I only want to monitor a specific AD group. The check works quite well so far, but I am also receiving feedback from other groups regarding this Event ID. The check is supposed to run every 5 minutes and return data from the last 10 minutes. I am receiving the following output:
Eventlog Security: 1 Critical Event source Microsoft-Windows-Security-Auditing
_ Event source Microsoft-Windows-Security-Auditing
_ Found 1 event(s) for event id 4728 in timeframe [06/02/2026 09:31:04] - [06/02/2026 09:31:04]
_ Event Message: A member was added to a security-enabled global group.Subject: Security ID: XXXXXXXXXXXXX-XXXXXXXXXXXXXXXXXX Account Name: XXXXXXXXXXX Account Domain: XXXXX Logon ID:XXXXXX-XXXXXXXX Member: Security ID: S-1-5-21-331945610-768685722-1232828436-16191 Account Name: CN=XXXXX,OU=XXXXX,OU=XXXXXXX,DC=XXXXXXX,DC=XXXXX Group: Security ID: XXXXXXXXXXX_XXXXXXXXXXX_XXX Group Name: XXXXXXXXXX-XXXXXXXXX Group Domain: XXXXXXXXXXXXX Information: Privileges: -
_ Number of events found for Id 4728: 1 is greater than threshold 0
I tried it with the -regex flag and the -IncludeMessage flag.
Neither of them worked; can someone show me where my mistake is?
- Icinga for Windows output - See below.
- Version used - 2.13.2
- Operating System and version - Ubuntu 22.04
- Enabled features - api checker icingadb influxdb2 mainlog notification
- Icinga Web 2 version and modules - 2.12.6
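One way to restrict a 4728 check to a single group is to filter on the structured `TargetUserName` field in the event XML instead of matching text in the rendered message. The script below is an added example, not code from the original post or from the Icinga for Windows plugins; the group name `Domain Admins`, the 10-minute window and the OK/CRITICAL exit codes are assumptions chosen for illustration.

```powershell
# Added example (not from the original post or the Icinga plugins):
# count Security event 4728 for one AD group over the last 10 minutes,
# filtering on the EventData field TargetUserName rather than on message text.
# 'Domain Admins' is an assumed group name; replace it with the group you monitor.
$GroupName = 'Domain Admins'
$WindowMs  = 10 * 60 * 1000   # XPath timediff() compares in milliseconds

# XPath against the Security log: event id, time window and the group name field.
# '&lt;' is required because the comparison sits inside an XML document.
$Query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[EventID=4728 and TimeCreated[timediff(@SystemTime) &lt;= $WindowMs]]]
      and *[EventData[Data[@Name='TargetUserName']='$GroupName']]
    </Select>
  </Query>
</QueryList>
"@

# SilentlyContinue suppresses the "No events were found" error when the log is clean.
$Events = Get-WinEvent -FilterXml $Query -ErrorAction SilentlyContinue

# Project the structured fields so the output shows who added whom to which group.
$Hits = @(foreach ($e in $Events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Group   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Member  = $d.MemberName
        Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
    }
})

if ($Hits.Count -gt 0) {
    $Hits | Format-Table -AutoSize | Out-String | Write-Output
    Write-Output "CRITICAL: $($Hits.Count) member addition(s) to '$GroupName' in the last 10 minutes"
    exit 2
}

Write-Output "OK: no member additions to '$GroupName' in the last 10 minutes"
exit 0
```

Run it from an elevated PowerShell session on the domain controller or on a host that forwards the Security log, and compare the count against what the Icinga check reports for the same window. Because the filter keys on the `TargetUserName` data field, additions to other groups are excluded before any threshold is applied, which is the behaviour the message-based `-IncludeMessage` filter in the post was expected to give.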