en[\Netlogon(_Total)\Average Semaphore Hold Time],15m)>1'
              name: 'Average Semaphore Hold Time > 1s on {HOST.NAME}'
              priority: WARNING
        - uuid: 322ffe2dae1d4a7b8d0c96b435e332f4
          name: 'Netlogon Semaphore Acquires'
          key: 'perf_counter_en[\Netlogon(_Total)\Semaphore Acquires]'
          history: 1w
          value_type: FLOAT
          description: 'perf_counter_en[\Netlogon()\Semaphore Acquires]'
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: 87fc179f037c4983a7e34f3c30d061d3
          name: 'Netlogon Semaphore Timeouts'
          key: 'perf_counter_en[\Netlogon(_Total)\Semaphore Timeouts]'
          history: 1w
          value_type: FLOAT
          description: 'perf_counter_en[\Netlogon()\Semaphore Timeouts]'
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: e3063ed6bcb242d6ba43b4f3ca117ced
          name: 'DRA Inbound Bytes Total/sec'
          key: 'perf_counter_en[\NTDS\DRA Inbound Bytes Total/sec]'
          history: 1w
          value_type: FLOAT
          units: /s
          description: 'perf_counter_en[\NTDS\DRA Inbound Bytes Total/sec]'
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: edd8fbbf1dd449d495c03a6c895cbdb9
          name: 'DRA Inbound Object Updates Remaining in Packet'
          key: 'perf_counter_en[\NTDS\DRA Inbound Object Updates Remaining in Packet]'
          history: 1w
          value_type: FLOAT
          description: 'perf_counter_en[\NTDS\DRA Inbound Object Updates Remaining in Packet]'
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: c372fa1cf8404fff9ffcdf1c86497171
          name: 'DRA Outbound Bytes Total/sec'
          key: 'perf_counter_en[\NTDS\DRA Outbound Bytes Total/sec]'
          history: 1w
          value_type: FLOAT
          units: /s
          description: 'perf_counter_en[\NTDS\DRA Outbound Bytes Total/sec]'
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: ec722579ddf44498ae228a54231f0c5f
          name: 'DRA Pending Replication Synchronizations'
          key: 'perf_counter_en[\NTDS\DRA Pending Replication Synchronizations]'
          history: 1w
          value_type: FLOAT
          description: 'perf_counter_en[\NTDS\DRA Pending Replication Synchronizations]'
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: fe58cbd89ba94e34a70e09603bfda810
          name: 'LDAP Active Threads'
          key: 'perf_counter_en[\NTDS\LDAP Active Threads]'
          history: 1w
          value_type: FLOAT
          description: 'perf_counter_en[\NTDS\LDAP Active Threads]'
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: 27650f6d58c64c0bb07354ec74d636e9
          name: 'LDAP Client Sessions'
          key: 'perf_counter_en[\NTDS\LDAP Client Sessions]'
          history: 1w
          value_type: FLOAT
          tags:
            - tag: Application
              value: 'AD DS Performance'
          triggers:
            - uuid: 4a768cc34fc84e1aba5f8c07c622550e
              expression: 'max(/AD DS Health and Performance/perf_counter_en[\NTDS\LDAP Client Sessions],#3)>{$LDAP.CLIENT.SESSIONS.WARN}'
              name: 'LDAP Client Sessions more {$LDAP.CLIENT.SESSIONS.WARN}'
              opdata: 'Current value: {ITEM.LASTVALUE1}'
              priority: AVERAGE
        - uuid: 6a7ff5ef860a490b8b1bfd4b3a4cc0a2
          name: 'LDAP New Connections/sec'
          key: 'perf_counter_en[\NTDS\LDAP New Connections/sec]'
          history: 1w
          value_type: FLOAT
          units: /s
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: 2126892ecadd4995aef19854dec4a912
          name: 'LDAP New SSL Connections/sec'
          key: 'perf_counter_en[\NTDS\LDAP New SSL Connections/sec]'
          history: 1w
          value_type: FLOAT
          units: /s
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: 0a0508bd91f146669482a2bdc45749a7
          name: 'LDAP Searches/sec'
          key: 'perf_counter_en[\NTDS\LDAP Searches/sec]'
          history: 1w
          value_type: FLOAT
          units: /s
          description: 'perf_counter_en[\NTDS\LDAP Searches/sec]'
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: fb193d229d3b4757b289c8ad40f09b1a
          name: 'LDAP Writes/sec'
          key: 'perf_counter_en[\NTDS\LDAP Writes/sec]'
          history: 1w
          value_type: FLOAT
          units: /s
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: 74f30bad16e44877a869105e6f8bcc52
          name: 'LSASS Processor Time'
          key: 'perf_counter_en[\Process(lsass)\% Processor Time]'
          history: 1w
          value_type: FLOAT
          units: '%'
          description: |
            Metric Process % Processor Time of LSASS
            perf_counter_en[\Process(lsass)\% Processor Time]
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: 398955ae5e6745ba84b275862bca1031
          name: 'Kerberos Authentications'
          key: 'perf_counter_en[\Security system-wide statistics\Kerberos Authentications]'
          history: 1w
          value_type: FLOAT
          units: /s
          description: 'perf_counter[\Security system-wide statistics\Kerberos Authentications]'
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: 23535be77abd4eb5a262f9953978cf80
          name: 'NTLM Authentications'
          key: 'perf_counter_en[\Security system-wide statistics\NTLM Authentications]'
          history: 1w
          value_type: FLOAT
          units: /s
          description: 'perf_counter_en[\Security system-wide statistics\NTLM Authentications]'
          tags:
            - tag: Application
              value: 'AD DS Performance'
        - uuid: e007b544233a44be9ed85e44dfac372e
          name: 'State of service "ADWS" (Active Directory Web Services)'
          key: 'service.info[ADWS,state]'
          history: 1d
          valuemap:
            name: 'Windows service state'
          tags:
            - tag: Application
              value: 'AD DS Services'
          triggers:
            - uuid: a8a2eee271e44c719df1c8d72cc134ca
              expression: 'min(/AD DS Health and Performance/service.info[ADWS,state],#3)<>0'
              name: '"ADWS" (Active Directory Web Services) is not running'
              priority: AVERAGE
              description: 'The service has a state other than "Running" for the last three times.'
        - uuid: f3ecb9e253c6461ea76380065038691a
          name: 'State of service "DFSR" (DFS Replication)'
          key: 'service.info[DFSR,state]'
          history: 1d
          valuemap:
            name: 'Windows service state'
          tags:
            - tag: Application
              value: 'AD DS Services'
          triggers:
            - uuid: 371ead681bae4929b73b4d65226bc082
              expression: 'min(/AD DS Health and Performance/service.info[DFSR,state],#3)<>0'
              name: '"DFSR" (DFS Replication) is not running'
              priority: AVERAGE
              description: 'The service has a state other than "Running" for the last three times.'
        - uuid: d24b0eacadee48d489d32a01f17dd08f
          name: 'State of service "DNS" (DNS Server)'
          key: 'service.info[DNS,state]'
          history: 1d
          valuemap:
            name: 'Windows service state'
          tags:
            - tag: Application
              value: 'AD DS Services'
          triggers:
            - uuid: 9097e62875fb45a7bf1b9f79d5156239
              expression: 'min(/AD DS Health and Performance/service.info[DNS,state],#3)<>0'
              name: '"DNS" (DNS Server) is not running'
              priority: AVERAGE
              description: 'The service has a state other than "Running" for the last three times.'
        - uuid: 4e64610f63084ea4848725a0dbad3e1c
          name: 'State of service "Dnscache" (DNS Client)'
          key: 'service.info[Dnscache,state]'
          history: 1d
          valuemap:
            name: 'Windows service state'
          tags:
            - tag: Application
              value: 'AD DS Services'
          triggers:
            - uuid: 5a10432749cd4a7ab6f8d192bb5bd222
              expression: 'min(/AD DS Health and Performance/service.info[Dnscache,state],#3)<>0'
              name: '"Dnscache" (DNS Client) is not running'
              priority: AVERAGE
              description: 'The service has a state other than "Running" for the last three times.'
        - uuid: 3b2c1878d0d0457cacd23e66bb03372f
          name: 'State of service "IsmServ" (Intersite Messaging)'
          key: 'service.info[IsmServ,state]'
          history: 1d
          valuemap:
            name: 'Windows service state'
          tags:
            - tag: Application
              value: 'AD DS Services'
          triggers:
            - uuid: ce2622fb36554d82b66e0c46c4b6fbd1
              expression: 'min(/AD DS Health and Performance/service.info[IsmServ,state],#3)<>0'
              name: '"IsmServ" (Intersite Messaging) is not running'
              priority: AVERAGE
              description: 'The service has a state other than "Running" for the last three times.'
        - uuid: 471d8f66c77440c688130a9bdda37237
          name: 'State of service "Kdc" (Kerberos Key Distribution Center)'
          key: 'service.info[Kdc,state]'
          history: 1d
          valuemap:
            name: 'Windows service state'
          tags:
            - tag: Application
              value: 'AD DS Services'
          triggers:
            - uuid: 895be104e2f14c9e98c6690a751de807
              expression: 'min(/AD DS Health and Performance/service.info[Kdc,state],#3)<>0'
              name: '"Kdc" (Kerberos Key Distribution Center) is not running'
              priority: AVERAGE
              description: 'The service has a state other than "Running" for the last three times.'
673 | - uuid: abe4419278df46919650a2c7fb2529dc 674 | name: 'State of service "LanmanServer" (Server)' 675 | key: 'service.info[LanmanServer,state]' 676 | history: 1d 677 | valuemap: 678 | name: 'Windows service state' 679 | tags: 680 | - tag: Application 681 | value: 'AD DS Services' 682 | triggers: 683 | - uuid: 0afc16b4bfed4c4ebb2aa6834b531c41 684 | expression: 'min(/AD DS Health and Performance/service.info[LanmanServer,state],#3)<>0' 685 | name: '"LanmanServer" (Server) is not running' 686 | priority: AVERAGE 687 | description: 'The service has a state other than "Running" for the last three times.' 688 | - uuid: d7703e9177ed4bb3b39a26ffd4a05d01 689 | name: 'State of service "LanmanWorkstation" (Workstation)' 690 | key: 'service.info[LanmanWorkstation,state]' 691 | history: 1d 692 | valuemap: 693 | name: 'Windows service state' 694 | tags: 695 | - tag: Application 696 | value: 'AD DS Services' 697 | triggers: 698 | - uuid: bb91058e225146e9a9e4e9766c5b1b06 699 | expression: 'min(/AD DS Health and Performance/service.info[LanmanWorkstation,state],#3)<>0' 700 | name: '"LanmanWorkstation" (Workstation) is not running' 701 | priority: AVERAGE 702 | description: 'The service has a state other than "Running" for the last three times.' 703 | - uuid: b4211d9f04584ecd82347bd0d6b2f8a2 704 | name: 'State of service "Netlogon" (Netlogon)' 705 | key: 'service.info[Netlogon,state]' 706 | history: 1d 707 | valuemap: 708 | name: 'Windows service state' 709 | tags: 710 | - tag: Application 711 | value: 'AD DS Services' 712 | triggers: 713 | - uuid: f1895bf3a38e4c048b80ebdd913f4770 714 | expression: 'min(/AD DS Health and Performance/service.info[Netlogon,state],#3)<>0' 715 | name: '"Netlogon" (Netlogon) is not running' 716 | priority: AVERAGE 717 | description: 'The service has a state other than "Running" for the last three times.' 
718 | - uuid: 0fcaf720a8db467192cbec1f5563ed58 719 | name: 'State of service "NTDS" (Active Directory Domain Services)' 720 | key: 'service.info[NTDS,state]' 721 | history: 1d 722 | valuemap: 723 | name: 'Windows service state' 724 | tags: 725 | - tag: Application 726 | value: 'AD DS Services' 727 | triggers: 728 | - uuid: b42db952b21e4019a09f5fca8d6be49d 729 | expression: 'min(/AD DS Health and Performance/service.info[NTDS,state],#3)<>0' 730 | name: '"NTDS" (Active Directory Domain Services) is not running' 731 | priority: AVERAGE 732 | description: 'The service has a state other than "Running" for the last three times.' 733 | - uuid: 8117eba15a204854b3ac605add3ee3ec 734 | name: 'State of service "RpcSs" (Remote Procedure Call (RPC))' 735 | key: 'service.info[RpcSs,state]' 736 | history: 1d 737 | valuemap: 738 | name: 'Windows service state' 739 | tags: 740 | - tag: Application 741 | value: 'AD DS Services' 742 | triggers: 743 | - uuid: db76b01249334eb4911984f9ae4c52dc 744 | expression: 'min(/AD DS Health and Performance/service.info[RpcSs,state],#3)<>0' 745 | name: '"RpcSs" (Remote Procedure Call (RPC)) is not running' 746 | priority: AVERAGE 747 | description: 'The service has a state other than "Running" for the last three times.' 748 | - uuid: 05f4a569578c407cb0b23e52eba2f866 749 | name: 'State of service "SamSs" (Security Accounts Manager)' 750 | key: 'service.info[SamSs,state]' 751 | history: 1d 752 | valuemap: 753 | name: 'Windows service state' 754 | tags: 755 | - tag: Application 756 | value: 'AD DS Services' 757 | triggers: 758 | - uuid: 82bbbb1b26ae43a1b5e26d5d0079c7b1 759 | expression: 'min(/AD DS Health and Performance/service.info[SamSs,state],#3)<>0' 760 | name: '"SamSs" (Security Accounts Manager) is not running' 761 | priority: AVERAGE 762 | description: 'The service has a state other than "Running" for the last three times.' 
763 | - uuid: bd16befae95d43e88908648d833e1b83 764 | name: 'State of service "W32Time" (Windows Time)' 765 | key: 'service.info[W32Time,state]' 766 | history: 1d 767 | valuemap: 768 | name: 'Windows service state' 769 | tags: 770 | - tag: Application 771 | value: 'AD DS Services' 772 | triggers: 773 | - uuid: cde0194677d94601a9a15d7bf5a62cb4 774 | expression: 'min(/AD DS Health and Performance/service.info[W32Time,state],#3)<>0' 775 | name: '"W32Time" (Windows Time) is not running' 776 | priority: AVERAGE 777 | description: 'The service has a state other than "Running" for the last three times.' 778 | - uuid: 470f2bbce13b45bba53e816e843af348 779 | name: 'SYSVOL Size' 780 | key: 'vfs.dir.size["{$ADSYSVOL_PATH}"]' 781 | delay: 12h 782 | history: 1w 783 | units: Bytes 784 | tags: 785 | - tag: Application 786 | value: 'AD DS Storage' 787 | - uuid: ba3ea33ddbe0483aa1dd88c68b1e517b 788 | name: 'Database Size' 789 | key: 'vfs.file.size["{$ADDB_PATH}"]' 790 | delay: 1h 791 | history: 1w 792 | units: Bytes 793 | tags: 794 | - tag: Application 795 | value: 'AD DS Storage' 796 | - uuid: dc3cc0c66aa145c1bceab822e32c6556 797 | name: 'Log File Size' 798 | key: 'vfs.file.size["{$ADLOG_PATH}"]' 799 | delay: 1h 800 | history: 1w 801 | units: Bytes 802 | tags: 803 | - tag: Application 804 | value: 'AD DS Storage' 805 | macros: 806 | - macro: '{$ADDB_PATH}' 807 | value: 'c:\windows\ntds\ntds.dit' 808 | - macro: '{$ADLOG_PATH}' 809 | value: 'c:\windows\ntds\edb.log' 810 | - macro: '{$ADSYSVOL_PATH}' 811 | value: 'c:\windows\SYSVOL' 812 | - macro: '{$DNS.TOTAL.RECEIVED.MAX.WARN}' 813 | value: '500' 814 | description: 'Baseline for DNS.TOTAL.RECEIVED' 815 | - macro: '{$LDAP.CLIENT.SESSIONS.WARN}' 816 | value: '1000' 817 | description: 'Baseline for LDAP.CLIENT.SESSIONS' 818 | dashboards: 819 | - uuid: 4a4228994faa45e986d06e13aa970d5d 820 | name: 'AD DS Health and Performance' 821 | pages: 822 | - name: Main 823 | widgets: 824 | - type: GRAPH_CLASSIC 825 | width: '12' 826 | height: '5' 
827 | fields: 828 | - type: GRAPH 829 | name: graphid 830 | value: 831 | host: 'AD DS Health and Performance' 832 | name: 'AD DS DB and Log Size' 833 | - type: GRAPH_CLASSIC 834 | 'y': '5' 835 | width: '12' 836 | height: '5' 837 | fields: 838 | - type: GRAPH 839 | name: graphid 840 | value: 841 | host: 'AD DS Health and Performance' 842 | name: 'AD DS Authentications' 843 | - type: GRAPH_CLASSIC 844 | 'y': '10' 845 | width: '12' 846 | height: '5' 847 | fields: 848 | - type: GRAPH 849 | name: graphid 850 | value: 851 | host: 'AD DS Health and Performance' 852 | name: 'DNS Statistics' 853 | - type: GRAPH_CLASSIC 854 | 'y': '15' 855 | width: '12' 856 | height: '5' 857 | fields: 858 | - type: GRAPH 859 | name: graphid 860 | value: 861 | host: 'AD DS Health and Performance' 862 | name: 'Database ==> Instances Statistics' 863 | - type: GRAPH_CLASSIC 864 | x: '12' 865 | width: '12' 866 | height: '5' 867 | fields: 868 | - type: GRAPH 869 | name: graphid 870 | value: 871 | host: 'AD DS Health and Performance' 872 | name: 'LSASS Processor Time' 873 | - type: GRAPH_CLASSIC 874 | x: '12' 875 | 'y': '5' 876 | width: '12' 877 | height: '5' 878 | fields: 879 | - type: GRAPH 880 | name: graphid 881 | value: 882 | host: 'AD DS Health and Performance' 883 | name: 'LDAP Statistics' 884 | - type: GRAPH_CLASSIC 885 | x: '12' 886 | 'y': '10' 887 | width: '12' 888 | height: '5' 889 | fields: 890 | - type: GRAPH 891 | name: graphid 892 | value: 893 | host: 'AD DS Health and Performance' 894 | name: 'DRA Statistics' 895 | - name: 'LDAP Statistics' 896 | display_period: '60' 897 | widgets: 898 | - type: GRAPH_CLASSIC 899 | width: '12' 900 | height: '5' 901 | fields: 902 | - type: GRAPH 903 | name: graphid 904 | value: 905 | host: 'AD DS Health and Performance' 906 | name: 'LDAP Statistics' 907 | - type: GRAPH_CLASSIC 908 | name: 'LDAP Bind Time' 909 | 'y': '5' 910 | width: '12' 911 | height: '5' 912 | fields: 913 | - type: GRAPH 914 | name: graphid 915 | value: 916 | host: 'AD DS Health and 
Performance' 917 | name: 'LDAP Bind Time' 918 | - type: GRAPH_CLASSIC 919 | x: '12' 920 | width: '12' 921 | height: '5' 922 | fields: 923 | - type: GRAPH 924 | name: graphid 925 | value: 926 | host: 'AD DS Health and Performance' 927 | name: 'LDAP Statistics of Connections Type' 928 | - type: GRAPH_CLASSIC 929 | name: 'Simple Binds/sec' 930 | x: '12' 931 | 'y': '5' 932 | width: '12' 933 | height: '5' 934 | fields: 935 | - type: GRAPH 936 | name: graphid 937 | value: 938 | host: 'AD DS Health and Performance' 939 | name: 'Simple Binds' 940 | - name: NetLogon 941 | widgets: 942 | - type: GRAPH_CLASSIC 943 | width: '12' 944 | height: '5' 945 | fields: 946 | - type: GRAPH 947 | name: graphid 948 | value: 949 | host: 'AD DS Health and Performance' 950 | name: NetLogon 951 | - type: GRAPH_CLASSIC 952 | x: '12' 953 | width: '12' 954 | height: '5' 955 | fields: 956 | - type: GRAPH 957 | name: graphid 958 | value: 959 | host: 'AD DS Health and Performance' 960 | name: 'AD DS Authentications' 961 | - name: DFSR 962 | widgets: 963 | - type: GRAPH_CLASSIC 964 | name: 'SYSVOL size' 965 | width: '12' 966 | height: '5' 967 | fields: 968 | - type: ITEM 969 | name: itemid 970 | value: 971 | host: 'AD DS Health and Performance' 972 | key: 'vfs.dir.size["{$ADSYSVOL_PATH}"]' 973 | - type: INTEGER 974 | name: show_legend 975 | value: '0' 976 | - type: INTEGER 977 | name: source_type 978 | value: '1' 979 | - type: GRAPH_CLASSIC 980 | x: '12' 981 | width: '12' 982 | height: '5' 983 | fields: 984 | - type: GRAPH 985 | name: graphid 986 | value: 987 | host: 'AD DS Health and Performance' 988 | name: 'Bandwidth usage (SYSVOL)' 989 | - type: GRAPH_CLASSIC 990 | x: '12' 991 | 'y': '5' 992 | width: '12' 993 | height: '5' 994 | fields: 995 | - type: GRAPH 996 | name: graphid 997 | value: 998 | host: 'AD DS Health and Performance' 999 | name: 'DFS Replicated Folders (Space In Use)' 1000 | valuemaps: 1001 | - uuid: 7d7a9ff770b0415781bbc49c400a60ed 1002 | name: 'Service state' 1003 | mappings: 
1004 | - value: '0' 1005 | newvalue: Down 1006 | - value: '1' 1007 | newvalue: Up 1008 | - uuid: 533232df55a847d4861fd1dd95d73baa 1009 | name: 'Windows service state' 1010 | mappings: 1011 | - value: '0' 1012 | newvalue: Running 1013 | - value: '1' 1014 | newvalue: Paused 1015 | - value: '2' 1016 | newvalue: 'Start pending' 1017 | - value: '3' 1018 | newvalue: 'Pause pending' 1019 | - value: '4' 1020 | newvalue: 'Continue pending' 1021 | - value: '5' 1022 | newvalue: 'Stop pending' 1023 | - value: '6' 1024 | newvalue: Stopped 1025 | - value: '7' 1026 | newvalue: Unknown 1027 | - value: '255' 1028 | newvalue: 'No such service' 1029 | graphs: 1030 | - uuid: e0e4a9ff9ece4fa6b353ea55412f6763 1031 | name: 'AD DS Authentications' 1032 | ymin_type_1: FIXED 1033 | graph_items: 1034 | - color: 1A7C11 1035 | item: 1036 | host: 'AD DS Health and Performance' 1037 | key: 'perf_counter_en[\Security system-wide statistics\Kerberos Authentications]' 1038 | - sortorder: '1' 1039 | color: F63100 1040 | item: 1041 | host: 'AD DS Health and Performance' 1042 | key: 'perf_counter_en[\Security system-wide statistics\NTLM Authentications]' 1043 | - uuid: bc99aef7310540cfa51279096b10d1ec 1044 | name: 'AD DS DB and Log Size' 1045 | ymin_type_1: FIXED 1046 | graph_items: 1047 | - color: 1A7C11 1048 | item: 1049 | host: 'AD DS Health and Performance' 1050 | key: 'vfs.file.size["{$ADDB_PATH}"]' 1051 | - sortorder: '1' 1052 | color: F63100 1053 | item: 1054 | host: 'AD DS Health and Performance' 1055 | key: 'vfs.file.size["{$ADLOG_PATH}"]' 1056 | - uuid: 0344f169f0c84af2be15aa0ef5f2609a 1057 | name: 'Bandwidth usage (SYSVOL)' 1058 | ymin_type_1: FIXED 1059 | graph_items: 1060 | - color: 199C0D 1061 | calc_fnc: ALL 1062 | item: 1063 | host: 'AD DS Health and Performance' 1064 | key: 'perf_counter_en[\DFS Replication Connections(*)\Bytes Received Per Second]' 1065 | - uuid: d2bf271b0e4d4a33af6ffb19f8e289f2 1066 | name: 'Database ==> Instances Statistics' 1067 | ymin_type_1: FIXED 1068 | 
graph_items: 1069 | - color: 1A7C11 1070 | yaxisside: RIGHT 1071 | item: 1072 | host: 'AD DS Health and Performance' 1073 | key: 'perf_counter_en[\Database ==> Instances(lsass/NTDSA)\I/O Database Reads/sec]' 1074 | - sortorder: '1' 1075 | color: F63100 1076 | item: 1077 | host: 'AD DS Health and Performance' 1078 | key: 'perf_counter_en[\Database ==> Instances(lsass/NTDSA)\I/O Database Reads Average Latency]' 1079 | - sortorder: '2' 1080 | color: 2774A4 1081 | yaxisside: RIGHT 1082 | item: 1083 | host: 'AD DS Health and Performance' 1084 | key: 'perf_counter_en[\Database ==> Instances(lsass/NTDSA)\I/O Log Writes/sec]' 1085 | - sortorder: '3' 1086 | color: A54F10 1087 | item: 1088 | host: 'AD DS Health and Performance' 1089 | key: 'perf_counter_en[\Database ==> Instances(lsass/NTDSA)\I/O Log Writes Average Latency]' 1090 | - uuid: 5974bc3d6bad4d50add4e160a324f396 1091 | name: 'DFS Replicated Folders (Space In Use)' 1092 | show_triggers: 'NO' 1093 | ymin_type_1: FIXED 1094 | graph_items: 1095 | - color: 199C0D 1096 | calc_fnc: ALL 1097 | item: 1098 | host: 'AD DS Health and Performance' 1099 | key: 'perf_counter_en[\DFS Replicated Folders(*)\Staging Space In Use]' 1100 | - sortorder: '1' 1101 | color: F63100 1102 | calc_fnc: ALL 1103 | item: 1104 | host: 'AD DS Health and Performance' 1105 | key: 'perf_counter_en[\DFS Replicated Folders(*)\Conflict Space In Use]' 1106 | - uuid: c82983dceaa142ba9a9307cd0963f2ce 1107 | name: 'DNS Statistics' 1108 | ymin_type_1: FIXED 1109 | graph_items: 1110 | - color: 00FF00 1111 | calc_fnc: ALL 1112 | item: 1113 | host: 'AD DS Health and Performance' 1114 | key: 'perf_counter_en[\DNS\Total Query Received/sec]' 1115 | - sortorder: '1' 1116 | color: FF4000 1117 | calc_fnc: ALL 1118 | item: 1119 | host: 'AD DS Health and Performance' 1120 | key: 'perf_counter_en[\DNS\Total Response Sent/sec]' 1121 | - sortorder: '2' 1122 | color: 81C784 1123 | calc_fnc: ALL 1124 | item: 1125 | host: 'AD DS Health and Performance' 1126 | key: 
'perf_counter_en[\DNS\UDP Query Received/sec]' 1127 | - sortorder: '3' 1128 | color: FFAB91 1129 | calc_fnc: ALL 1130 | item: 1131 | host: 'AD DS Health and Performance' 1132 | key: 'perf_counter_en[\DNS\UDP Response Sent/sec]' 1133 | - uuid: 8abeb5f241e14635a3ba13d12fed6b07 1134 | name: 'DRA Statistics' 1135 | ymin_type_1: FIXED 1136 | graph_items: 1137 | - color: 1A7C11 1138 | item: 1139 | host: 'AD DS Health and Performance' 1140 | key: 'perf_counter_en[\NTDS\DRA Inbound Object Updates Remaining in Packet]' 1141 | - sortorder: '1' 1142 | color: F63100 1143 | item: 1144 | host: 'AD DS Health and Performance' 1145 | key: 'perf_counter_en[\NTDS\DRA Pending Replication Synchronizations]' 1146 | - sortorder: '2' 1147 | color: 2774A4 1148 | yaxisside: RIGHT 1149 | item: 1150 | host: 'AD DS Health and Performance' 1151 | key: 'perf_counter_en[\NTDS\DRA Inbound Bytes Total/sec]' 1152 | - sortorder: '3' 1153 | color: A54F10 1154 | yaxisside: RIGHT 1155 | item: 1156 | host: 'AD DS Health and Performance' 1157 | key: 'perf_counter_en[\NTDS\DRA Outbound Bytes Total/sec]' 1158 | - uuid: 64ee2922612e465d9e17b9dd52ef9833 1159 | name: 'LDAP Bind Time' 1160 | ymin_type_1: FIXED 1161 | graph_items: 1162 | - color: 199C0D 1163 | calc_fnc: ALL 1164 | item: 1165 | host: 'AD DS Health and Performance' 1166 | key: 'perf_counter_en[\DirectoryServices(NTDS)\LDAP Bind Time]' 1167 | - uuid: 2833f9419ee542f794a3d78a22761661 1168 | name: 'LDAP Statistics' 1169 | ymin_type_1: FIXED 1170 | graph_items: 1171 | - color: 1A7C11 1172 | calc_fnc: ALL 1173 | item: 1174 | host: 'AD DS Health and Performance' 1175 | key: 'perf_counter_en[\NTDS\LDAP Client Sessions]' 1176 | - sortorder: '1' 1177 | color: F63100 1178 | calc_fnc: ALL 1179 | item: 1180 | host: 'AD DS Health and Performance' 1181 | key: 'perf_counter_en[\NTDS\LDAP Searches/sec]' 1182 | - sortorder: '2' 1183 | color: 2774A4 1184 | calc_fnc: ALL 1185 | item: 1186 | host: 'AD DS Health and Performance' 1187 | key: 'perf_counter_en[\NTDS\LDAP 
Writes/sec]' 1188 | - uuid: 91df9727746a42ec867177f5314aabf5 1189 | name: 'LDAP Statistics of Connections Type' 1190 | ymin_type_1: FIXED 1191 | graph_items: 1192 | - color: FF0000 1193 | calc_fnc: ALL 1194 | item: 1195 | host: 'AD DS Health and Performance' 1196 | key: 'perf_counter_en[\NTDS\LDAP New Connections/sec]' 1197 | - sortorder: '1' 1198 | color: 00FF00 1199 | calc_fnc: ALL 1200 | item: 1201 | host: 'AD DS Health and Performance' 1202 | key: 'perf_counter_en[\NTDS\LDAP New SSL Connections/sec]' 1203 | - uuid: 884320ad4d09490bafa58242da0fdc9a 1204 | name: 'LSASS Processor Time' 1205 | show_work_period: 'NO' 1206 | show_triggers: 'NO' 1207 | show_legend: 'NO' 1208 | ymin_type_1: FIXED 1209 | ymax_type_1: FIXED 1210 | graph_items: 1211 | - drawtype: FILLED_REGION 1212 | color: 1A7C11 1213 | item: 1214 | host: 'AD DS Health and Performance' 1215 | key: 'perf_counter_en[\Process(lsass)\% Processor Time]' 1216 | - uuid: e18badff90144a639a25836bfa0f78d2 1217 | name: NetLogon 1218 | ymin_type_1: FIXED 1219 | graph_items: 1220 | - color: 199C0D 1221 | calc_fnc: ALL 1222 | item: 1223 | host: 'AD DS Health and Performance' 1224 | key: 'perf_counter_en[\Netlogon(_Total)\Average Semaphore Hold Time]' 1225 | - sortorder: '1' 1226 | color: F63100 1227 | calc_fnc: ALL 1228 | item: 1229 | host: 'AD DS Health and Performance' 1230 | key: 'perf_counter_en[\Netlogon(_Total)\Semaphore Acquires]' 1231 | - sortorder: '2' 1232 | color: 2774A4 1233 | yaxisside: RIGHT 1234 | calc_fnc: ALL 1235 | item: 1236 | host: 'AD DS Health and Performance' 1237 | key: 'perf_counter_en[\Netlogon(_Total)\Semaphore Timeouts]' 1238 | - uuid: 211e8e78c01d4c56b92b42b0928c0fa5 1239 | name: 'Simple Binds' 1240 | ymin_type_1: FIXED 1241 | graph_items: 1242 | - color: 199C0D 1243 | calc_fnc: ALL 1244 | item: 1245 | host: 'AD DS Health and Performance' 1246 | key: 'perf_counter_en[\DirectoryServices(NTDS)\Simple Binds/sec]' 1247 | 
-------------------------------------------------------------------------------- /AD_DS_Health_and_Performance/AD_DS_Health_and_Performance_ldap.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NikonovAleksei/zabbix/165fa9ac15c298718946a37d82f4a56e1301de45/AD_DS_Health_and_Performance/AD_DS_Health_and_Performance_ldap.png -------------------------------------------------------------------------------- /AD_DS_Health_and_Performance/AD_DS_Health_and_Performance_main.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NikonovAleksei/zabbix/165fa9ac15c298718946a37d82f4a56e1301de45/AD_DS_Health_and_Performance/AD_DS_Health_and_Performance_main.png -------------------------------------------------------------------------------- /AD_DS_Health_and_Performance/AD_DS_Health_and_Performance_netlogon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NikonovAleksei/zabbix/165fa9ac15c298718946a37d82f4a56e1301de45/AD_DS_Health_and_Performance/AD_DS_Health_and_Performance_netlogon.png -------------------------------------------------------------------------------- /AD_DS_Health_and_Performance/README.md: -------------------------------------------------------------------------------- 1 | ## changelog 2 | -------------------------------------------------------------------------------- /AD_DS_Monitoring_Attack_Detection/6.0/AD DS Monitoring and Attack Detection.yaml: -------------------------------------------------------------------------------- 1 | zabbix_export: 2 | version: '6.0' 3 | date: '2023-12-08T06:05:49Z' 4 | groups: 5 | - uuid: b9390195ecad4986968746a2a9b56354 6 | name: 'My Templates' 7 | templates: 8 | - uuid: 89ce3597149b4bd986a3ae02fc862070 9 | template: 'AD DS Monitoring and Attack Detection' 10 | name: 'AD DS Monitoring and Attack Detection' 11 | description: | 
12 | Template tooling version used: 2.00 13 | 14 | https://github.com/NikonovAleksei/zabbix/ 15 | 16 | https://t.me/ad_zabbix_templates 17 | groups: 18 | - name: 'My Templates' 19 | items: 20 | - uuid: 33573c0f8f204c769e4f76df36c5a193 21 | name: 'Windows Security (ID1102)' 22 | type: ZABBIX_ACTIVE 23 | key: 'eventlog[Security,,,,^1102$]' 24 | delay: 5m 25 | history: 1w 26 | trends: '0' 27 | value_type: LOG 28 | description: 'The audit log was cleared.' 29 | tags: 30 | - tag: Application 31 | value: 'Security events' 32 | triggers: 33 | - uuid: 185aea205c1d44a59319d0c1782b0830 34 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^1102$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^1102$],600s)=0' 35 | name: 'The audit log was cleared.' 36 | priority: HIGH 37 | description: 'The audit log was cleared.' 38 | - uuid: d16269d4fd1643a3a757cbdce60dd465 39 | name: 'Windows Security (ID4618)' 40 | type: ZABBIX_ACTIVE 41 | key: 'eventlog[Security,,,,^4618$]' 42 | delay: 5m 43 | history: 1w 44 | trends: '0' 45 | value_type: LOG 46 | description: 'A monitored security event pattern has occurred.' 47 | tags: 48 | - tag: Application 49 | value: 'Security events' 50 | triggers: 51 | - uuid: f408b5f6ec734930922184e8e0c99cd8 52 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4618$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4618$],600s)=0' 53 | name: 'A monitored security event pattern has occurred.' 54 | priority: HIGH 55 | description: 'A monitored security event pattern has occurred.' 56 | - uuid: 046a62e2ca024291b8d9f67693394c48 57 | name: 'Windows Security (ID4621)' 58 | type: ZABBIX_ACTIVE 59 | key: 'eventlog[Security,,,,^4621$]' 60 | delay: 5m 61 | history: 1w 62 | trends: '0' 63 | value_type: LOG 64 | description: 'Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. 
Some auditable activity might not have been recorded.' 65 | tags: 66 | - tag: Application 67 | value: 'Security events' 68 | triggers: 69 | - uuid: b6d72d415ab44860bd270e33a87573bf 70 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4621$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4621$],600s)=0' 71 | name: 'Administrator recovered system from CrashOnAuditFail.' 72 | priority: AVERAGE 73 | description: 'Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.' 74 | - uuid: ed687d6177da4b20b9743058b18c9386 75 | name: 'Windows Security (ID4649)' 76 | type: ZABBIX_ACTIVE 77 | key: 'eventlog[Security,,,,^4649$]' 78 | delay: 5m 79 | history: 1w 80 | trends: '0' 81 | value_type: LOG 82 | description: 'A replay attack was detected. May be a harmless false positive due to misconfiguration error.' 83 | tags: 84 | - tag: Application 85 | value: 'Security events' 86 | triggers: 87 | - uuid: 6da449d5ad134d858af9ddd7471949e7 88 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4649$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4649$],600s)=0' 89 | name: 'A replay attack was detected. May be a harmless false positive due to misconfiguration error.' 90 | priority: HIGH 91 | description: 'A replay attack was detected. May be a harmless false positive due to misconfiguration error.' 92 | - uuid: 1810b6b6320240d383d501ca61cf275b 93 | name: 'Windows Security (ID4675)' 94 | type: ZABBIX_ACTIVE 95 | key: 'eventlog[Security,,,,^4675$]' 96 | delay: 5m 97 | history: 1w 98 | trends: '0' 99 | value_type: LOG 100 | description: 'SIDs were filtered.' 
101 | tags: 102 | - tag: Application 103 | value: 'Security events' 104 | triggers: 105 | - uuid: eb45923767fe450aa47dcfe3eb2213bf 106 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4675$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4675$],600s)=0' 107 | name: 'SIDs were filtered.' 108 | priority: AVERAGE 109 | description: 'SIDs were filtered.' 110 | - uuid: e7a7d48236c847dca4032645268abf8f 111 | name: 'Windows Security (ID4692)' 112 | type: ZABBIX_ACTIVE 113 | key: 'eventlog[Security,,,,^4692$]' 114 | delay: 5m 115 | history: 1w 116 | trends: '0' 117 | value_type: LOG 118 | description: 'Backup of data protection master key was attempted.' 119 | tags: 120 | - tag: Application 121 | value: 'Security events' 122 | triggers: 123 | - uuid: eeaade36a89c47bfbbd92ee2ad4e71f5 124 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4692$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4692$],600s)=0' 125 | name: 'Backup of data protection master key was attempted.' 126 | priority: AVERAGE 127 | description: 'Backup of data protection master key was attempted.' 128 | - uuid: a21ab5f1630145f19b87e78a531ca074 129 | name: 'Windows Security (ID4693)' 130 | type: ZABBIX_ACTIVE 131 | key: 'eventlog[Security,,,,^4693$]' 132 | delay: 5m 133 | history: 1w 134 | trends: '0' 135 | value_type: LOG 136 | description: 'Recovery of data protection master key was attempted.' 137 | tags: 138 | - tag: Application 139 | value: 'Security events' 140 | triggers: 141 | - uuid: 3d8744411ebb41ea9c305b732e3fd9f2 142 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4693$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4693$],600s)=0' 143 | name: 'Recovery of data protection master key was attempted.' 144 | priority: AVERAGE 145 | description: 'Recovery of data protection master key was attempted.' 
146 | - uuid: 0983d27e871145fe9f7e4d0e391de4a7 147 | name: 'Windows Security (ID4706)' 148 | type: ZABBIX_ACTIVE 149 | key: 'eventlog[Security,,,,^4706$]' 150 | delay: 5m 151 | history: 1w 152 | trends: '0' 153 | value_type: LOG 154 | description: 'A new trust was created to a domain.' 155 | tags: 156 | - tag: Application 157 | value: 'Security events' 158 | triggers: 159 | - uuid: d32365ca7f514bcba4fd7e2bb958a975 160 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4706$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4706$],600s)=0' 161 | name: 'A new trust was created to a domain.' 162 | priority: AVERAGE 163 | description: 'A new trust was created to a domain.' 164 | - uuid: ac64ad065d3d43618232465f997326d0 165 | name: 'Windows Security (ID4713)' 166 | type: ZABBIX_ACTIVE 167 | key: 'eventlog[Security,,,,^4713$]' 168 | delay: 5m 169 | history: 1w 170 | trends: '0' 171 | value_type: LOG 172 | description: 'Kerberos policy was changed.' 173 | tags: 174 | - tag: Application 175 | value: 'Security events' 176 | triggers: 177 | - uuid: 13a6953f2a7646bda6f639d7c3f66096 178 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4713$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4713$],600s)=0' 179 | name: 'Kerberos policy was changed.' 180 | priority: AVERAGE 181 | description: 'Kerberos policy was changed.' 182 | - uuid: a6ff13b0a71e496392347c07b842b3d9 183 | name: 'Windows Security (ID4714)' 184 | type: ZABBIX_ACTIVE 185 | key: 'eventlog[Security,,,,^4714$]' 186 | delay: 5m 187 | history: 1w 188 | trends: '0' 189 | value_type: LOG 190 | description: 'Encrypted data recovery policy was changed.' 
191 | tags: 192 | - tag: Application 193 | value: 'Security events' 194 | triggers: 195 | - uuid: b41f1b71f7184efabd8bc6856651e485 196 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4714$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4714$],600s)=0' 197 | name: 'Encrypted data recovery policy was changed.' 198 | priority: AVERAGE 199 | description: 'Encrypted data recovery policy was changed.' 200 | - uuid: 0e21e50c3897472f9e6fa3d9c2ccc016 201 | name: 'Windows Security (ID4715)' 202 | type: ZABBIX_ACTIVE 203 | key: 'eventlog[Security,,,,^4715$]' 204 | delay: 5m 205 | history: 1w 206 | trends: '0' 207 | value_type: LOG 208 | description: 'The audit policy (SACL) on an object was changed.' 209 | tags: 210 | - tag: Application 211 | value: 'Security events' 212 | triggers: 213 | - uuid: 7915f689be6d47ac8f2e6490b43840b7 214 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4715$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4715$],600s)=0' 215 | name: 'The audit policy (SACL) on an object was changed.' 216 | priority: AVERAGE 217 | description: 'The audit policy (SACL) on an object was changed.' 218 | - uuid: 1ac54e2aa17545a085a6a16c47968402 219 | name: 'Windows Security (ID4716)' 220 | type: ZABBIX_ACTIVE 221 | key: 'eventlog[Security,,,,^4716$]' 222 | delay: 5m 223 | history: 1w 224 | trends: '0' 225 | value_type: LOG 226 | description: 'Trusted domain information was modified.' 227 | tags: 228 | - tag: Application 229 | value: 'Security events' 230 | triggers: 231 | - uuid: b7541e370e6f4b9da560e06689b1277e 232 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4716$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4716$],600s)=0' 233 | name: 'Trusted domain information was modified.' 
234 | priority: AVERAGE 235 | description: 'Trusted domain information was modified.' 236 | - uuid: d85961cb2a6243d8b37ae5637b119913 237 | name: 'Windows Security (ID4719)' 238 | type: ZABBIX_ACTIVE 239 | key: 'eventlog[Security,,,,^4719$]' 240 | delay: 5m 241 | history: 1w 242 | trends: '0' 243 | value_type: LOG 244 | description: 'System audit policy was changed.' 245 | tags: 246 | - tag: Application 247 | value: 'Security events' 248 | triggers: 249 | - uuid: 2c0f82f99d354dadbe78baaec144ca83 250 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4719$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4719$],600s)=0' 251 | name: 'System audit policy was changed.' 252 | priority: HIGH 253 | description: 'System audit policy was changed.' 254 | - uuid: 29299534c2444fcaa9f567d187a9cee8 255 | name: 'Windows Security (ID4724)' 256 | type: ZABBIX_ACTIVE 257 | key: 'eventlog[Security,,,,^4724$]' 258 | delay: 5m 259 | history: 1w 260 | trends: '0' 261 | value_type: LOG 262 | description: 'An attempt was made to reset an account''s password.' 263 | tags: 264 | - tag: Application 265 | value: 'Security events' 266 | triggers: 267 | - uuid: ce5de5a6079445a1b84671c0604d7bb4 268 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4724$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4724$],600s)=0' 269 | name: 'An attempt was made to reset an account’s password.' 270 | priority: AVERAGE 271 | description: 'An attempt was made to reset an account’s password.' 272 | - uuid: 888989378cb24d5890f679167c01cb7e 273 | name: 'Windows Security (ID4727)' 274 | type: ZABBIX_ACTIVE 275 | key: 'eventlog[Security,,,,^4727$]' 276 | delay: 5m 277 | history: 1w 278 | trends: '0' 279 | value_type: LOG 280 | description: 'A security-enabled global group was created.' 
281 | tags: 282 | - tag: Application 283 | value: 'Security events' 284 | triggers: 285 | - uuid: 55e575f09d2b41c6b48285287215521b 286 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4727$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4727$],600s)=0' 287 | name: 'A security-enabled global group was created.' 288 | priority: AVERAGE 289 | description: 'A security-enabled global group was created.' 290 | - uuid: 9010d6b1d525451fa2f481ecb17026ae 291 | name: 'Windows Security (ID4735)' 292 | type: ZABBIX_ACTIVE 293 | key: 'eventlog[Security,,,,^4735$]' 294 | delay: 5m 295 | history: 1w 296 | trends: '0' 297 | value_type: LOG 298 | description: 'A security-enabled local group was changed.' 299 | tags: 300 | - tag: Application 301 | value: 'Security events' 302 | triggers: 303 | - uuid: 7ecae7f1befa4076a1c5b8c9a10109b0 304 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4735$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4735$],600s)=0' 305 | name: 'A security-enabled local group was changed.' 306 | priority: AVERAGE 307 | description: 'A security-enabled local group was changed.' 308 | - uuid: a7227ba4238440798b7bbf24d07034d3 309 | name: 'Windows Security (ID4737)' 310 | type: ZABBIX_ACTIVE 311 | key: 'eventlog[Security,,,,^4737$]' 312 | delay: 5m 313 | history: 1w 314 | trends: '0' 315 | value_type: LOG 316 | description: 'A security-enabled global group was changed.' 317 | tags: 318 | - tag: Application 319 | value: 'Security events' 320 | triggers: 321 | - uuid: e416a4fb830641d487a9c75813a08ffc 322 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4737$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4737$],600s)=0' 323 | name: 'A security-enabled global group was changed.' 324 | priority: AVERAGE 325 | description: 'A security-enabled global group was changed.' 
326 | - uuid: 2e9eba1d6d154d92ba94550a7990aee8 327 | name: 'Windows Security (ID4739)' 328 | type: ZABBIX_ACTIVE 329 | key: 'eventlog[Security,,,,^4739$]' 330 | delay: 5m 331 | history: 1w 332 | trends: '0' 333 | value_type: LOG 334 | description: 'Domain Policy was changed.' 335 | tags: 336 | - tag: Application 337 | value: 'Security events' 338 | triggers: 339 | - uuid: be69fa4f340541308bdd03b60a294458 340 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4739$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4739$],600s)=0' 341 | name: 'Domain Policy was changed.' 342 | priority: AVERAGE 343 | description: 'Domain Policy was changed.' 344 | - uuid: cd172c5b37094626bfe55b8b739c5ee7 345 | name: 'Windows Security (ID4754)' 346 | type: ZABBIX_ACTIVE 347 | key: 'eventlog[Security,,,,^4754$]' 348 | delay: 5m 349 | history: 1w 350 | trends: '0' 351 | value_type: LOG 352 | description: 'A security-enabled universal group was created.' 353 | tags: 354 | - tag: Application 355 | value: 'Security events' 356 | triggers: 357 | - uuid: c2b837f8d5d64e7bb97f67fbcdc878a9 358 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4754$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4754$],600s)=0' 359 | name: 'A security-enabled universal group was created.' 360 | priority: AVERAGE 361 | description: 'A security-enabled universal group was created.' 362 | - uuid: 79dcd738573b4ce1b9a5e9197b45b6a9 363 | name: 'Windows Security (ID4755)' 364 | type: ZABBIX_ACTIVE 365 | key: 'eventlog[Security,,,,^4755$]' 366 | delay: 5m 367 | history: 1w 368 | trends: '0' 369 | value_type: LOG 370 | description: 'A security-enabled universal group was changed.' 
371 | tags: 372 | - tag: Application 373 | value: 'Security events' 374 | triggers: 375 | - uuid: f7946447597c40b390599570782fbf62 376 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4755$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4755$],600s)=0' 377 | name: 'A security-enabled universal group was changed.' 378 | priority: AVERAGE 379 | description: 'A security-enabled universal group was changed.' 380 | - uuid: 2860fd1a38654234845483fc03dd2f59 381 | name: 'Windows Security (ID4764)' 382 | type: ZABBIX_ACTIVE 383 | key: 'eventlog[Security,,,,^4764$]' 384 | delay: 5m 385 | history: 1w 386 | trends: '0' 387 | value_type: LOG 388 | description: | 389 | A security-disabled group was deleted. 390 | A group's type was changed. 391 | tags: 392 | - tag: Application 393 | value: 'Security events' 394 | triggers: 395 | - uuid: aba1aac2b531420da90fc8ed2d371d6a 396 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4764$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4764$],600s)=0' 397 | name: 'A security-disabled group was deleted' 398 | priority: AVERAGE 399 | description: 'A security-disabled group was deleted' 400 | - uuid: 5ee1feecddba4a6091b33bb87ac303e7 401 | name: 'Windows Security (ID4765)' 402 | type: ZABBIX_ACTIVE 403 | key: 'eventlog[Security,,,,^4765$]' 404 | delay: 5m 405 | history: 1w 406 | trends: '0' 407 | value_type: LOG 408 | description: 'SID History was added to an account.' 409 | tags: 410 | - tag: Application 411 | value: 'Security events' 412 | triggers: 413 | - uuid: a487677ce69a4413ac546d1833f51fab 414 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4765$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4765$],600s)=0' 415 | name: 'SID History was added to an account.' 416 | priority: HIGH 417 | description: 'SID History was added to an account.' 
418 | - uuid: 1d834f4c207b4475b757614288034d12 419 | name: 'Windows Security (ID4766)' 420 | type: ZABBIX_ACTIVE 421 | key: 'eventlog[Security,,,,^4766$]' 422 | delay: 5m 423 | history: 1w 424 | trends: '0' 425 | value_type: LOG 426 | description: 'An attempt to add SID History to an account failed.' 427 | tags: 428 | - tag: Application 429 | value: 'Security events' 430 | triggers: 431 | - uuid: c94eebe949af4d709ac3af264620ded8 432 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4766$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4766$],600s)=0' 433 | name: 'An attempt to add SID History to an account failed.' 434 | priority: HIGH 435 | description: 'An attempt to add SID History to an account failed.' 436 | - uuid: 0519894159694b168bb285c0bb32ebc0 437 | name: 'Windows Security (ID4780)' 438 | type: ZABBIX_ACTIVE 439 | key: 'eventlog[Security,,,,^4780$]' 440 | delay: 5m 441 | history: 1w 442 | trends: '0' 443 | value_type: LOG 444 | description: 'The ACL was set on accounts which are members of administrators groups.' 445 | tags: 446 | - tag: Application 447 | value: 'Security events' 448 | triggers: 449 | - uuid: 2ea99dffd2354e4cb5595826d6eef9cf 450 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4780$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4780$],600s)=0' 451 | name: 'The ACL was set on accounts which are members of administrators groups.' 452 | priority: AVERAGE 453 | description: 'The ACL was set on accounts which are members of administrators groups.' 454 | - uuid: ebe785f574c34355a804fde24f0696c5 455 | name: 'Windows Security (ID4794)' 456 | type: ZABBIX_ACTIVE 457 | key: 'eventlog[Security,,,,^4794$]' 458 | delay: 5m 459 | history: 1w 460 | trends: '0' 461 | value_type: LOG 462 | description: 'An attempt was made to set the Directory Services Restore Mode.' 
463 | tags: 464 | - tag: Application 465 | value: 'Security events' 466 | triggers: 467 | - uuid: a0ea0b45172349098afd703272107c7c 468 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4794$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4794$],600s)=0' 469 | name: 'An attempt was made to set the Directory Services Restore Mode.' 470 | priority: HIGH 471 | description: 'An attempt was made to set the Directory Services Restore Mode.' 472 | - uuid: 6f58a9b0d487435dab819d01079c8d7e 473 | name: 'Windows Security (ID4816)' 474 | type: ZABBIX_ACTIVE 475 | key: 'eventlog[Security,,,,^4816$]' 476 | delay: 5m 477 | history: 1w 478 | trends: '0' 479 | value_type: LOG 480 | description: 'RPC detected an integrity violation while decrypting an incoming message.' 481 | tags: 482 | - tag: Application 483 | value: 'Security events' 484 | triggers: 485 | - uuid: 925dc3c036344d0c8287d460cda7c7e1 486 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4816$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4816$],600s)=0' 487 | name: 'RPC detected an integrity violation while decrypting an incoming message.' 488 | priority: AVERAGE 489 | description: 'RPC detected an integrity violation while decrypting an incoming message.' 490 | - uuid: 7ea26f5a5920447e8e871af5a51e73da 491 | name: 'Windows Security (ID4865)' 492 | type: ZABBIX_ACTIVE 493 | key: 'eventlog[Security,,,,^4865$]' 494 | delay: 5m 495 | history: 1w 496 | trends: '0' 497 | value_type: LOG 498 | description: 'A trusted forest information entry was added.' 
499 | tags: 500 | - tag: Application 501 | value: 'Security events' 502 | triggers: 503 | - uuid: 95d55d62c1284f98b8778a7f2bded96a 504 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4865$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4865$],600s)=0' 505 | name: 'A trusted forest information entry was added.' 506 | priority: AVERAGE 507 | description: 'A trusted forest information entry was added.' 508 | - uuid: b496fd64a11e41f9a28c9e98fcd94e7f 509 | name: 'Windows Security (ID4866)' 510 | type: ZABBIX_ACTIVE 511 | key: 'eventlog[Security,,,,^4866$]' 512 | delay: 5m 513 | history: 1w 514 | trends: '0' 515 | value_type: LOG 516 | description: 'A trusted forest information entry was removed.' 517 | tags: 518 | - tag: Application 519 | value: 'Security events' 520 | triggers: 521 | - uuid: 00b67d9831d846b2a4480fb0bcab88d8 522 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4866$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4866$],600s)=0' 523 | name: 'A trusted forest information entry was removed.' 524 | priority: AVERAGE 525 | description: 'A trusted forest information entry was removed.' 526 | - uuid: e68ed46d785343c9bcd99cdb3683506d 527 | name: 'Windows Security (ID4867)' 528 | type: ZABBIX_ACTIVE 529 | key: 'eventlog[Security,,,,^4867$]' 530 | delay: 5m 531 | history: 1w 532 | trends: '0' 533 | value_type: LOG 534 | description: 'A trusted forest information entry was modified.' 535 | tags: 536 | - tag: Application 537 | value: 'Security events' 538 | triggers: 539 | - uuid: 93fcc320402742f985d25958a82c59e7 540 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4867$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4867$],600s)=0' 541 | name: 'A trusted forest information entry was modified.' 
542 | priority: AVERAGE 543 | description: 'A trusted forest information entry was modified.' 544 | - uuid: fb338de56acc4806b36e83b784e40fd6 545 | name: 'Windows Security (ID4897)' 546 | type: ZABBIX_ACTIVE 547 | key: 'eventlog[Security,,,,^4897$]' 548 | delay: 5m 549 | history: 1w 550 | trends: '0' 551 | value_type: LOG 552 | description: 'Role separation enabled.' 553 | tags: 554 | - tag: Application 555 | value: 'Security events' 556 | triggers: 557 | - uuid: f52470d0cd5a4d9bba7b75aa0b463fa6 558 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4897$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4897$],600s)=0' 559 | name: 'Role separation enabled.' 560 | priority: HIGH 561 | description: 'Role separation enabled.' 562 | - uuid: 00a047b52a6041b49ba1ded40233656b 563 | name: 'Windows Security (ID4906)' 564 | type: ZABBIX_ACTIVE 565 | key: 'eventlog[Security,,,,^4906$]' 566 | delay: 5m 567 | history: 1w 568 | trends: '0' 569 | value_type: LOG 570 | description: 'The CrashOnAuditFail value has changed.' 571 | tags: 572 | - tag: Application 573 | value: 'Security events' 574 | triggers: 575 | - uuid: 5c4d43cb81f44b349ef119f2687de579 576 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4906$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4906$],600s)=0' 577 | name: 'The CrashOnAuditFail value has changed.' 578 | priority: AVERAGE 579 | description: 'The CrashOnAuditFail value has changed.' 580 | - uuid: 26dd9ceb68954da1a445daf9fd741c99 581 | name: 'Windows Security (ID4907)' 582 | type: ZABBIX_ACTIVE 583 | key: 'eventlog[Security,,,,^4907$]' 584 | delay: 5m 585 | history: 1w 586 | trends: '0' 587 | value_type: LOG 588 | description: 'Auditing settings on object were changed.' 
589 | tags: 590 | - tag: Application 591 | value: 'Security events' 592 | triggers: 593 | - uuid: 5e4a00c4848a4bc6b5d9fc6780f57d48 594 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4907$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4907$],600s)=0' 595 | name: 'Auditing settings on object were changed.' 596 | priority: AVERAGE 597 | description: 'Auditing settings on object were changed.' 598 | - uuid: 7a5b2e1b0187461788864ecc079405f1 599 | name: 'Windows Security (ID4908)' 600 | type: ZABBIX_ACTIVE 601 | key: 'eventlog[Security,,,,^4908$]' 602 | delay: 5m 603 | history: 1w 604 | trends: '0' 605 | value_type: LOG 606 | description: 'Special Groups Logon table modified.' 607 | tags: 608 | - tag: Application 609 | value: 'Security events' 610 | triggers: 611 | - uuid: b3a9571145a94ee6af272f11d93e4dbe 612 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4908$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4908$],600s)=0' 613 | name: 'Special Groups Logon table modified.' 614 | priority: AVERAGE 615 | description: 'Special Groups Logon table modified.' 616 | - uuid: d248b62a41654b05ba6decf0d3c4cd1b 617 | name: 'Windows Security (ID4912)' 618 | type: ZABBIX_ACTIVE 619 | key: 'eventlog[Security,,,,^4912$]' 620 | delay: 5m 621 | history: 1w 622 | trends: '0' 623 | value_type: LOG 624 | description: 'Per User Audit Policy was changed.' 625 | tags: 626 | - tag: Application 627 | value: 'Security events' 628 | triggers: 629 | - uuid: dfa0c3014a414e9f8444a229d9a6cda9 630 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4912$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4912$],600s)=0' 631 | name: 'Per User Audit Policy was changed.' 632 | priority: AVERAGE 633 | description: 'Per User Audit Policy was changed.' 
634 | - uuid: ffafab1a7bbc431dad40bc8e0c6c8615 635 | name: 'Windows Security (ID4964)' 636 | type: ZABBIX_ACTIVE 637 | key: 'eventlog[Security,,,,^4964$]' 638 | delay: 5m 639 | history: 1w 640 | trends: '0' 641 | value_type: LOG 642 | description: 'Special groups have been assigned to a new logon.' 643 | tags: 644 | - tag: Application 645 | value: 'Security events' 646 | triggers: 647 | - uuid: 90304dde61524c9bbbc947e2f7dc1c2d 648 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4964$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4964$],600s)=0' 649 | name: 'Special groups have been assigned to a new logon.' 650 | priority: HIGH 651 | description: 'Special groups have been assigned to a new logon.' 652 | - uuid: 41d68b542e6e4806ab6a5ba768e6481c 653 | name: 'Windows Security (ID5027)' 654 | type: ZABBIX_ACTIVE 655 | key: 'eventlog[Security,,,,^5027$]' 656 | delay: 5m 657 | history: 1w 658 | trends: '0' 659 | value_type: LOG 660 | description: 'The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.' 661 | tags: 662 | - tag: Application 663 | value: 'Security events' 664 | triggers: 665 | - uuid: bac38986492d4d818bfd6fbca3233862 666 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^5027$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^5027$],600s)=0' 667 | name: 'The Windows Firewall Service was unable to retrieve the security policy from the local storage.' 668 | priority: AVERAGE 669 | description: 'The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.' 
670 | - uuid: 81df333fb0c24fecbee203fcb752a0bd 671 | name: 'Windows Security (ID5028)' 672 | type: ZABBIX_ACTIVE 673 | key: 'eventlog[Security,,,,^5028$]' 674 | delay: 5m 675 | history: 1w 676 | trends: '0' 677 | value_type: LOG 678 | description: 'The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.' 679 | tags: 680 | - tag: Application 681 | value: 'Security events' 682 | triggers: 683 | - uuid: d9695630aae74a36b0d205b12aa87922 684 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^5028$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^5028$],600s)=0' 685 | name: 'The Windows Firewall Service was unable to parse the new security policy.' 686 | priority: AVERAGE 687 | description: 'The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.' 688 | - uuid: fa1d90b1387f4faeabbb1087bdaae03c 689 | name: 'Windows Security (ID5029)' 690 | type: ZABBIX_ACTIVE 691 | key: 'eventlog[Security,,,,^5029$]' 692 | delay: 5m 693 | history: 1w 694 | trends: '0' 695 | value_type: LOG 696 | description: 'The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.' 697 | tags: 698 | - tag: Application 699 | value: 'Security events' 700 | triggers: 701 | - uuid: 9b2dc6fda626475bb3fff7663aee1b4a 702 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^5029$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^5029$],600s)=0' 703 | name: 'The Windows Firewall Service failed to initialize the driver.' 704 | priority: AVERAGE 705 | description: 'The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.' 
706 | - uuid: c0456e685470400eb9930e3a45059f41 707 | name: 'Windows Security (ID5030)' 708 | type: ZABBIX_ACTIVE 709 | key: 'eventlog[Security,,,,^5030$]' 710 | delay: 5m 711 | history: 1w 712 | trends: '0' 713 | value_type: LOG 714 | description: 'The Windows Firewall Service failed to start.' 715 | tags: 716 | - tag: Application 717 | value: 'Security events' 718 | triggers: 719 | - uuid: 0c75f7566f8c4be3b9b808b59ef0aa18 720 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^5030$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^5030$],600s)=0' 721 | name: 'The Windows Firewall Service failed to start.' 722 | priority: AVERAGE 723 | description: 'The Windows Firewall Service failed to start.' 724 | - uuid: 7e5672bb3e804e5289642c5f95dacc28 725 | name: 'Windows Security (ID5035)' 726 | type: ZABBIX_ACTIVE 727 | key: 'eventlog[Security,,,,^5035$]' 728 | delay: 5m 729 | history: 1w 730 | trends: '0' 731 | value_type: LOG 732 | description: 'The Windows Firewall Driver failed to start.' 733 | tags: 734 | - tag: Application 735 | value: 'Security events' 736 | triggers: 737 | - uuid: a20e81d178b841899d2ed345c929061e 738 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^5035$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^5035$],600s)=0' 739 | name: 'The Windows Firewall Driver failed to start.' 740 | priority: AVERAGE 741 | description: 'The Windows Firewall Driver failed to start.' 742 | - uuid: c5fe9a718443427a9d23c295c24b335d 743 | name: 'Windows Security (ID5037)' 744 | type: ZABBIX_ACTIVE 745 | key: 'eventlog[Security,,,,^5037$]' 746 | delay: 5m 747 | history: 1w 748 | trends: '0' 749 | value_type: LOG 750 | description: 'The Windows Firewall Driver detected critical runtime error. Terminating.' 
751 | tags: 752 | - tag: Application 753 | value: 'Security events' 754 | triggers: 755 | - uuid: cd47c32b73e640cbaf5f27f624155950 756 | expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^5037$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^5037$],600s)=0' 757 | name: 'The Windows Firewall Driver detected critical runtime error. Terminating.' 758 | priority: AVERAGE 759 | description: 'The Windows Firewall Driver detected critical runtime error. Terminating.' 760 | -------------------------------------------------------------------------------- /AD_DS_Monitoring_Attack_Detection/README.md: -------------------------------------------------------------------------------- 1 | ##changelog 2 | -------------------------------------------------------------------------------- /AD_DS_Security_Audit/AD DS Security Audit.yaml: -------------------------------------------------------------------------------- 1 | zabbix_export: 2 | version: '6.0' 3 | date: '2023-04-18T05:55:32Z' 4 | groups: 5 | - 6 | uuid: b9390195ecad4986968746a2a9b56354 7 | name: 'My Templates' 8 | templates: 9 | - 10 | uuid: a0bde2ef5ef14b3da5315124c4ad58c2 11 | template: 'AD DS Security Audit' 12 | name: 'AD DS Security Audit' 13 | description: | 14 | Template tooling version used: 1.00 15 | 16 | https://github.com/NikonovAleksei/zabbix/ 17 | 18 | https://t.me/ad_zabbix_templates 19 | groups: 20 | - 21 | name: 'My Templates' 22 | items: 23 | - 24 | uuid: d51ab16dcb4b475e8c34d7fab9dd1786 25 | name: 'Windows Security (ID4720)' 26 | type: ZABBIX_ACTIVE 27 | key: 'eventlog[Security,,,,^4720$]' 28 | delay: 5m 29 | history: 1w 30 | trends: '0' 31 | value_type: LOG 32 | tags: 33 | - 34 | tag: Application 35 | value: 'Security events' 36 | triggers: 37 | - 38 | uuid: 1c520af3153e492aa59aa81e82df288c 39 | expression: 'logseverity(/AD DS Security Audit/eventlog[Security,,,,^4720$])>1 and nodata(/AD DS Security Audit/eventlog[Security,,,,^4720$],600s)=0' 
40 | name: 'A user account was created.' 41 | priority: INFO 42 | - 43 | uuid: 012215e9936f4e40aab3e8abf8d9ad8a 44 | name: 'Windows Security (ID4722)' 45 | type: ZABBIX_ACTIVE 46 | key: 'eventlog[Security,,,,^4722$]' 47 | delay: 5m 48 | history: 1w 49 | trends: '0' 50 | value_type: LOG 51 | tags: 52 | - 53 | tag: Application 54 | value: 'Security events' 55 | triggers: 56 | - 57 | uuid: 98cfb6218b2f4b52806c8b59287066cb 58 | expression: 'logseverity(/AD DS Security Audit/eventlog[Security,,,,^4722$])>1 and nodata(/AD DS Security Audit/eventlog[Security,,,,^4722$],600s)=0' 59 | name: 'A user account was enabled.' 60 | - 61 | uuid: 24ad0fcac3ad41aba6db9250bec15ffc 62 | name: 'Windows Security (ID4723)' 63 | type: ZABBIX_ACTIVE 64 | key: 'eventlog[Security,,,,^4723$]' 65 | delay: 5m 66 | history: 1w 67 | trends: '0' 68 | value_type: LOG 69 | tags: 70 | - 71 | tag: Application 72 | value: 'Security events' 73 | triggers: 74 | - 75 | uuid: 7921bd0d421946f9ad5b5810fd195f7b 76 | expression: 'logseverity(/AD DS Security Audit/eventlog[Security,,,,^4723$])>1 and nodata(/AD DS Security Audit/eventlog[Security,,,,^4723$],600s)=0' 77 | name: 'An attempt was made to change an account''s password.' 78 | - 79 | uuid: b6fbd6ff6c994d8c854644c6092c6f75 80 | name: 'Windows Security (ID4724)' 81 | type: ZABBIX_ACTIVE 82 | key: 'eventlog[Security,,,,^4724$]' 83 | delay: 5m 84 | history: 1w 85 | trends: '0' 86 | value_type: LOG 87 | tags: 88 | - 89 | tag: Application 90 | value: 'Security events' 91 | triggers: 92 | - 93 | uuid: 8c16af4f9d2f498cb71f8b69ee756053 94 | expression: 'logseverity(/AD DS Security Audit/eventlog[Security,,,,^4724$])>1 and nodata(/AD DS Security Audit/eventlog[Security,,,,^4724$],600s)=0' 95 | name: 'An attempt was made to reset an account''s password.' 
96 | priority: INFO 97 | - 98 | uuid: 11cda07d18cf4362b8048e2110c76895 99 | name: 'Windows Security (ID4725)' 100 | type: ZABBIX_ACTIVE 101 | key: 'eventlog[Security,,,,^4725$]' 102 | delay: 5m 103 | history: 1w 104 | trends: '0' 105 | value_type: LOG 106 | tags: 107 | - 108 | tag: Application 109 | value: 'Security events' 110 | triggers: 111 | - 112 | uuid: 7967ddb42cb144c2a4f96df98d01f419 113 | expression: 'logseverity(/AD DS Security Audit/eventlog[Security,,,,^4725$])>1 and nodata(/AD DS Security Audit/eventlog[Security,,,,^4725$],600s)=0' 114 | name: 'A user account was disabled.' 115 | priority: INFO 116 | - 117 | uuid: f4038a01684442eb9e1676f11ce7d3af 118 | name: 'Windows Security (ID4726)' 119 | type: ZABBIX_ACTIVE 120 | key: 'eventlog[Security,,,,^4726$]' 121 | delay: 5m 122 | history: 1w 123 | trends: '0' 124 | value_type: LOG 125 | tags: 126 | - 127 | tag: Application 128 | value: 'Security events' 129 | triggers: 130 | - 131 | uuid: 4ef37883978b47a08a11d6a0203f9337 132 | expression: 'logseverity(/AD DS Security Audit/eventlog[Security,,,,^4726$])>1 and nodata(/AD DS Security Audit/eventlog[Security,,,,^4726$],600s)=0' 133 | name: 'A user account was deleted.' 134 | priority: WARNING 135 | - 136 | uuid: 324112cafdf44637b06d93a285418ebd 137 | name: 'Windows Security (ID4738)' 138 | type: ZABBIX_ACTIVE 139 | key: 'eventlog[Security,,,,^4738$]' 140 | delay: 5m 141 | history: 1w 142 | trends: '0' 143 | value_type: LOG 144 | tags: 145 | - 146 | tag: Application 147 | value: 'Security events' 148 | triggers: 149 | - 150 | uuid: 3760ed12a00a4838a51ae0dfa5d5d1e6 151 | expression: 'logseverity(/AD DS Security Audit/eventlog[Security,,,,^4738$])>1 and nodata(/AD DS Security Audit/eventlog[Security,,,,^4738$],600s)=0' 152 | name: 'A user account was changed.' 
153 | priority: INFO 154 | - 155 | uuid: 9cd311891c944e2bac1b3c2228e39dd3 156 | name: 'Windows Security (ID4740)' 157 | type: ZABBIX_ACTIVE 158 | key: 'eventlog[Security,,,,^4740$]' 159 | delay: 5m 160 | history: 1w 161 | trends: '0' 162 | value_type: LOG 163 | tags: 164 | - 165 | tag: Application 166 | value: 'Security events' 167 | triggers: 168 | - 169 | uuid: 018938867152482db6386c4d585842b2 170 | expression: 'logseverity(/AD DS Security Audit/eventlog[Security,,,,^4740$])>0 and nodata(/AD DS Security Audit/eventlog[Security,,,,^4740$],600s)=0' 171 | name: 'A user account was locked out.' 172 | priority: INFO 173 | - 174 | uuid: 4e176bbd01114e92b6f9736f30322246 175 | name: 'Windows Security (ID4741)' 176 | type: ZABBIX_ACTIVE 177 | key: 'eventlog[Security,,,,^4741$]' 178 | delay: 5m 179 | history: 1w 180 | trends: '0' 181 | value_type: LOG 182 | tags: 183 | - 184 | tag: Application 185 | value: 'Security events' 186 | triggers: 187 | - 188 | uuid: 11299de9de6748198c002634952bcd10 189 | expression: 'logseverity(/AD DS Security Audit/eventlog[Security,,,,^4741$])>1 and nodata(/AD DS Security Audit/eventlog[Security,,,,^4741$],600s)=0' 190 | name: 'A computer account was created.' 191 | - 192 | uuid: 0a54b898bb284dbab1935b65fa6bf408 193 | name: 'Windows Security (ID4742)' 194 | type: ZABBIX_ACTIVE 195 | key: 'eventlog[Security,,,,^4742$]' 196 | delay: 5m 197 | history: 1w 198 | trends: '0' 199 | value_type: LOG 200 | tags: 201 | - 202 | tag: Application 203 | value: 'Security events' 204 | triggers: 205 | - 206 | uuid: 26d602bbdcd54b6aa58d38d79d3f6409 207 | expression: 'logseverity(/AD DS Security Audit/eventlog[Security,,,,^4742$])>1 and nodata(/AD DS Security Audit/eventlog[Security,,,,^4742$],600s)=0' 208 | name: 'A computer account was changed.' 
209 | - 210 | uuid: d8b668807a394b3c981ee36572e87c0d 211 | name: 'Windows Security (ID4743)' 212 | type: ZABBIX_ACTIVE 213 | key: 'eventlog[Security,,,,^4743$]' 214 | delay: 5m 215 | history: 1w 216 | trends: '0' 217 | value_type: LOG 218 | tags: 219 | - 220 | tag: Application 221 | value: 'Security events' 222 | triggers: 223 | - 224 | uuid: 20e8ab11e5b84581a444bd947f31ede0 225 | expression: 'logseverity(/AD DS Security Audit/eventlog[Security,,,,^4743$])>1 and nodata(/AD DS Security Audit/eventlog[Security,,,,^4743$],600s)=0' 226 | name: 'A computer account was deleted.' 227 | - 228 | uuid: 5c377f3dd6b7495e9fb76435e87022db 229 | name: 'Windows Security (ID4767)' 230 | type: ZABBIX_ACTIVE 231 | key: 'eventlog[Security,,,,^4767$]' 232 | delay: 5m 233 | history: 1w 234 | trends: '0' 235 | value_type: LOG 236 | tags: 237 | - 238 | tag: Application 239 | value: 'Security events' 240 | triggers: 241 | - 242 | uuid: 41fd7a633da14268b43284c4aadca067 243 | expression: 'logseverity(/AD DS Security Audit/eventlog[Security,,,,^4767$])>1 and nodata(/AD DS Security Audit/eventlog[Security,,,,^4767$],600s)=0' 244 | name: 'A user account was unlocked.' 245 | priority: INFO 246 | - 247 | uuid: e736d163e4964acd90f185943d84cfd1 248 | name: 'Windows Security (ID4780)' 249 | type: ZABBIX_ACTIVE 250 | key: 'eventlog[Security,,,,^4780$]' 251 | delay: 5m 252 | history: 1w 253 | trends: '0' 254 | value_type: LOG 255 | tags: 256 | - 257 | tag: Application 258 | value: 'Security events' 259 | triggers: 260 | - 261 | uuid: a02b27e8dedc404ab50144a946b85a02 262 | expression: 'logseverity(/AD DS Security Audit/eventlog[Security,,,,^4780$])>1 and nodata(/AD DS Security Audit/eventlog[Security,,,,^4780$],600s)=0' 263 | name: 'The ACL was set on accounts which are members of administrators groups.' 
264 | - 265 | uuid: 8a5b8ead83a3499894689b37ab091a31 266 | name: 'Windows Security (ID4781)' 267 | type: ZABBIX_ACTIVE 268 | key: 'eventlog[Security,,,,^4781$]' 269 | delay: 5m 270 | history: 1w 271 | trends: '0' 272 | value_type: LOG 273 | tags: 274 | - 275 | tag: Application 276 | value: 'Security events' 277 | triggers: 278 | - 279 | uuid: 212b75e1cf3c49cf83fd3707e1e37af1 280 | expression: 'logseverity(/AD DS Security Audit/eventlog[Security,,,,^4781$])>1 and nodata(/AD DS Security Audit/eventlog[Security,,,,^4781$],600s)=0' 281 | name: 'The name of an account was changed.' 282 | priority: WARNING 283 | -------------------------------------------------------------------------------- /AD_СS_Health_and_Performance/AD_СS_Health_and_Performance.yaml: -------------------------------------------------------------------------------- 1 | zabbix_export: 2 | version: '6.0' 3 | date: '2024-03-21T13:33:23Z' 4 | groups: 5 | - uuid: b9390195ecad4986968746a2a9b56354 6 | name: 'My Templates' 7 | templates: 8 | - uuid: cddbf652785e400b8c40f422a7304284 9 | template: 'AD CS Health and Monitoring' 10 | name: 'AD CS Health and Monitoring' 11 | description: | 12 | Template tooling version used: 1.11 13 | 14 | https://github.com/NikonovAleksei/zabbix/ 15 | 16 | https://t.me/ad_zabbix_templates 17 | groups: 18 | - name: 'My Templates' 19 | items: 20 | - uuid: a15de568a0ab463082bf485d7179023b 21 | name: 'Certificate Services Events' 22 | type: ZABBIX_ACTIVE 23 | key: 'eventlog[Application,,"Warning|Error|Critical","Microsoft-Windows-CertificationAuthority"]' 24 | delay: 5m 25 | trends: '0' 26 | value_type: LOG 27 | tags: 28 | - tag: Application 29 | value: 'AD СS Events' 30 | - uuid: 7b60d89fdab447c0b3ff3ab438fbc590 31 | name: 'CertificationAuthority (ID15)' 32 | type: ZABBIX_ACTIVE 33 | key: 'eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^15$]' 34 | delay: 5m 35 | trends: '0' 36 | value_type: LOG 37 | description: 'Active Directory Certificate Services did not 
start: Version does not match certif.dll.' 38 | tags: 39 | - tag: Application 40 | value: 'AD СS Events' 41 | triggers: 42 | - uuid: 1bb8f52688b5490cb4411413171e44b8 43 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^15$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^15$],600s)=0' 44 | name: 'AD CS did not start: Version does not match certif.dll.' 45 | priority: HIGH 46 | manual_close: 'YES' 47 | - uuid: e11dafaf89864a46b6071c69a6759f97 48 | name: 'CertificationAuthority (ID55)' 49 | type: ZABBIX_ACTIVE 50 | key: 'eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^55$]' 51 | delay: 5m 52 | trends: '0' 53 | value_type: LOG 54 | description: 'Active Directory Certificate Services unrevoked the certificate for request %1 for %2.' 55 | tags: 56 | - tag: Application 57 | value: 'AD СS Events' 58 | triggers: 59 | - uuid: c289223480a54523b40c4d58cc915ec8 60 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^55$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^55$],600s)=0' 61 | name: 'AD CS unrevoked the certificate for request' 62 | priority: WARNING 63 | manual_close: 'YES' 64 | - uuid: 3dd168eba18945e68b74ef5a67a469a5 65 | name: 'CertificationAuthority (ID60)' 66 | type: ZABBIX_ACTIVE 67 | key: 'eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^60$]' 68 | delay: 5m 69 | trends: '0' 70 | value_type: LOG 71 | description: 'Active Directory Certificate Services refused to process an extremely long request from %1. This may indicate a denial-of-service attack. If the request was rejected in error, modify the MaxIncomingMessageSize registry parameter via certutil -setreg CA\MaxIncomingMessageSize . 
Unless verbose logging is enabled, this error will not be logged again for 20 minutes.' 72 | tags: 73 | - tag: Application 74 | value: 'AD СS Events' 75 | triggers: 76 | - uuid: 084ca93dfcf94698be641624006d7f65 77 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^60$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^60$],600s)=0' 78 | name: 'AD CS refused to process an extremely long request.' 79 | priority: HIGH 80 | manual_close: 'YES' 81 | - uuid: 5d44aff3d9d148398a7673d2e62633cc 82 | name: 'CertificationAuthority (ID95)' 83 | type: ZABBIX_ACTIVE 84 | key: 'eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^95$]' 85 | delay: 5m 86 | trends: '0' 87 | value_type: LOG 88 | description: 'Security permissions are corrupted or missing. The Active Directory Certificate Services may need to be reinstalled.' 89 | tags: 90 | - tag: Application 91 | value: 'AD СS Events' 92 | triggers: 93 | - uuid: 6287aaf65f69431d9dee58151cef3db6 94 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^95$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^95$],600s)=0' 95 | name: 'Security permissions are corrupted or missing.' 
96 | priority: HIGH 97 | manual_close: 'YES' 98 | - uuid: 425fd1a4d98d4f39b8a056c2a22e4f6a 99 | name: 'Windows Security (ID4657)' 100 | type: ZABBIX_ACTIVE 101 | key: 'eventlog[Security,,,,^4657$]' 102 | delay: 30s 103 | trends: '0' 104 | value_type: LOG 105 | tags: 106 | - tag: Application 107 | value: 'AD СS Events' 108 | triggers: 109 | - uuid: 8d2702a6ca1f46ae824c4a086901a9b4 110 | expression: 'count(/AD CS Health and Monitoring/eventlog[Security,,,,^4657$],90s,"like","EKUOIDsForPublishExpiredCertInCRL")=1' 111 | name: 'An attacker could remove specific certificate types (Registry)' 112 | priority: HIGH 113 | description: 'This value controls what types of certificates remain on a CRL even after the certificate expires. An attacker could remove specific certificate types (such as Code Signing) that would allow a previously revoked certificate that malware was signed with to validate successfully again after the next CRL publication. This value is not changed during normal CA operation.' 114 | manual_close: 'YES' 115 | - uuid: c966fc268e7a46698c1ae78c10ac7168 116 | expression: 'count(/AD CS Health and Monitoring/eventlog[Security,,,,^4657$],90s,"like","RoleSeparationEnabled")=1' 117 | name: 'Role separation enabled (Registry)' 118 | priority: HIGH 119 | description: 'Role separation allows for a CA to tightly control the rights of a specific user and enforce that all users can only have one role on the system (CA Admin, Cert Issuer, administrator, Auditor). A local administrator can always disable role separation, which may allow an account that should not have rights to perform an operation to be eligible for those rights.' 
120 | manual_close: 'YES' 121 | - uuid: a5a59f63372048f7ba0efd5239338c2b 122 | expression: 'count(/AD CS Health and Monitoring/eventlog[Security,,,,^4657$],90s,"like","AuditFilter")=1' 123 | name: 'The audit filter for Certificate Services changed (Registry)' 124 | priority: HIGH 125 | description: 'The audit filter controls which Microsoft Windows® Security Auditing events are logged. Changing the audit filter may indicate an attacker attempting to disable logging prior to performing a certificate operation. Normally the audit filter is configured when the CA is created and not changed after.' 126 | manual_close: 'YES' 127 | dependencies: 128 | - name: 'The audit filter for Certificate Services changed.' 129 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4885$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4885$],600s)=0' 130 | - uuid: 9e3ad8cb15f34f2ba3eb1f090a33a87c 131 | expression: 'count(/AD CS Health and Monitoring/eventlog[Security,,,,^4657$],90s,"like","EditFlags")=1' 132 | name: 'The new value enables EDITF_ATTRIBUTESUBJECTALTNAME2 (Registry)' 133 | priority: AVERAGE 134 | description: 'Alert if the new value enables EDITF_ATTRIBUTESUBJECTALTNAME2. This can be identified by taking the value found in the “New Value” field and performing a bitwise “AND” operation with 262144 (the decimal value for the bitmask for the EDITF_ATTRIBUTESUBJECTALTNAME2 value). Adding this value will allow any certificate request to contain arbitrary alternative names.' 135 | manual_close: 'YES' 136 | - uuid: aeb28589f1cd4e40aab96a66785b4162 137 | expression: 'count(/AD CS Health and Monitoring/eventlog[Security,,,,^4657$],90s,"like","Active")=1' 138 | name: 'The Policy Modules have been changed (Registry)' 139 | priority: HIGH 140 | description: 'Indicates a change to the active policy module being used by the CA. The policy module controls certificate issuance and is changed very infrequently in normal operations.' 
141 | manual_close: 'YES' 142 | - uuid: b8f86e8169af4c3aa19da039bf8459e4 143 | expression: 'count(/AD CS Health and Monitoring/eventlog[Security,,,,^4657$],90s,"like","PolicyModules")=1' 144 | name: 'The Policy Modules have been changed (Registry)' 145 | priority: HIGH 146 | description: 'Indicates a change to the active policy module being used by the CA. The policy module controls certificate issuance and is changed very infrequently in normal operations.' 147 | manual_close: 'YES' 148 | - uuid: ec753820c62f497a9153621f1bad89f2 149 | expression: "count(/AD CS Health and Monitoring/eventlog[Security,,,,^4657$],90s,\"like\",\"Object Value Name:\tSecurity\")=1" 150 | name: 'The security permissions for Certificate Services changed (Registry)' 151 | priority: HIGH 152 | description: 'Indicates a change to the active policy module being used by the CA. The policy module controls certificate issuance and is changed very infrequently in normal operations.' 153 | manual_close: 'YES' 154 | dependencies: 155 | - name: 'The security permissions for Certificate Services changed.' 156 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4882$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4882$],600s)=0' 157 | - uuid: c22a751c97b3468699e8e6a85a707e53 158 | expression: 'count(/AD CS Health and Monitoring/eventlog[Security,,,,^4657$],90s,"like","KRACertHash")=1' 159 | name: 'Was changed KRACertHash (Registry)' 160 | priority: WARNING 161 | description: 'This will happen rarely in normal operations and an attacker who has control of a valid KRA certificate could assign it to a CA to get access to any private keys that are subsequently archived on the CA.' 
162 | manual_close: 'YES' 163 | - uuid: 0f54a0595377426e9e47799a0dca602b 164 | name: 'Windows Security (ID4868)' 165 | type: ZABBIX_ACTIVE 166 | key: 'eventlog[Security,,,,^4868$]' 167 | delay: 5m 168 | trends: '0' 169 | value_type: LOG 170 | description: 'The certificate manager denied a pending certificate request.' 171 | tags: 172 | - tag: Application 173 | value: 'AD СS Events' 174 | triggers: 175 | - uuid: 91055ea7f67a42bba2a5621700142445 176 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4868$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4868$],600s)=0' 177 | name: 'The certificate manager denied a pending certificate request.' 178 | priority: WARNING 179 | manual_close: 'YES' 180 | - uuid: 192d073034fa47aab1b5ed8f7d683ca4 181 | name: 'Windows Security (ID4870)' 182 | type: ZABBIX_ACTIVE 183 | key: 'eventlog[Security,,,,^4870$]' 184 | delay: 5m 185 | trends: '0' 186 | value_type: LOG 187 | description: 'Certificate Services revoked a certificate.' 188 | tags: 189 | - tag: Application 190 | value: 'AD СS Events' 191 | triggers: 192 | - uuid: 0810c82bb279479da1cfe0750e957715 193 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4870$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4870$],600s)=0' 194 | name: 'Certificate Services revoked a certificate.' 195 | priority: WARNING 196 | manual_close: 'YES' 197 | - uuid: 856fd62586334576a2b837bc3510591a 198 | name: 'Windows Security (ID4873)' 199 | type: ZABBIX_ACTIVE 200 | key: 'eventlog[Security,,,,^4873$]' 201 | delay: 5m 202 | trends: '0' 203 | value_type: LOG 204 | description: 'A certificate request extension changed. 
Request ID: %1 Name: %2 Type: %3 Flags: %4 Data: %5' 205 | tags: 206 | - tag: Application 207 | value: 'AD СS Events' 208 | triggers: 209 | - uuid: 9eb02dafcadc4f84bb29a399ab314a1a 210 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4873$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4873$],600s)=0' 211 | name: 'A certificate request extension changed.' 212 | priority: WARNING 213 | manual_close: 'YES' 214 | - uuid: e99f037fb18e414baa3956c7d8f0eb68 215 | name: 'Windows Security (ID4874)' 216 | type: ZABBIX_ACTIVE 217 | key: 'eventlog[Security,,,,^4874$]' 218 | delay: 5m 219 | trends: '0' 220 | value_type: LOG 221 | description: 'One or more certificate request attributes changed. Request ID: %1 Attributes: %2' 222 | tags: 223 | - tag: Application 224 | value: 'AD СS Events' 225 | triggers: 226 | - uuid: 00288391d0cd40b98beabe0bab879835 227 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4874$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4874$],600s)=0' 228 | name: 'One or more certificate request attributes changed.' 229 | priority: WARNING 230 | manual_close: 'YES' 231 | - uuid: 8cb31716bbf840d78282e1099606bffe 232 | name: 'Windows Security (ID4882)' 233 | type: ZABBIX_ACTIVE 234 | key: 'eventlog[Security,,,,^4882$]' 235 | delay: 5m 236 | trends: '0' 237 | value_type: LOG 238 | description: 'The security permissions for Certificate Services changed.' 239 | tags: 240 | - tag: Application 241 | value: 'AD СS Events' 242 | triggers: 243 | - uuid: 18e1f87c07ba49d787ca267bea9d8135 244 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4882$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4882$],600s)=0' 245 | name: 'The security permissions for Certificate Services changed.' 
246 | priority: HIGH 247 | manual_close: 'YES' 248 | - uuid: 513285bd574249488e6d8e446bdb3939 249 | name: 'Windows Security (ID4883)' 250 | type: ZABBIX_ACTIVE 251 | key: 'eventlog[Security,,,,^4883$]' 252 | delay: 5m 253 | trends: '0' 254 | value_type: LOG 255 | description: 'Certificate Services retrieved an archived key. Request ID: %1' 256 | tags: 257 | - tag: Application 258 | value: 'AD СS Events' 259 | triggers: 260 | - uuid: 84804ac52ab9436a9d16aee7534092f6 261 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4883$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4883$],600s)=0' 262 | name: 'Certificate Services retrieved an archived key.' 263 | priority: WARNING 264 | manual_close: 'YES' 265 | - uuid: 46af7c3c5a2c4458a369e4db8bfb3779 266 | name: 'Windows Security (ID4885)' 267 | type: ZABBIX_ACTIVE 268 | key: 'eventlog[Security,,,,^4885$]' 269 | delay: 5m 270 | trends: '0' 271 | value_type: LOG 272 | description: 'The audit filter for Certificate Services changed.' 273 | tags: 274 | - tag: Application 275 | value: 'AD СS Events' 276 | triggers: 277 | - uuid: e8ae0c5637394863b81eff141b08debd 278 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4885$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4885$],600s)=0' 279 | name: 'The audit filter for Certificate Services changed.' 280 | priority: HIGH 281 | manual_close: 'YES' 282 | - uuid: 2db86df51b8d403db015c2f800dc2593 283 | name: 'Windows Security (ID4887)' 284 | type: ZABBIX_ACTIVE 285 | key: 'eventlog[Security,,,,^4887$]' 286 | delay: 5m 287 | trends: '0' 288 | value_type: LOG 289 | description: 'Certificate Services approved a certificate request and issued a certificate. 
Request ID: %1 Requester: %2 Attributes: %3 Disposition: %4 SKI: %5 Subject: %6' 290 | tags: 291 | - tag: Application 292 | value: 'AD СS Events' 293 | triggers: 294 | - uuid: 80db3f51472248fc84f4235330b8f57d 295 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4887$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4887$],600s)=0' 296 | name: 'Certificate Services approved a certificate request and issued a certificate.' 297 | priority: WARNING 298 | manual_close: 'YES' 299 | - uuid: de29b215b97f4075a9165e1bee8219fb 300 | name: 'Windows Security (ID4888)' 301 | type: ZABBIX_ACTIVE 302 | key: 'eventlog[Security,,,,^4888$]' 303 | delay: 5m 304 | trends: '0' 305 | value_type: LOG 306 | description: 'Certificate Services denied a certificate request. Request ID: %1 Requester: %2 Attributes: %3 Disposition: %4 SKI: %5 Subject: %6' 307 | tags: 308 | - tag: Application 309 | value: 'AD СS Events' 310 | triggers: 311 | - uuid: 5fb2ed69fb364653bb0f58ec4a47a6be 312 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4888$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4888$],600s)=0' 313 | name: 'Certificate Services denied a certificate request.' 314 | priority: WARNING 315 | manual_close: 'YES' 316 | - uuid: c0a7efec3d9e4012978b118b5b15d90d 317 | name: 'Windows Security (ID4890)' 318 | type: ZABBIX_ACTIVE 319 | key: 'eventlog[Security,,,,^4890$]' 320 | delay: 5m 321 | trends: '0' 322 | value_type: LOG 323 | description: 'The certificate manager settings for Certificate Services changed.' 324 | tags: 325 | - tag: Application 326 | value: 'AD СS Events' 327 | triggers: 328 | - uuid: 20ff500a3d9a4409b0804351000beadf 329 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4890$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4890$],600s)=0' 330 | name: 'The certificate manager settings for Certificate Services changed.' 
331 | priority: WARNING 332 | manual_close: 'YES' 333 | - uuid: 6bf8a2f11e934337b8e300cdcca0b0d4 334 | name: 'Windows Security (ID4891)' 335 | type: ZABBIX_ACTIVE 336 | key: 'eventlog[Security,,,,^4891$]' 337 | delay: 5m 338 | trends: '0' 339 | value_type: LOG 340 | description: 'A configuration entry changed in Certificate Services. Node: %1 Entry: %2 Value: %3' 341 | tags: 342 | - tag: Application 343 | value: 'AD СS Events' 344 | triggers: 345 | - uuid: 8a0670ecdf4b4ce0b4b913df392dbede 346 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4891$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4891$],600s)=0' 347 | name: 'A configuration entry changed in Certificate Services.' 348 | priority: WARNING 349 | manual_close: 'YES' 350 | - uuid: f7114dfb8fb84d3cbfc114426f82f2a2 351 | name: 'Windows Security (ID4892)' 352 | type: ZABBIX_ACTIVE 353 | key: 'eventlog[Security,,,,^4892$]' 354 | delay: 5m 355 | trends: '0' 356 | value_type: LOG 357 | description: 'A property of Certificate Services changed.' 358 | tags: 359 | - tag: Application 360 | value: 'AD СS Events' 361 | triggers: 362 | - uuid: a99b1b7cdbbf46c3b1fea771b3262130 363 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4892$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4892$],600s)=0' 364 | name: 'A property of Certificate Services changed.' 365 | priority: WARNING 366 | manual_close: 'YES' 367 | - uuid: fecda5d9cdea4bddae46cbdf3e72c8ee 368 | name: 'Windows Security (ID4896)' 369 | type: ZABBIX_ACTIVE 370 | key: 'eventlog[Security,,,,^4896$]' 371 | delay: 5m 372 | trends: '0' 373 | value_type: LOG 374 | description: 'One or more rows have been deleted from the certificate database.' 
375 | tags: 376 | - tag: Application 377 | value: 'AD СS Events' 378 | triggers: 379 | - uuid: 23bf0198ccac4e28a78bdfee7a7ae59b 380 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4896$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4896$],600s)=0' 381 | name: 'One or more rows have been deleted from the certificate database.' 382 | priority: WARNING 383 | manual_close: 'YES' 384 | - uuid: f3f47337410640bca67f5225a829cf24 385 | name: 'Windows Security (ID4897)' 386 | type: ZABBIX_ACTIVE 387 | key: 'eventlog[Security,,,,^4897$]' 388 | delay: 5m 389 | trends: '0' 390 | value_type: LOG 391 | description: 'Role separation enabled: %1' 392 | tags: 393 | - tag: Application 394 | value: 'AD СS Events' 395 | triggers: 396 | - uuid: 8cb098688c364616b83f40a300a793b0 397 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4897$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4897$],600s)=0' 398 | name: 'Role separation enabled' 399 | priority: WARNING 400 | description: 'If role separation is used, this can be used to trigger an alert if the expected configuration changes.' 401 | manual_close: 'YES' 402 | - uuid: 7d0e90f6bff2456c86e50242f769ccc9 403 | name: 'Windows Security (ID4898)' 404 | type: ZABBIX_ACTIVE 405 | key: 'eventlog[Security,,,,^4898$]' 406 | delay: 5m 407 | trends: '0' 408 | value_type: LOG 409 | description: 'Certificate Services loaded a template. %1 v%2 (Schema V%3) %4 %5 Template Information: Template Content: %7 Security Descriptor: %8 Additional Information: Domain Controller: %6' 410 | tags: 411 | - tag: Application 412 | value: 'AD СS Events' 413 | triggers: 414 | - uuid: a0e87a76dd24425a8e1c0e5b8739b868 415 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4898$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4898$],600s)=0' 416 | name: 'Certificate Services loaded a template.' 
417 | priority: WARNING 418 | description: 'Alert if templates that are not expected on a CA are loaded.' 419 | manual_close: 'YES' 420 | - uuid: b0f2b714a1b7423393aae0df2f96a000 421 | name: 'Windows Security (ID4899)' 422 | type: ZABBIX_ACTIVE 423 | key: 'eventlog[Security,,,,^4899$]' 424 | delay: 5m 425 | trends: '0' 426 | value_type: LOG 427 | description: 'A Certificate Services template was updated. %1 v%2 (Schema V%3) %4 %5 Template Change Information: Old Template Content: %8 New Template Content: %7 Additional Information: Domain Controller: %6' 428 | tags: 429 | - tag: Application 430 | value: 'AD СS Events' 431 | triggers: 432 | - uuid: 14c1debb92a043fdb00c14c4d3e0fc6d 433 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4899$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4899$],600s)=0' 434 | name: 'A Certificate Services template was updated.' 435 | priority: WARNING 436 | manual_close: 'YES' 437 | - uuid: d77b1764e4d04f49a0002af14d97910d 438 | name: 'Windows Security (ID4900)' 439 | type: ZABBIX_ACTIVE 440 | key: 'eventlog[Security,,,,^4900$]' 441 | delay: 5m 442 | trends: '0' 443 | value_type: LOG 444 | description: 'Certificate Services template security was updated. %1 v%2 (Schema V%3) %4 %5 Template Change Information: Old Template Content: %9 New Template Content: %7 Old Security Descriptor: %10 New Security Descriptor: %8 Additional Information: Domain Controller: %6' 445 | tags: 446 | - tag: Application 447 | value: 'AD СS Events' 448 | triggers: 449 | - uuid: 0bb54f1d22c74629a95514b51c481f6e 450 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4900$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4900$],600s)=0' 451 | name: 'Certificate Services template security was updated.' 
452 | priority: WARNING 453 | manual_close: 'YES' 454 | - uuid: 35e8b5a2afa0478fb1eaf11620c15eb3 455 | name: 'Windows Security (ID5120)' 456 | type: ZABBIX_ACTIVE 457 | key: 'eventlog[Security,,,,^5120$]' 458 | delay: 5m 459 | trends: '0' 460 | value_type: LOG 461 | description: 'OCSP Responder Service Started' 462 | tags: 463 | - tag: Application 464 | value: 'AD СS Events' 465 | triggers: 466 | - uuid: 77d6c23c1b7f4394a90989c4cb432421 467 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^5120$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^5120$],600s)=0' 468 | name: 'OCSP Responder Service Started' 469 | priority: WARNING 470 | manual_close: 'YES' 471 | - uuid: 53a31c2266c24a68811c0197c85eb7e7 472 | name: 'Windows Security (ID5121)' 473 | type: ZABBIX_ACTIVE 474 | key: 'eventlog[Security,,,,^5121$]' 475 | delay: 5m 476 | trends: '0' 477 | value_type: LOG 478 | description: 'OCSP Responder Service Stopped' 479 | tags: 480 | - tag: Application 481 | value: 'AD СS Events' 482 | triggers: 483 | - uuid: fe58dde3a9a447cba2661798058aa927 484 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^5121$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^5121$],600s)=0' 485 | name: 'OCSP Responder Service Stopped' 486 | priority: WARNING 487 | manual_close: 'YES' 488 | - uuid: df03fa4c967548c48ae89def9e0d2ca3 489 | name: 'Windows Security (ID5122)' 490 | type: ZABBIX_ACTIVE 491 | key: 'eventlog[Security,,,,^5122$]' 492 | delay: 5m 493 | trends: '0' 494 | value_type: LOG 495 | description: 'A configuration entry changed in OCSP Responder Service' 496 | tags: 497 | - tag: Application 498 | value: 'AD СS Events' 499 | triggers: 500 | - uuid: 35d99c6bd23246929eee35c9fc94c49d 501 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^5122$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^5122$],600s)=0' 502 | name: 'A configuration entry changed in OCSP 
Responder Service' 503 | priority: WARNING 504 | manual_close: 'YES' 505 | - uuid: 666c6b2da450418aa2541b86ce23f2e3 506 | name: 'Windows Security (ID5123)' 507 | type: ZABBIX_ACTIVE 508 | key: 'eventlog[Security,,,,^5123$]' 509 | delay: 5m 510 | trends: '0' 511 | value_type: LOG 512 | description: 'A configuration entry changed in OCSP Responder Service' 513 | tags: 514 | - tag: Application 515 | value: 'AD СS Events' 516 | triggers: 517 | - uuid: b91666738edd4219bf4f602a98f9791b 518 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^5123$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^5123$],600s)=0' 519 | name: 'A configuration entry changed in OCSP Responder Service' 520 | priority: WARNING 521 | manual_close: 'YES' 522 | - uuid: 80ef5e920b9c48069e5d5c3dc77a4997 523 | name: 'Windows Security (ID5124)' 524 | type: ZABBIX_ACTIVE 525 | key: 'eventlog[Security,,,,^5124$]' 526 | delay: 5m 527 | trends: '0' 528 | value_type: LOG 529 | description: 'A security setting was updated on the OCSP Responder Service.' 530 | tags: 531 | - tag: Application 532 | value: 'AD СS Events' 533 | triggers: 534 | - uuid: 38c56cb7889849d989692455e2803750 535 | expression: 'logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^5124$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^5124$],600s)=0' 536 | name: 'A security setting was updated on the OCSP Responder Service.' 537 | priority: HIGH 538 | manual_close: 'YES' 539 | - uuid: ca68dfbd2f0140c6bb1d00e327adb13a 540 | name: 'Failed Requests/sec' 541 | key: 'perf_counter_en[\Certification Authority(_Total)\Failed Requests/sec]' 542 | history: 1w 543 | value_type: FLOAT 544 | units: Requests/sec 545 | description: 'This monitor returns the number of failed certificate requests processed per second.' 
546 | tags: 547 | - tag: Application 548 | value: 'AD СS Performance' 549 | - uuid: f6dce5c171104f328822423320e66e19 550 | name: 'Pending Requests/sec' 551 | key: 'perf_counter_en[\Certification Authority(_Total)\Pending Requests/sec]' 552 | history: 1w 553 | value_type: FLOAT 554 | units: Requests/sec 555 | description: 'This monitor returns the number of pending certificate requests processed per second.' 556 | tags: 557 | - tag: Application 558 | value: 'AD СS Performance' 559 | - uuid: 0462a2a60dcb448bbe35a2a8c044bf05 560 | name: Requests/sec 561 | key: 'perf_counter_en[\Certification Authority(_Total)\Requests/sec]' 562 | history: 1w 563 | value_type: FLOAT 564 | units: Requests/sec 565 | description: 'This monitor returns the number of certificate requests processed per second.' 566 | tags: 567 | - tag: Application 568 | value: 'AD СS Performance' 569 | - uuid: 27835a46d09e493cae5f278db0d08bab 570 | name: Retrievals/sec 571 | key: 'perf_counter_en[\Certification Authority(_Total)\Retrievals/sec]' 572 | history: 1w 573 | value_type: FLOAT 574 | units: Requests/sec 575 | description: 'This monitor returns the number of certificate retrieval requests processed per second.' 576 | tags: 577 | - tag: Application 578 | value: 'AD СS Performance' 579 | - uuid: f909d3aa0ab84136ba71296717acd387 580 | name: 'State of service "certsvc" (Certificate Services)' 581 | key: 'service.info[certsvc,state]' 582 | history: 1d 583 | valuemap: 584 | name: 'Windows service state' 585 | tags: 586 | - tag: Application 587 | value: 'AD CS Services' 588 | triggers: 589 | - uuid: cfde8e3bb43b46cc945381ab472a0757 590 | expression: 'min(/AD CS Health and Monitoring/service.info[certsvc,state],#3)<>0' 591 | name: '"Certsvc" (Certificate Services) is not running' 592 | priority: AVERAGE 593 | description: 'The service has a state other than "Running" for the last three times.' 
594 | - uuid: 77e2032afa1140ea9ce5c2b8e110e419 595 | name: 'CertDB Size' 596 | key: 'vfs.dir.size["{$CSDB_PATH}"]' 597 | delay: 24h 598 | units: Bytes 599 | tags: 600 | - tag: Application 601 | value: 'AD CS Services' 602 | macros: 603 | - macro: '{$CSDB_PATH}' 604 | value: 'c:\windows\System32\CertLog' 605 | valuemaps: 606 | - uuid: 0b683fa7d30c4ced99bbd40128ced1ef 607 | name: 'Service state' 608 | mappings: 609 | - value: '0' 610 | newvalue: Down 611 | - value: '1' 612 | newvalue: Up 613 | - uuid: ecfc40b4ebbc4527a3398a28802337f3 614 | name: 'Windows service state' 615 | mappings: 616 | - value: '0' 617 | newvalue: Running 618 | - value: '1' 619 | newvalue: Paused 620 | - value: '2' 621 | newvalue: 'Start pending' 622 | - value: '3' 623 | newvalue: 'Pause pending' 624 | - value: '4' 625 | newvalue: 'Continue pending' 626 | - value: '5' 627 | newvalue: 'Stop pending' 628 | - value: '6' 629 | newvalue: Stopped 630 | - value: '7' 631 | newvalue: Unknown 632 | - value: '255' 633 | newvalue: 'No such service' 634 | graphs: 635 | - uuid: b28412c059d944a2bc34919aa8fb886c 636 | name: 'Сertificate requests' 637 | ymin_type_1: FIXED 638 | graph_items: 639 | - color: FF0000 640 | calc_fnc: ALL 641 | item: 642 | host: 'AD CS Health and Monitoring' 643 | key: 'perf_counter_en[\Certification Authority(_Total)\Failed Requests/sec]' 644 | - sortorder: '1' 645 | color: 0040FF 646 | calc_fnc: ALL 647 | item: 648 | host: 'AD CS Health and Monitoring' 649 | key: 'perf_counter_en[\Certification Authority(_Total)\Pending Requests/sec]' 650 | - sortorder: '2' 651 | color: 00FF00 652 | calc_fnc: ALL 653 | item: 654 | host: 'AD CS Health and Monitoring' 655 | key: 'perf_counter_en[\Certification Authority(_Total)\Requests/sec]' 656 | - sortorder: '3' 657 | color: F7941D 658 | calc_fnc: ALL 659 | item: 660 | host: 'AD CS Health and Monitoring' 661 | key: 'perf_counter_en[\Certification Authority(_Total)\Retrievals/sec]' 662 | 
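The `EditFlags` trigger in the template above matches any 4657 event that mentions `EditFlags`, while its description asks for a bitwise AND of the "New Value" field with 262144. The following added example (not part of this repository's templates) performs that check on the event text, in ES5 syntax so the logic can be adapted to a Zabbix JavaScript preprocessing step. The function names are hypothetical, `EXAMPLE-CA` is a placeholder CA name, and the event messages are constructed samples.

```javascript
'use strict';

// Bit for EDITF_ATTRIBUTESUBJECTALTNAME2: 262144 decimal, the value quoted in the trigger description.
var EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000;

// Return the first token after "<label>:" on the same line, or null if absent or empty.
// The colon must directly follow the label, so "New Value" skips the "New Value Type:" line.
function field(message, label) {
  var re = new RegExp(label.replace(/ /g, '\\s+') + ':[ \\t]*(\\S+)');
  var m = re.exec(message);
  return m ? m[1] : null;
}

// Parse a REG_DWORD rendered as decimal or 0x-prefixed hex; null for anything else.
function parseDword(text) {
  if (text === null) { return null; }
  if (/^0x[0-9a-f]{1,8}$/i.test(text)) { return parseInt(text, 16); }
  if (/^\d{1,10}$/.test(text)) {
    var n = parseInt(text, 10);
    return n <= 0xFFFFFFFF ? n : null;
  }
  return null;
}

// Classify one 4657 message: is it an EditFlags change, and does the new value set the SAN2 bit?
function classifyEditFlagsChange(message) {
  var name = field(message, 'Object Value Name');
  if (name === null || name.toLowerCase() !== 'editflags') {
    return { relevant: false, reason: 'not an EditFlags change' };
  }
  var oldValue = parseDword(field(message, 'Old Value'));
  var newValue = parseDword(field(message, 'New Value'));
  if (newValue === null) {
    // Fail visibly instead of silently treating an unparsable value as safe.
    return { relevant: true, oldValue: oldValue, newValue: null,
             san2Enabled: null, newlyEnabled: null,
             reason: 'New Value missing or not numeric' };
  }
  var enabled = (newValue & EDITF_ATTRIBUTESUBJECTALTNAME2) !== 0;
  var wasEnabled = oldValue !== null &&
                   (oldValue & EDITF_ATTRIBUTESUBJECTALTNAME2) !== 0;
  return { relevant: true, oldValue: oldValue, newValue: newValue,
           san2Enabled: enabled, newlyEnabled: enabled && !wasEnabled,
           reason: enabled ? 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set' : 'bit not set' };
}

// Constructed sample of the relevant part of a 4657 message (not captured from a real CA).
function sampleEvent(valueName, oldValue, newValue) {
  return [
    'A registry value was modified.',
    'Object:',
    '\tObject Name:\t\t\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\CertSvc' +
      '\\Configuration\\EXAMPLE-CA\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy',
    '\tObject Value Name:\t' + valueName,
    'Change Information:',
    '\tOld Value Type:\t\tREG_DWORD',
    '\tOld Value:\t\t' + oldValue,
    '\tNew Value Type:\t\tREG_DWORD',
    '\tNew Value:\t\t' + newValue
  ].join('\r\n');
}

var samples = [
  sampleEvent('EditFlags', '1114446', '1376590'),   // bit 0x40000 added
  sampleEvent('EditFlags', '1114446', '1114447'),   // EditFlags changed, SAN2 bit untouched
  sampleEvent('EditFlags', '1376590', '1376591'),   // SAN2 bit already set before the change
  sampleEvent('RequestDisposition', '1', '257')     // different value under the same key
];

samples.forEach(function (msg) {
  console.log(JSON.stringify(classifyEditFlagsChange(msg)));
});
```

The second sample is the case the substring trigger cannot distinguish: `EditFlags` changed, but the alternative-name bit is not set in the new value.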
-------------------------------------------------------------------------------- /AD_СS_Health_and_Performance/README.md: -------------------------------------------------------------------------------- 1 | ##changelog 2 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Nikonov Aleksei 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /Other Templates/README.md: -------------------------------------------------------------------------------- 1 | # zabbix 2 | Zabbix templates 3 | 4 | 5 | 6 | 7 | UserParameter=windowsdb.discovery,powershell -NoProfile -ExecutionPolicy Bypass -File "Drive$\zabbix\conf\get_sqldbs.ps1" 8 | -------------------------------------------------------------------------------- /Other Templates/get_sqldbs.ps1: -------------------------------------------------------------------------------- 1 | function convertto-encoding ([string]$from, [string]$to){ 2 | begin{ 3 | $encfrom = [system.text.encoding]::getencoding($from) 4 | $encto = [system.text.encoding]::getencoding($to) 5 | } 6 | process{ 7 | $bytes = $encto.getbytes($_) 8 | $bytes = [system.text.encoding]::convert($encfrom, $encto, $bytes) 9 | $encto.getstring($bytes) 10 | } 11 | } 12 | 13 | #Define the variables for connecting to MS SQL. $uid and $pwd are needed only when authenticating with a user ID and password 14 | $SQLServer = "localhost\MSSQL2017" #use Server\Instance for named SQL instances! 
15 | #$uid = "user" 16 | #$pwd = "password" 17 | 18 | #Create a connection to MSSQL 19 | 20 | #If authenticating with a user ID and password 21 | #$connectionString = "Server = $SQLServer; User ID = $uid; Password = $pwd;" 22 | 23 | #If using integrated authentication 24 | $connectionString = "Server = $SQLServer; Integrated Security = True;" 25 | 26 | $connection = New-Object System.Data.SqlClient.SqlConnection 27 | $connection.ConnectionString = $connectionString 28 | $connection.Open() 29 | 30 | #Create the query to send to MSSQL 31 | $SqlCmd = New-Object System.Data.SqlClient.SqlCommand 32 | $SqlCmd.CommandText = "SELECT name FROM sysdatabases" 33 | $SqlCmd.Connection = $Connection 34 | $SqlAdapter = New-Object System.Data.SqlClient.SqlDataAdapter 35 | $SqlAdapter.SelectCommand = $SqlCmd 36 | $DataSet = New-Object System.Data.DataSet 37 | $SqlAdapter.Fill($DataSet) > $null 38 | $Connection.Close() 39 | 40 | #Store the returned list of databases in a variable. 
41 | $basename = $DataSet.Tables[0] 42 | 43 | 44 | $idx = 1 45 | write-host "{" 46 | write-host " `"data`":[`n" 47 | foreach ($name in $basename) 48 | { 49 | if ($idx -lt $basename.Rows.Count) 50 | { 51 | $line= "{ `"{#DBS}`" : `"" + $name.name + "`" }," | convertto-encoding "cp866" "utf-8" 52 | write-host $line 53 | } 54 | elseif ($idx -ge $basename.Rows.Count) 55 | { 56 | $line= "{ `"{#DBS}`" : `"" + $name.name + "`" }" | convertto-encoding "cp866" "utf-8" 57 | write-host $line 58 | } 59 | $idx++; 60 | } 61 | 62 | write-host 63 | write-host " ]" 64 | write-host "}" -------------------------------------------------------------------------------- /RDS/RDS Session Host.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 3.4 4 | 2019-02-26T05:32:48Z 5 | 6 | 7 | My Templates 8 | 9 | 10 | 11 | 484 | 485 | 486 | 487 | {Template Windows 2012 R2 RDS Session:net.tcp.listen[3389].last(,0)}=0 488 | 0 489 | 490 | RDS Port is down on {HOST.NAME} 491 | 0 492 | 493 | 494 | 0 495 | 4 496 | 497 | 0 498 | 0 499 | 500 | 501 | 502 | 503 | {Template Windows 2012 R2 RDS Session:service.rds.info[TermService,state].min(#3)}<>0 504 | 0 505 | 506 | Service "TermService" (Remote Desktop Services) is not running (startup type automatic) 507 | 0 508 | 509 | 510 | 0 511 | 3 512 | 513 | 0 514 | 0 515 | 516 | 517 | 518 | 519 | {Template Windows 2012 R2 RDS Session:eventlog[Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,,"Information",,^23$].logeventid(23)}=1 and {Template Windows 2012 R2 RDS Session:eventlog[Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,,"Information",,^23$].nodata(60)}=0 520 | 0 521 | 522 | User ( {{ITEM.VALUE}.iregsub("(\w.+[: {$DOMAIN}].*)","\1")}) logoff succeeded from RDS on {HOST.NAME} 523 | 0 524 | 525 | 526 | 0 527 | 1 528 | 529 | 0 530 | 0 531 | 532 | 533 | 534 | 535 | {Template Windows 2012 R2 RDS 
Session:eventlog[Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,,"Information",,^21$].logeventid(21)}=1 and {Template Windows 2012 R2 RDS Session:eventlog[Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,,"Information",,^21$].nodata(60)}=0 536 | 0 537 | 538 | User ( {{ITEM.VALUE}.iregsub("(\w.+[: {$DOMAIN}].*)","\1")}) logon succeeded in RDS on {HOST.NAME} 539 | 0 540 | 541 | 542 | 0 543 | 1 544 | 545 | 0 546 | 0 547 | 548 | 549 | 550 | 551 | 552 | 553 | RDS Sessions 554 | 900 555 | 200 556 | 0.0000 557 | 100.0000 558 | 1 559 | 1 560 | 0 561 | 1 562 | 0 563 | 0.0000 564 | 0.0000 565 | 1 566 | 0 567 | 0 568 | 0 569 | 570 | 571 | 0 572 | 1 573 | 1A7C11 574 | 0 575 | 2 576 | 0 577 | 578 | Template Windows 2012 R2 RDS Session 579 | perf_counter[\1920\1922] 580 | 581 | 582 | 583 | 1 584 | 3 585 | F63100 586 | 0 587 | 2 588 | 0 589 | 590 | Template Windows 2012 R2 RDS Session 591 | perf_counter[\1920\1926] 592 | 593 | 594 | 595 | 2 596 | 0 597 | 2774A4 598 | 0 599 | 2 600 | 0 601 | 602 | Template Windows 2012 R2 RDS Session 603 | perf_counter[\1920\1924] 604 | 605 | 606 | 607 | 608 | 609 | 610 | 611 | Windows service state 612 | 613 | 614 | 0 615 | Running 616 | 617 | 618 | 1 619 | Paused 620 | 621 | 622 | 2 623 | Start pending 624 | 625 | 626 | 3 627 | Pause pending 628 | 629 | 630 | 4 631 | Continue pending 632 | 633 | 634 | 5 635 | Stop pending 636 | 637 | 638 | 6 639 | Stopped 640 | 641 | 642 | 7 643 | Unknown 644 | 645 | 646 | 255 647 | No such service 648 | 649 | 650 | 651 | 652 | 653 | -------------------------------------------------------------------------------- /RDS/README.md: -------------------------------------------------------------------------------- 1 | ##changelog 2 | -------------------------------------------------------------------------------- /RDS/Template Windows 2012 R2 RDS Gateway.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4.4 4 | 2020-05-18T09:18:31Z 5 
| 6 | 7 | My Templates 8 | 9 | 10 | 11 | 141 | 142 | 143 |
--------------------------------------------------------------------------------
/RDS/Template Windows RDS Broker.yml:
--------------------------------------------------------------------------------
zabbix_export:
  version: '6.0'
  date: '2024-01-31T07:21:10Z'
  groups:
    - uuid: b9390195ecad4986968746a2a9b56354
      name: 'My Templates'
  templates:
    - uuid: dd20877844654c37a114d909ef4be4aa
      template: 'Template Windows RDS Broker'
      name: 'Template Windows RDS Broker'
      description: |
        Template tooling version used: 1.00

        https://github.com/NikonovAleksei/zabbix/

        https://t.me/ad_zabbix_templates
      groups:
        - name: 'My Templates'
      items:
        - uuid: d6cc74534ca4405f90a905c468919abd
          name: 'State of service "Tssdis" (Remote Desktop Connection Broker)'
          key: 'service_state[Tssdis]'
          history: 1d
          tags:
            - tag: Application
              value: Services
          triggers:
            - uuid: 4a58f13d64aa4dcbbf4065fbf5dd3399
              expression: 'min(/Template Windows RDS Broker/service_state[Tssdis],#3)<>0'
              name: 'Service "Tssdis" (Remote Desktop Connection Broker) is not running'
              priority: HIGH

--------------------------------------------------------------------------------
/RDS/Template Windows RDS Gateway.yml:
--------------------------------------------------------------------------------
zabbix_export:
  version: '6.0'
  date: '2024-01-31T07:20:46Z'
  groups:
    - uuid: b9390195ecad4986968746a2a9b56354
      name: 'My Templates'
  templates:
    - uuid: 160344450f9e4017b0d8f40d46ba3fe6
      template: 'Template Windows RDS Gateway'
      name: 'Template Windows RDS Gateway'
      description: |
        Template tooling version used: 1.00

        https://github.com/NikonovAleksei/zabbix/

        https://t.me/ad_zabbix_templates
      groups:
        - name: 'My Templates'
      items:
        - uuid: 4b33a7026fe54d7880f852b81815237f
          name: 'The user did not meet connection authorization policy requirements'
          type: ZABBIX_ACTIVE
          key: 'eventlog[Microsoft-Windows-TerminalServices-Gateway/Operational,,"Error",,^201$]'
          delay: 30s
          trends: '0'
          value_type: LOG
          request_method: POST
          tags:
            - tag: Application
              value: 'RDS Events'
          triggers:
            - uuid: 1e6eb0811820497daaee3854fe426ab1
              expression: 'logeventid(/Template Windows RDS Gateway/eventlog[Microsoft-Windows-TerminalServices-Gateway/Operational,,"Error",,^201$],,"201")=1 and nodata(/Template Windows RDS Gateway/eventlog[Microsoft-Windows-TerminalServices-Gateway/Operational,,"Error",,^201$],60s)=0'
              name: 'The user ( {{ITEM.VALUE}.iregsub("(\w.+[: {$DOMAIN}].*)","\1")}), on "{HOST.NAME}", RDS didn''t allow connection'
              priority: WARNING
        - uuid: 11ad220b7c5a4662b20f5486e7684bc8
          name: 'RDS GW Port'
          key: 'net.tcp.listen[{$RDS.GW.PORT}]'
          delay: 30s
          tags:
            - tag: Application
              value: RDS
          triggers:
            - uuid: 9ec33bef017149ecb7a3a69a5e9fa3f3
              expression: 'last(/Template Windows RDS Gateway/net.tcp.listen[{$RDS.GW.PORT}],#1:now-0)=0'
              name: 'RDS GW Port is down on {HOST.NAME}'
              priority: HIGH
        - uuid: e8eff81eb85d4a0f9accd1becfc7af5a
          name: 'RDS Current sessions'
          key: 'perf_counter[\Terminal Service Gateway\Current connections]'
          delay: 5m
          description: 'perf_counter[\8676\8682]'
          tags:
            - tag: Application
              value: RDS
        - uuid: caa18599054f42b884003ff8d6e932e3
          name: 'State of service "IAS" (Network Policy Server)'
          key: 'service_state[IAS]'
          history: 1d
          description: 'To resolve this issue, ensure that the Network Policy Server service is started.'
          tags:
            - tag: Application
              value: Services
          triggers:
            - uuid: 4659079a54ff43988bf409e4700c2eb4
              expression: 'min(/Template Windows RDS Gateway/service_state[IAS],#3)<>0'
              name: 'Service "IAS" (Network Policy Server) is not running'
              priority: HIGH
        - uuid: d203279b2f7249aca399e249450823d9
          name: 'State of service "RPCHTTPLBS" (RPC/HTTP Load Balancing Service)'
          key: 'service_state[RPCHTTPLBS]'
          history: 1d
          tags:
            - tag: Application
              value: Services
          triggers:
            - uuid: 92391fe1e8f24351a358857a5c91fb22
              expression: 'min(/Template Windows RDS Gateway/service_state[RPCHTTPLBS],#3)<>0'
              name: 'Service "RPCHTTPLBS" (RPC/HTTP Load Balancing Service) is not running'
              priority: HIGH
        - uuid: bd80a3612bd9436ea07018b1a4806276
          name: 'State of service "TSGateway" (Remote Desktop Gateway)'
          key: 'service_state[TSGateway]'
          history: 1d
          description: 'To resolve this issue, restart the Remote Desktop Gateway service. Restarting the Remote Desktop Gateway service also restarts all dependent services.'
          tags:
            - tag: Application
              value: Services
          triggers:
            - uuid: a351c05a77044ddaaf8bd78ab984150f
              expression: 'min(/Template Windows RDS Gateway/service_state[TSGateway],#3)<>0'
              name: 'Service "TSGateway" (Remote Desktop Gateway) is not running'
              priority: HIGH
      macros:
        - macro: '{$RDS.GW.PORT}'
          value: '443'

--------------------------------------------------------------------------------
/RDS/Template Windows RDS Licensing.yml:
--------------------------------------------------------------------------------
zabbix_export:
  version: '6.0'
  date: '2024-01-31T07:22:27Z'
  groups:
    - uuid: b9390195ecad4986968746a2a9b56354
      name: 'My Templates'
  templates:
    - uuid: 7a215b9c3c5b4115ba7ab37ddaf7ddd4
      template: 'Template Windows RDS Licensing'
      name: 'Template Windows RDS Licensing'
      description: |
        Template tooling version used: 1.00

        https://github.com/NikonovAleksei/zabbix/

        https://t.me/ad_zabbix_templates
      groups:
        - name: 'My Templates'
      items:
        - uuid: be9676f04a1143f19a5a0255a8b0ce07
          name: 'State of service "termservlicensing" (Remote Desktop Licensing)'
          key: 'service_state[termservlicensing]'
          history: 1d
          tags:
            - tag: Application
              value: Services
          triggers:
            - uuid: f1d13eb75f7a4145853ea99da12174e3
              expression: 'min(/Template Windows RDS Licensing/service_state[termservlicensing],#3)<>0'
              name: 'Service "termservlicensing" (Remote Desktop Licensing) is not running'
              priority: HIGH

--------------------------------------------------------------------------------
/RDS/Template Windows RDS Session.yml:
--------------------------------------------------------------------------------
zabbix_export:
  version: '6.0'
  date: '2024-01-31T07:20:04Z'
  groups:
    - uuid: b9390195ecad4986968746a2a9b56354
      name: 'My Templates'
  templates:
    - uuid: 6eac039be9f640be943bc77d22573fef
      template: 'Template Windows RDS Session'
      name: 'Template Windows RDS Session'
      description: |
        Template tooling version used: 1.00

        https://github.com/NikonovAleksei/zabbix/

        https://t.me/ad_zabbix_templates
      groups:
        - name: 'My Templates'
      items:
        - uuid: 3f3ab63fb4a442a4ba04cb0148d61dc7
          name: 'Login to RDS Server'
          type: ZABBIX_ACTIVE
          key: 'eventlog[Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,,"Information",,^21$]'
          delay: 30s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'RDS Events'
        - uuid: be6377c640bb41f5a24e00231eec8f72
          name: 'Logoff from RDS Server'
          type: ZABBIX_ACTIVE
          key: 'eventlog[Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,,"Information",,^23$]'
          delay: 30s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'RDS Events'
        - uuid: 6602dde0d28945fe91ec7ca8f09a5e03
          name: 'RDS Port'
          key: 'net.tcp.listen[3389]'
          tags:
            - tag: Application
              value: RDS
          triggers:
            - uuid: e73a5517fb694cd68cfebeb67dfd6aeb
              expression: 'last(/Template Windows RDS Session/net.tcp.listen[3389])=0'
              name: 'RDS Port is down on {HOST.NAME}'
              priority: HIGH
        - uuid: 79d0888253334aa8affb80fce6feae15
          name: 'RDS Active sessions'
          key: 'perf_counter[\Terminal Services\Active sessions]'
          history: 1w
          tags:
            - tag: Application
              value: RDS
        - uuid: 8ce6c18ff883491fb38654c4c360f418
          name: 'RDS Inactive sessions'
          key: 'perf_counter[\Terminal Services\Inactive Sessions]'
          history: 1w
          tags:
            - tag: Application
              value: RDS
        - uuid: 63353a6e34794494a325b8f18993ecf8
          name: 'RDS Total sessions'
          key: 'perf_counter_en[\Terminal Services\Total sessions]'
          history: 1w
          tags:
            - tag: Application
              value: RDS
        - uuid: dba1346787114f2bb1f86b4032eddab3
          name: 'State of service TermService (Remote Desktop Services)'
          key: 'service_state[TermService]'
          history: 1d
          tags:
            - tag: Application
              value: Services
          triggers:
            - uuid: 4bde7dc4b2be41a19363c1d9924703f5
              expression: 'min(/Template Windows RDS Session/service_state[TermService],#3)>0'
              name: 'Service TermService (Remote Desktop Services) is not running (startup type automatic)'
              priority: HIGH
  graphs:
    - uuid: 05283993861740e8ba894eee8d4ceeb6
      name: 'RDS Sessions'
      ymin_type_1: FIXED
      # Each graph item key must match an item key defined in the template above.
      graph_items:
        - color: 199C0D
          calc_fnc: ALL
          item:
            host: 'Template Windows RDS Session'
            key: 'perf_counter_en[\Terminal Services\Total sessions]'
        - sortorder: '1'
          color: F63100
          calc_fnc: ALL
          item:
            host: 'Template Windows RDS Session'
            key: 'perf_counter[\Terminal Services\Active sessions]'
        - sortorder: '2'
          color: 2774A4
          calc_fnc: ALL
          item:
            host: 'Template Windows RDS Session'
            key: 'perf_counter[\Terminal Services\Inactive Sessions]'

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Active Directory monitoring with Zabbix

## [AD DS Health and Performance v 2.06](https://github.com/NikonovAleksei/zabbix/wiki/AD-DS-Health-and-Performance)
Active Directory Health and Performance:

The folder contains a Zabbix template for Active Directory, based on MS documents:
- Troubleshooting Active Directory Domain Services performance
- Capacity Planning for Active Directory Domain Services
- How to do performance tuning for NTLM authentication by using the MaxConcurrentApi setting

## [AD DS Monitoring and Attack Detection v 2.00](https://github.com/NikonovAleksei/zabbix/wiki/AD-DS-Monitoring-and-Attack-Detection)
Active Directory Monitoring and Attack Detection:

Template based on MS document
- Best Practices for Securing Active Directory

## AD DS Security Audit

# Active Directory Certification Services monitoring with Zabbix
## [AD CS Health and Monitoring v 1.11](https://github.com/NikonovAleksei/zabbix/wiki/AD-CS-Health-and-Monitoring)
Active Directory Certification Services Health and Monitoring

Template based on MS documents
- Securing Public Key Infrastructure (PKI)

# Remote Desktop Services
## [RDS v1.00](https://github.com/NikonovAleksei/zabbix/wiki/RDS)
- Template Windows RDS Broker
- Template Windows RDS Gateway
- Template Windows RDS Licensing
- Template Windows RDS Session

--------------------------------------------------------------------------------
/_includes/head-custom.html:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/icons/README.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/icons/router_def.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NikonovAleksei/zabbix/165fa9ac15c298718946a37d82f4a56e1301de45/icons/router_def.png

--------------------------------------------------------------------------------
/icons/router_deg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NikonovAleksei/zabbix/165fa9ac15c298718946a37d82f4a56e1301de45/icons/router_deg.png

--------------------------------------------------------------------------------
/icons/router_disable.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NikonovAleksei/zabbix/165fa9ac15c298718946a37d82f4a56e1301de45/icons/router_disable.png

--------------------------------------------------------------------------------
/icons/router_main.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NikonovAleksei/zabbix/165fa9ac15c298718946a37d82f4a56e1301de45/icons/router_main.png

--------------------------------------------------------------------------------
/icons/switch_def.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NikonovAleksei/zabbix/165fa9ac15c298718946a37d82f4a56e1301de45/icons/switch_def.png

--------------------------------------------------------------------------------
/icons/switch_deg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NikonovAleksei/zabbix/165fa9ac15c298718946a37d82f4a56e1301de45/icons/switch_deg.png

--------------------------------------------------------------------------------
/icons/switch_disable.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NikonovAleksei/zabbix/165fa9ac15c298718946a37d82f4a56e1301de45/icons/switch_disable.png

--------------------------------------------------------------------------------
/icons/switch_main.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NikonovAleksei/zabbix/165fa9ac15c298718946a37d82f4a56e1301de45/icons/switch_main.png

--------------------------------------------------------------------------------