It is possible for a Windows server to forward its events to a "subscribing" server. In this scenario the collector server becomes a central repository for the Windows logs of other servers in the network. Zabbix agent can be installed on the collector and used to monitor the logs received from those servers.
The issue is that Zabbix agent does not send events from the "Forwarded Events" event log on the collector. It does not generate any errors either.
Details:
- Zabbix agent has 2 items:
  eventlog[ForwardedEvents,,,,4625,,]
  eventlog[Security,,,,4625,,]
- It sends events from the Security log, but does not send them for ForwardedEvents
- It does not generate an error for ForwardedEvents either
- Tried changing the user from System to administrator - didn't help
Debug output gives no clue about the root cause:
6328:20170625:203913.873 got [{"response":"success","data":[{"key":"eventlog[ForwardedEvents,,,,4625,,]","delay":1,"lastlogsize":0,"mtime":0},{"key":"eventlog[Security,,,,4625,,]","delay":1,"lastlogsize":47652,"mtime":0}]}]
6328:20170625:203923.490 In process_active_checks() server:'<some IP>' port:10051
6328:20170625:203923.502 In initialize_eventlog6() source:'ForwardedEvents' previous lastlogsize:0
6328:20170625:203923.502 In zbx_open_eventlog6()
6328:20170625:203923.502 End of zbx_open_eventlog6():SUCCEED FirstID:5544 LastID:12572 numIDs:7028
6328:20170625:203923.502 In zbx_get_handle_eventlog6(), previous lastlogsize:0
6328:20170625:203923.502 End of zbx_get_handle_eventlog6():SUCCEED
6328:20170625:203923.519 End of initialize_eventlog6():SUCCEED
6328:20170625:203923.519 In process_eventlog6() source: 'ForwardedEvents' previous lastlogsize: 0, FirstID: 5544, LastID: 12572
6328:20170625:203923.519 In zbx_get_eventlog_message6() EventRecordID:5544
6328:20170625:203923.614 End of zbx_get_eventlog_message6():SUCCEED
6328:20170625:203923.627 End of process_eventlog6():SUCCEED
6328:20170625:203923.627 In finalize_eventlog6()
6328:20170625:203923.627 End of finalize_eventlog6():SUCCEED
6328:20170625:203923.627 In need_meta_update() key:eventlog[ForwardedEvents,,,,4625,,]
6328:20170625:203923.645 End of need_meta_update():FAIL
6328:20170625:203924.738 In process_active_checks() server:'<some IP>' port:10051
6328:20170625:203924.738 In initialize_eventlog6() source:'ForwardedEvents' previous lastlogsize:0
6328:20170625:203924.738 In zbx_open_eventlog6()
6328:20170625:203924.755 End of zbx_open_eventlog6():SUCCEED FirstID:5544 LastID:12584 numIDs:7040
6328:20170625:203924.755 In zbx_get_handle_eventlog6(), previous lastlogsize:0
6328:20170625:203924.755 End of zbx_get_handle_eventlog6():SUCCEED
6328:20170625:203924.770 End of initialize_eventlog6():SUCCEED
6328:20170625:203924.770 In process_eventlog6() source: 'ForwardedEvents' previous lastlogsize: 0, FirstID: 5544, LastID: 12584
6328:20170625:203924.770 In zbx_get_eventlog_message6() EventRecordID:5544
6328:20170625:203924.865 End of zbx_get_eventlog_message6():SUCCEED
6328:20170625:203924.865 End of process_eventlog6():SUCCEED
6328:20170625:203924.879 In finalize_eventlog6()
6328:20170625:203924.879 End of finalize_eventlog6():SUCCEED
6328:20170625:203924.879 In need_meta_update() key:eventlog[ForwardedEvents,,,,4625,,]
6328:20170625:203924.879 End of need_meta_update():FAIL
Note: the log size is ~30MB (not "lastlogsize:0"). The agent can see that the log has new events but does not send them (e.g. LastID: 12572 --> LastID: 12584).
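The debug output carries the symptom as numbers rather than as an error message: the log's LastID moves from 12572 to 12584 between two cycles, yet every cycle starts from "previous lastlogsize: 0" and ends with need_meta_update():FAIL. The script below is an added example, not part of the report and not Zabbix code. It parses agent debug lines of this shape and flags any event log source whose LastID advances between cycles while the agent's lastlogsize never changes, which separates "the log really has nothing to send" from "the agent reads the log but never acknowledges or sends anything". The sample input is built from the debug lines quoted above; the function and field names (parse_debug, stuck_sources, first_id, last_id, meta_update) are the example's own.

```python
import json
import re

# Sample input constructed from the agent debug lines quoted in the report:
# one "got [...]" active-check response and two process_eventlog6() cycles
# for the ForwardedEvents log, with their need_meta_update() results.
SAMPLE_DEBUG = """\
6328:20170625:203913.873 got [{"response":"success","data":[{"key":"eventlog[ForwardedEvents,,,,4625,,]","delay":1,"lastlogsize":0,"mtime":0},{"key":"eventlog[Security,,,,4625,,]","delay":1,"lastlogsize":47652,"mtime":0}]}]
6328:20170625:203923.519 In process_eventlog6() source: 'ForwardedEvents' previous lastlogsize: 0, FirstID: 5544, LastID: 12572
6328:20170625:203923.645 End of need_meta_update():FAIL
6328:20170625:203924.770 In process_eventlog6() source: 'ForwardedEvents' previous lastlogsize: 0, FirstID: 5544, LastID: 12584
6328:20170625:203924.879 End of need_meta_update():FAIL
"""

# Agent debug line layout: pid:yyyymmdd:hhmmss.mmm message
LINE_RE = re.compile(r"^(\d+):(\d{8}):(\d{6}\.\d{3}) (.*)$")
GOT_RE = re.compile(r"^got \[(.*)\]$")
CYCLE_RE = re.compile(
    r"^In process_eventlog6\(\) source: '([^']+)' previous lastlogsize: (\d+), "
    r"FirstID: (\d+), LastID: (\d+)$"
)
META_RE = re.compile(r"^End of need_meta_update\(\):(SUCCEED|FAIL)$")


def parse_debug(text):
    """Return (active_checks, cycles).

    active_checks maps each item key the server sent to the lastlogsize the
    server holds for it; cycles is one dict per process_eventlog6() call with
    the source, the agent's previous lastlogsize, the log's FirstID/LastID and
    the result of the need_meta_update() call that followed it.
    """
    active_checks = {}
    cycles = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(4)
        got = GOT_RE.match(msg)
        if got:
            # The outer [] is debug quoting; the inside is the server's JSON.
            for item in json.loads(got.group(1)).get("data", []):
                active_checks[item["key"]] = int(item.get("lastlogsize", 0))
            continue
        cyc = CYCLE_RE.match(msg)
        if cyc:
            cycles.append({
                "source": cyc.group(1),
                "lastlogsize": int(cyc.group(2)),
                "first_id": int(cyc.group(3)),
                "last_id": int(cyc.group(4)),
                "meta_update": None,
            })
            continue
        meta = META_RE.match(msg)
        if meta and cycles and cycles[-1]["meta_update"] is None:
            cycles[-1]["meta_update"] = meta.group(1)
    return active_checks, cycles


def stuck_sources(cycles):
    """Flag sources whose LastID advanced between cycles while the agent's
    previous lastlogsize never changed: the log grew, but the agent kept
    restarting from the same position and never acknowledged any event."""
    by_source = {}
    for c in cycles:
        by_source.setdefault(c["source"], []).append(c)
    findings = {}
    for source, cs in by_source.items():
        if len(cs) < 2:
            continue
        last_ids = [c["last_id"] for c in cs]
        sizes = {c["lastlogsize"] for c in cs}
        if last_ids[-1] > last_ids[0] and len(sizes) == 1:
            findings[source] = {
                "lastlogsize": sizes.pop(),
                "last_id_from": last_ids[0],
                "last_id_to": last_ids[-1],
                "meta_update_fail": all(c["meta_update"] == "FAIL" for c in cs),
            }
    return findings


if __name__ == "__main__":
    active, cycles = parse_debug(SAMPLE_DEBUG)
    for key, size in active.items():
        print(f"server lastlogsize for {key}: {size}")
    for source, f in stuck_sources(cycles).items():
        print(f"{source}: LastID {f['last_id_from']} -> {f['last_id_to']} "
              f"but lastlogsize stuck at {f['lastlogsize']} "
              f"(need_meta_update FAIL on every cycle: {f['meta_update_fail']})")
```

To use it on a real agent, pass the contents of the agent log written with DebugLevel=4 to parse_debug instead of SAMPLE_DEBUG; a source that appears in stuck_sources while the Security source does not is exactly the asymmetry the report describes, and it is worth comparing against the server's lastlogsize in the "got" response to confirm the position is not being advanced on either side.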