[ZBXNEXT-7943] Missing info and examples on how to specify certain Windows Event logs Created: 2022 Aug 25  Updated: 2025 Mar 04  Resolved: 2025 Mar 03

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Documentation (D)
Affects Version/s: None
Fix Version/s: None

Type: New Feature Request Priority: Medium
Reporter: Matthew Steeves Assignee: Marina Generalova
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File event_viewer_example.png    
Issue Links:
Causes
causes ZBXNEXT-9849 Create a How-to guide for Windows eve... IN DOCUMENTING
Story Points: 1

 Description   

I wanted to monitor a Windows Event log: "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"

I wasn't sure how to specify the name correctly. I went to the Zabbix Windows event log documentation page.
The description of the name parameter just said: "name of event log". The event log above has spaces in the name. I wasn't sure whether quotes were necessary. I tried including quotes and it worked, but from other examples online, it would seem quotes aren't necessary.

The provided examples only dealt with the "classic" event logs, like "Application" or "System".
But with the newer style event logs, sometimes the log name in the Event viewer GUI doesn't match the file name on disk. For instance, in the example below, within the Event Viewer GUI, the Log Name field differs from the File name on disk. Which one does the agent expect for the Name parameter?
GUI: Microsoft-Windows-Windows Remote Management/Operational
File on disk: Microsoft-Windows-WinRM%4Operational.evtx

From my research, you are supposed to use the file on disk, but with the "%4" replaced with '/'.

To summarize, the documentation would be improved by:

1) Clarifying whether quotes are required when the log name contains spaces

2) Clarifying whether the agent expects the actual file name, or the name shown within the Event Viewer GUI (which is often the tool people will be using to view the logs, and so naturally may think the logname displayed within it is the one to use)

3) Adding an example where the item key is using a newer-style Windows Event log

Thanks!

Matt

 



 Comments   
Comment by Marina Generalova [ 2025 Feb 27 ]

I have updated descriptions for eventlog and eventlog.count in 7.0, 7.2, and 7.4 to make it clear that Zabbix agent expects the log channel name, which is displayed as Log name in the Event viewer.

As for using quotes, the rules there are the same as for any other item key parameter: quotation marks are only required to escape commas or the right square bracket. However, we have added an example with spaces in the log name to illustrate this use case and another example with a newer-style log channel name.

Also, we will add a step-by-step guide for setting up event log monitoring in ZBXNEXT-9849.

Comment by Matthew Steeves [ 2025 Mar 04 ]

Thanks, Marina - good info! I worry I'm being pedantic, but I don't see a field called "Log Name" in the Event Viewer on my Windows 10 PC. I believe the field you're referring to is "Full Name" found under "Log Properties".
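
An added example (not part of this issue or of the Zabbix documentation) that builds an `eventlog[...]` item key from a channel name, quoting a parameter only when the key syntax needs it, and derives a channel name from an `.evtx` file name with the `%4` to `/` substitution the reporter describes. The function names are hypothetical, and quoting on a leading `"`, `[` or space is an assumption taken from the general item key syntax rather than from this thread.

```python
"""Build Zabbix `eventlog[...]` item keys for Windows event log channels."""


def evtx_to_channel(filename: str) -> str:
    # Assumption (the reporter's observation): the file on disk is the
    # channel name with "/" stored as "%4". Other escapes are not handled.
    name = filename.replace("/", "\\").rsplit("\\", 1)[-1]
    if name.lower().endswith(".evtx"):
        name = name[: -len(".evtx")]
    return name.replace("%4", "/")


def quote_param(value: str) -> str:
    """Quote one item key parameter only when it cannot be written bare."""
    must_quote = (
        "," in value            # comma would split the parameter
        or "]" in value         # right square bracket would end the key
        # Assumption from the general key syntax: these leading characters
        # change how an unquoted parameter is parsed.
        or value.startswith(('"', "[", " "))
    )
    if not must_quote:
        return value            # spaces inside a name need no quotes
    return '"' + value.replace('"', '\\"') + '"'


def eventlog_key(channel, regexp="", severity="", source="",
                 eventid="", maxlines="", mode=""):
    """Return eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>]."""
    params = [channel, regexp, severity, source, eventid, maxlines, mode]
    while len(params) > 1 and params[-1] == "":
        params.pop()            # drop trailing empty optional parameters
    return "eventlog[" + ",".join(quote_param(p) for p in params) + "]"


if __name__ == "__main__":
    # Channel with spaces, taken from the issue description.
    print(eventlog_key(
        "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"))
    # Channel derived from the file name quoted in the issue description.
    print(eventlog_key(evtx_to_channel("Microsoft-Windows-WinRM%4Operational.evtx")))
    # Constructed sample filters: one needs quoting, one does not.
    print(eventlog_key("System", regexp="[Ee]rror"))
    print(eventlog_key("Security", eventid="^(4624|4625)$", mode="skip"))
```

Check the derived name against the channel's properties on the monitored host before relying on it, since the thread itself shows the displayed name and the file name can differ.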
