Windows by Zabbix agent.yaml
zabbix_export:
version: '6.4'
template_groups:
- uuid: 846977d1dfed4968bc5f8bdb363285bc
name: 'Templates/Operating systems'
templates:
- uuid: 13b06904a6bf41cbb795e3193d896340
template: 'Windows by Zabbix agent'
name: 'Windows by Zabbix agent'
description: |
Official Windows template.
Modified by VijayK.
GitHub: https://github.com/VSKUMBHANI/
vendor:
name: 'https://github.com/VSKUMBHANI'
version: 6.4-0
groups:
- name: 'Templates/Operating systems'
items:
- uuid: af550a1bfe74428eb24492d8af3b405e
name: 'Host name of Zabbix agent running'
key: agent.hostname
delay: 1h
history: 7d
trends: '0'
value_type: CHAR
preprocessing:
- type: DISCARD_UNCHANGED_HEARTBEAT
parameters:
- 1d
tags:
- tag: component
value: system
- uuid: f81e2ce0d1104f9aaf1fc49284ed0ed4
name: 'Zabbix agent ping'
key: agent.ping
history: 7d
description: 'The agent always returns 1 for this item. It could be used in combination with nodata() for availability check.'
valuemap:
name: 'Zabbix agent ping status'
tags:
- tag: component
value: system
- uuid: 5707443d739d4689bde192e75ff4bd0f
name: 'Version of Zabbix agent running'
key: agent.version
delay: 1h
history: 7d
trends: '0'
value_type: CHAR
preprocessing:
- type: DISCARD_UNCHANGED_HEARTBEAT
parameters:
- 1d
tags:
- tag: component
value: application
# Active-agent log item: reads Event ID 21 entries from the
# TerminalServices-LocalSessionManager/Operational channel every 10 s and
# stores them as LOG values for 7 days (no trends).
# NOTE(review): the event-ID filter `^21` is a regular expression anchored only
# at the start, so it also accepts any ID that merely begins with 21; `^21$`
# would pin it to the single event - confirm which is intended.
# NOTE(review): 7d of history is the only retention visible here; if logon
# records are needed for later investigation, confirm they are kept elsewhere.
- uuid: 15cdef2c2dff457ca1ecea74b2c11b9e
name: 'Login Event ID 21'
type: ZABBIX_ACTIVE
key: 'eventlog[Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,,,,^21,,skip]'
delay: 10s
history: 7d
trends: '0'
value_type: LOG
preprocessing:
- type: JAVASCRIPT
parameters:
- |
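//User_External_Login_Zabbix_v4
// Preprocessing step for Event ID 21 entries (TerminalServices-LocalSessionManager).
// Input:  `value` - the raw event text handed over by Zabbix.
// Output: a short summary with user name and source address; for addresses outside
//         the ranges in `localregex` the summary also carries geo-IP details.
// When the event text does not have the expected layout, the raw text is returned
// unchanged so the logon record is still stored instead of the step failing.
// Written without arrow functions or template literals, matching the original script.
const log = value;
// The event body uses \r\n line endings; the earlier \n-only attempts did not match.
const regex = /Remote Desktop Services:\s(.+?):\r\n\r\nUser:\s(.+?)\r\nSession ID:\s([\d\.]+)\r\nSource Network Address:\s([\d\.]+|LOCAL)/g;
// Addresses treated as internal, plus the literal LOCAL used for console sessions.
const localregex = /\b192\.168\.(16[6-9]|1[7-8][0-9]|19[0-1])\.(25[0-4]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b|\b192\.168\.(10|11)\.(25[0-4]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b|\b192\.168\.150\.([1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])\b|\bLOCAL\b/g;
const match = regex.exec(log);
if (match === null) {
    // The pattern only covers dotted-decimal addresses and LOCAL; anything else
    // (or a differently worded event) would otherwise throw on match[1] and
    // the logon event would be lost.
    return log;
}
const user = match[2];
const ip = match[4];
if (localregex.test(ip)) {
    return "Login from the local device detect. \n Username: "+user+"\n" + "IP: "+ip;
}
// `ip` can only contain digits and dots here (LOCAL was handled above), so it is
// safe to append to the URL as-is.
// NOTE(review): this sends every external source address to a third-party service
// over plain HTTP; the reply is unauthenticated, so the location fields in the
// alert are informational only and should not drive automated decisions.
const url = 'http://ip-api.com/json/' + ip;
// The parsed reply gets its own variable: the original assigned it back to a
// `const` binding, which cannot be reassigned.
var geo;
try {
    const http = new HttpRequest();
    geo = JSON.parse(http.get(url)); // Fetch the lookup result and decode the JSON.
} catch (err) {
    // A failed or blocked lookup must not suppress the outside-login record.
    return "Login from the outside device detect. \n Username: "+user+"\n"+"IP: "+ip+"\n"+"Geo lookup: unavailable";
}
return "Login from the outside device detect. \n Username: "+user+"\n"+"IP: "+geo.query+"\n"+"Country: "+geo.country+"\n"+"State: "+geo.regionName+ "\n" +"City: "+geo.city+"\n"+"ISP: "+geo.isp;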
# Two triggers on the Event ID 21 item. Both carry a nodata(...)=0 term, so each
# is in problem state only while a value arrived within the given window
# (20 s and 10 s respectively).
# NOTE(review): windows this short may be below the interval at which the server
# re-evaluates nodata() - confirm the triggers open and resolve as intended.
triggers:
- uuid: 04321bd10b5e461094a5c083c8bd1de2
expression: 'logeventid(/Windows by Zabbix agent/eventlog[Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,,,,^21,,skip])=1 and nodata(/Windows by Zabbix agent/eventlog[Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,,,,^21,,skip],20)=0'
name: 'Login 21 {ITEM.VALUE}'
priority: AVERAGE
# Opens when the stored value does not match the global regular expression
# referenced as @LocalIP. That expression lives on the Zabbix server and is not
# visible in this part of the export - confirm it exists after import and that it
# covers the same ranges as `localregex` in the item's JavaScript step; if the two
# differ, the alert text and this trigger disagree about what counts as outside.
- uuid: a0d3627d2d5e45b295bdb1b270b64903
expression: 'find(/Windows by Zabbix agent/eventlog[Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,,,,^21,,skip],,"iregexp","@LocalIP")=0 and nodata(/Windows by Zabbix agent/eventlog[Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,,,,^21,,skip],10)=0'
name: 'User Login from Outside Network'
event_name: 'Outside Network Login detect {ITEM.VALUE}'
priority: AVERAGE
# Collection-only items: none of the three below has preprocessing or triggers
# in the lines shown, so they store raw events without alerting.
# Event ID 23 from the LocalSessionManager channel, polled every 10 s.
- uuid: 1a677e4347c544df85fa963f360ff7a0
name: 'Logoff Event ID 23'
type: ZABBIX_ACTIVE
key: 'eventlog[Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,,,,^23,,skip]'
delay: 10s
history: 7d
trends: '0'
value_type: LOG
# Event ID 1149 from the RemoteConnectionManager channel.
# NOTE(review): the ID filter `1149` is a regular expression with no anchors, so
# it accepts any event ID containing 1149 - confirm `^1149$` is not what was meant.
- uuid: 8c62e3529c1749209db8c071a3d1f292
name: 'Login Event ID 1149'
type: ZABBIX_ACTIVE
key: 'eventlog[Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational,,,,1149,,skip]'
delay: 10s
history: 7d
trends: '0'
value_type: LOG
# Second item on the same channel and event ID; it differs in the start-anchored
# filter `^1149`, the empty mode parameter and the absence of an explicit delay.
# NOTE(review): presumably a leftover duplicate of the item above - confirm, and
# check what the agent's default mode does with entries written before the item existed.
- uuid: 31cce8af1b46473cba4495b67c6839f0
name: 'User Login'
type: ZABBIX_ACTIVE
key: 'eventlog[Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational,,,,^1149,,]'
history: 7d
trends: '0'
value_type: LOG
# Active-agent log item: reads Event ID 4625 entries from the Security log every
# 10 s and keeps them as LOG values for 7 days (no trends).
# NOTE(review): `^4625` is anchored only at the start; `^4625$` would restrict the
# filter to exactly this event ID - confirm.
# NOTE(review): reading the Security log requires the agent to run with rights to
# that log - confirm the agent's service account on monitored hosts.
- uuid: db648910cf8d433cb06c0786848f2693
name: 'Failed Login Event 4625'
type: ZABBIX_ACTIVE
key: 'eventlog[Security,,,,^4625,,skip]'
delay: 10s
history: 7d
trends: '0'
value_type: LOG
preprocessing:
- type: JAVASCRIPT
parameters:
- |
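// Preprocessing step for Security Event ID 4625 (failed logon).
// Input:  `value` - the raw event text handed over by Zabbix.
// Output: a summary with the account name(s), source address, workstation name and
//         failure reason taken from the event text.
// When one of the labelled fields cannot be found, the raw text is returned
// unchanged so the event is still stored and counted instead of the step failing.
// NOTE(review): account and workstation names are supplied by the connecting
// client; treat the summary as untrusted text wherever alerts are rendered.
const logonData = value;
// Every "Account Name:" value except the "-" placeholder.
const regex = /Account Name:\s*(?!-)(\S+)/g;
var match, accountNames = [];
while ((match = regex.exec(logonData))) {
    accountNames.push(match[1]);
}
// Returns the first capture group of `pattern` in the event text, or null when
// the label is absent (the original indexed the match result directly, which
// throws when match() returns null).
function firstCapture(pattern) {
    var found = logonData.match(pattern);
    return found === null ? null : found[1];
}
const failureReason = firstCapture(/Failure Reason:\s+(.+)$/m);
const sourceNetworkAddress = firstCapture(/Source Network Address:\s+(.+)$/m);
const workstationName = firstCapture(/Workstation Name:\s+(.+)$/m);
if (failureReason === null || sourceNetworkAddress === null || workstationName === null) {
    // The labels are matched as literal English text; an event worded differently
    // would otherwise abort the step and drop the failed-logon record.
    return logonData;
}
// accountNames is an array; string concatenation joins its entries with commas.
return "Account Name: " + accountNames + "\nIP Address: " + sourceNetworkAddress + "\nDevice: " + workstationName + "\nFailure reason: " + failureReason;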
# Opens when at least 3 values of the 4625 item were collected within 5 minutes
# and one of them arrived in the last 20 s.
# The count is per host and does not look at the account or source address in
# the value, so failures spread across hosts, or fewer than 3 per 5 minutes on
# one host, are not covered by this trigger.
# NOTE(review): the 20 s nodata() window may be shorter than the interval at which
# the server re-evaluates nodata() - confirm the trigger behaves as intended.
triggers:
- uuid: f099c15b02f94123bf7ee6320c2463a9
expression: 'count(/Windows by Zabbix agent/eventlog[Security,,,,^4625,,skip],5m)>=3 and nodata(/Windows by Zabbix agent/eventlog[Security,,,,^4625,,skip],20s)=0'
name: 'Multiple failed login detect'
priority: WARNING
tags:
- tag: scope
value: authentication
- uuid: e2ed503a53784dfda26d39f52dc26484
name: 'User Active Session'
key: 'perf_counter[\Terminal Services\Active Sessions]'
delay: 2m
history: 2d
trends: 5d
- uuid: fd0c9b6ca7c6488391fb64a685369fd6
name: 'User Inactive Session'
key: 'perf_counter[\Terminal Services\Inactive Sessions]'
delay: 2m
history: 2d
trends: 5d
- uuid: 420fb7d10f0b4d5eaf7091db798462d2
name: 'User Total Session'
key: 'perf_counter[\Terminal Services\Total Sessions]'
delay: 2m
history: 2d
trends: 5d
- uuid: 5219a246de0641a89685a961cdd08c0b
name: 'Cache bytes'
key: 'perf_counter_en["\Memory\Cache Bytes"]'
history: 7d
units: B
description: |
Cache Bytes is the sum of the Memory\\System Cache Resident Bytes, Memory\\System Driver Resident Bytes,
Memory\\System Code Resident Bytes, and Memory\\Pool Paged Resident Bytes counters. This counter displays
the last observed value only; it is not an average.
tags:
- tag: component
value: memory
- uuid: 2ea74fafb9334de095adcb47cced578d
name: 'Free system page table entries'
key: 'perf_counter_en["\Memory\Free System Page Table Entries"]'
history: 7d
description: |
This indicates the number of page table entries not currently in use by the system. If the number is less
than 5,000, there may well be a memory leak or you running out of memory.
tags:
- tag: component
value: memory
triggers:
- uuid: e3118e2e6109460f80cc2d56795ed42f
expression: 'max(/Windows by Zabbix agent/perf_counter_en["\Memory\Free System Page Table Entries"],5m)<{$MEM.PAGE_TABLE_CRIT.MIN}'
name: 'Number of free system page table entries is too low'
event_name: 'Number of free system page table entries is too low (less {$MEM.PAGE_TABLE_CRIT.MIN} for 5m)'
priority: WARNING
description: 'The Memory Free System Page Table Entries is less than {$MEM.PAGE_TABLE_CRIT.MIN} for 5 minutes. If the number is less than 5,000, there may well be a memory leak.'
dependencies:
- name: 'High memory utilization'
expression: 'min(/Windows by Zabbix agent/vm.memory.util,5m)>{$MEMORY.UTIL.MAX}'
tags:
- tag: scope
value: capacity
- uuid: 6c41d254585a4d7b81a0c5766a8913c1
name: 'Memory page faults per second'
key: 'perf_counter_en["\Memory\Page Faults/sec"]'
history: 7d
value_type: FLOAT
description: |
Page Faults/sec is the average number of pages faulted per second. It is measured in number of pages
faulted per second because only one page is faulted in each fault operation, hence this is also equal
to the number of page fault operations. This counter includes both hard faults (those that require
disk access) and soft faults (where the faulted page is found elsewhere in physical memory.) Most
processors can handle large numbers of soft faults without significant consequence. However, hard faults,
which require disk access, can cause significant delays.
tags:
- tag: component
value: memory
- uuid: 287163bc5b0441c4bf51489432a278eb
name: 'Memory pages per second'
key: 'perf_counter_en["\Memory\Pages/sec"]'
history: 7d
value_type: FLOAT
description: |
This measures the rate at which pages are read from or written to disk to resolve hard page faults.
If the value is greater than 1,000, as a result of excessive paging, there may be a memory leak.
tags:
- tag: component
value: memory
triggers:
- uuid: ab4c9a66d16f42e6a32f6144f4d2a3ca
expression: 'min(/Windows by Zabbix agent/perf_counter_en["\Memory\Pages/sec"],5m)>{$MEM.PAGE_SEC.CRIT.MAX}'
name: 'The Memory Pages/sec is too high'
event_name: 'The Memory Pages/sec is too high (over {$MEM.PAGE_SEC.CRIT.MAX} for 5m)'
priority: WARNING
description: 'The Memory Pages/sec in the last 5 minutes exceeds {$MEM.PAGE_SEC.CRIT.MAX}. If the value is greater than 1,000, as a result of excessive paging, there may be a memory leak.'
dependencies:
- name: 'High memory utilization'
expression: 'min(/Windows by Zabbix agent/vm.memory.util,5m)>{$MEMORY.UTIL.MAX}'
tags:
- tag: scope
value: capacity
- uuid: fb822cb2a17948208a61bd6661c496df
name: 'Memory pool non-paged'
key: 'perf_counter_en["\Memory\Pool Nonpaged Bytes"]'
history: 7d
units: B
description: |
This measures the size, in bytes, of the non-paged pool. This is an area of system memory for objects
that cannot be written to disk but instead must remain in physical memory as long as they are allocated.
There is a possible memory leak if the value is greater than 175MB (or 100MB with the /3GB switch).
A typical Event ID 2019 is recorded in the system event log.
tags:
- tag: component
value: memory
- uuid: b99a722d267d455fad3c07c53302b20f
name: 'Used swap space in %'
key: 'perf_counter_en["\Paging file(_Total)\% Usage"]'
history: 7d
value_type: FLOAT
units: '%'
description: 'The used space of swap volume/file in percent.'
tags:
- tag: component
value: memory
- tag: component
value: storage
- uuid: ee1f116fdab34969a6e6f5e1c25fc3d2
name: 'CPU DPC time'
key: 'perf_counter_en["\Processor Information(_total)\% DPC Time"]'
history: 7d
value_type: FLOAT
units: '%'
description: |
Processor DPC time is the time that a single processor spent receiving and servicing deferred procedure
calls (DPCs). DPCs are interrupts that run at a lower priority than standard interrupts. % DPC Time is a
component of % Privileged Time because DPCs are executed in privileged mode. If a high % DPC Time is
sustained, there may be a processor bottleneck or an application or hardware related issue that can
significantly diminish overall system performance.
tags:
- tag: component
value: cpu
- uuid: e403552481b04ebdba2e8a019f114f20
name: 'CPU interrupt time'
key: 'perf_counter_en["\Processor Information(_total)\% Interrupt Time"]'
history: 7d
value_type: FLOAT
units: '%'
description: |
The Processor Information\% Interrupt Time is the time the processor spends receiving and servicing
hardware interrupts during sample intervals. This value is an indirect indicator of the activity of
devices that generate interrupts, such as the system clock, the mouse, disk drivers, data communication
lines, network interface cards and other peripheral devices. This is an easy way to identify a potential
hardware failure. This should never be higher than 20%.
tags:
- tag: component
value: cpu
triggers:
- uuid: f67bedcb282349b2aac052baf4963480
expression: 'min(/Windows by Zabbix agent/perf_counter_en["\Processor Information(_total)\% Interrupt Time"],5m)>{$CPU.INTERRUPT.CRIT.MAX}'
name: 'CPU interrupt time is too high'
event_name: 'CPU interrupt time is too high (over {$CPU.INTERRUPT.CRIT.MAX}% for 5m)'
priority: WARNING
description: |
"The CPU Interrupt Time in the last 5 minutes exceeds {$CPU.INTERRUPT.CRIT.MAX}%."
The Processor Information\% Interrupt Time is the time the processor spends receiving and servicing
hardware interrupts during sample intervals. This value is an indirect indicator of the activity of
devices that generate interrupts, such as the system clock, the mouse, disk drivers, data communication
lines, network interface cards and other peripheral devices. This is an easy way to identify a potential
hardware failure. This should never be higher than 20%.
dependencies:
- name: 'High CPU utilization'
expression: 'min(/Windows by Zabbix agent/system.cpu.util,5m)>{$CPU.UTIL.CRIT}'
tags:
- tag: scope
value: performance
- uuid: 37448f05afe340a3891d05528c9d1adc
name: 'CPU privileged time'
key: 'perf_counter_en["\Processor Information(_total)\% Privileged Time"]'
history: 7d
value_type: FLOAT
units: '%'
description: |
The Processor Information\% Privileged Time counter shows the percent of time that the processor is spent
executing in Kernel (or Privileged) mode. Privileged mode includes services interrupts inside Interrupt
Service Routines (ISRs), executing Deferred Procedure Calls (DPCs), Device Driver calls and other kernel-mode
functions of the Windows® Operating System.
tags:
- tag: component
value: cpu
triggers:
- uuid: 4d099256b3ba42f1b90143e2014900dd
expression: 'min(/Windows by Zabbix agent/perf_counter_en["\Processor Information(_total)\% Privileged Time"],5m)>{$CPU.PRIV.CRIT.MAX}'
name: 'CPU privileged time is too high'
event_name: 'CPU privileged time is too high (over {$CPU.PRIV.CRIT.MAX}% for 5m)'
priority: WARNING
description: 'The CPU privileged time in the last 5 minutes exceeds {$CPU.PRIV.CRIT.MAX}%.'
dependencies:
- name: 'CPU interrupt time is too high'
expression: 'min(/Windows by Zabbix agent/perf_counter_en["\Processor Information(_total)\% Interrupt Time"],5m)>{$CPU.INTERRUPT.CRIT.MAX}'
- name: 'High CPU utilization'
expression: 'min(/Windows by Zabbix agent/system.cpu.util,5m)>{$CPU.UTIL.CRIT}'
tags:
- tag: scope
value: performance
- uuid: 575912d512624143b564ca0fbfd0bb8f
name: 'CPU user time'
key: 'perf_counter_en["\Processor Information(_total)\% User Time"]'
history: 7d
value_type: FLOAT
units: '%'
description: |
The Processor Information\% User Time counter shows the percent of time that the processor(s) is spent executing
in User mode.
tags:
- tag: component
value: cpu
- uuid: 2322a85bfc1049a3b5c892d83b5d5054
name: 'Context switches per second'
key: 'perf_counter_en["\System\Context Switches/sec"]'
history: 7d
value_type: FLOAT
description: |
Context Switches/sec is the combined rate at which all processors on the computer are switched from one thread to another.
Context switches occur when a running thread voluntarily relinquishes the processor, is preempted by a higher priority ready thread, or switches between user-mode and privileged (kernel) mode to use an Executive or subsystem service.
It is the sum of Thread\\Context Switches/sec for all threads running on all processors in the computer and is measured in numbers of switches.
There are context switch counters on the System and Thread objects. This counter displays the difference between the values observed in the last two samples, divided by the duration of the sample interval.
tags:
- tag: component
value: cpu
- uuid: 002af28df72f4a788c88bc022d88c6dd
name: 'CPU queue length'
key: 'perf_counter_en["\System\Processor Queue Length"]'
history: 7d
value_type: FLOAT
description: |
The Processor Queue Length shows the number of threads that are observed as delayed in the processor Ready Queue
and are waiting to be executed.
tags:
- tag: component
value: cpu
- uuid: 630b7b2af6274936ab80b1dd774113e5
name: 'Number of threads'
key: 'perf_counter_en["\System\Threads"]'
history: 7d
description: 'The number of threads used by all running processes.'
tags:
- tag: component
value: os
- uuid: b305029532f84daf93c8da2d181ac3a1
name: 'Number of processes'
key: 'proc.num[]'
history: 7d
description: 'The number of processes.'
tags:
- tag: component
value: os
- uuid: c2ed8e2efab04564b6c70ee8ad14730f
name: 'CPU utilization'
key: system.cpu.util
history: 7d
value_type: FLOAT
units: '%'
description: 'CPU utilization in %.'
tags:
- tag: component
value: cpu
triggers:
- uuid: 806aa232f56640ab98aacc79491fc4d7
expression: 'min(/Windows by Zabbix agent/system.cpu.util,5m)>{$CPU.UTIL.CRIT}'
name: 'High CPU utilization'
event_name: 'High CPU utilization (over {$CPU.UTIL.CRIT}% for 5m)'
opdata: 'Current utilization: {ITEM.LASTVALUE1}'
priority: WARNING
description: 'CPU utilization is too high. The system might be slow to respond.'
tags:
- tag: scope
value: performance
- uuid: cb056886ce72426e833a0445f9263906
name: 'System name'
key: system.hostname
history: 2w
trends: '0'
value_type: CHAR
description: 'System host name.'
inventory_link: NAME
preprocessing:
- type: DISCARD_UNCHANGED_HEARTBEAT
parameters:
- 1d
tags:
- tag: component
value: system
triggers:
- uuid: 6b50d36a4e29468a9546e880f3004399
expression: 'last(/Windows by Zabbix agent/system.hostname,#1)<>last(/Windows by Zabbix agent/system.hostname,#2) and length(last(/Windows by Zabbix agent/system.hostname))>0'
name: 'System name has changed'
event_name: 'System name has changed (new name: {ITEM.VALUE})'
priority: INFO
description: 'System name has changed. Ack to close.'
manual_close: 'YES'
tags:
- tag: scope
value: notice
- uuid: 94c4dfe23e2e4c6e995a3a715941a8eb
name: 'System local time'
key: system.localtime
history: 7d
units: unixtime
description: 'System local time of the host.'
tags:
- tag: component
value: system
triggers:
- uuid: 37ca2366c8474cc8a49a605e93377601
expression: 'fuzzytime(/Windows by Zabbix agent/system.localtime,{$SYSTEM.FUZZYTIME.MAX})=0'
name: 'System time is out of sync'
event_name: 'System time is out of sync (diff with Zabbix server > {$SYSTEM.FUZZYTIME.MAX}s)'
priority: WARNING
description: 'The host system time is different from the Zabbix server time.'
manual_close: 'YES'
tags:
- tag: scope
value: notice
- uuid: 7e8b3476db6d4322a10cd1a28cbdb7ea
name: 'Operating system architecture'
key: system.sw.arch
delay: 1h
history: 2w
trends: '0'
value_type: CHAR
description: 'Operating system architecture of the host.'
preprocessing:
- type: DISCARD_UNCHANGED_HEARTBEAT
parameters:
- 1d
tags:
- tag: component
value: os
- uuid: 11cac38334544e5cbb028cfd473cb39e
name: 'Free swap space'
type: CALCULATED
key: system.swap.free
history: 7d
units: B
params: 'last(//system.swap.size[,total]) - last(//system.swap.size[,total]) / 100 * last(//perf_counter_en["\Paging file(_Total)\% Usage"])'
description: 'The free space of swap volume/file in bytes.'
tags:
- tag: component
value: memory
- tag: component
value: storage
- uuid: 9c7e3c843a3045df81dddc5d18de267c
name: 'Free swap space in %'
type: DEPENDENT
key: system.swap.pfree
delay: '0'
history: 7d
value_type: FLOAT
units: '%'
description: 'The free space of swap volume/file in percent.'
preprocessing:
- type: JAVASCRIPT
parameters:
- 'return (100 - value)'
master_item:
key: 'perf_counter_en["\Paging file(_Total)\% Usage"]'
tags:
- tag: component
value: memory
- tag: component
value: storage
- uuid: f981835baf04494eaff2f33f159e0ab5
name: 'Total swap space'
key: 'system.swap.size[,total]'
history: 7d
units: B
description: 'The total space of swap volume/file in bytes.'
tags:
- tag: component
value: memory
- tag: component
value: storage
- uuid: b103a2c22fe344f886e9dc9f4e4a65ec
name: 'System description'
key: system.uname
delay: 15m
history: 2w
trends: '0'
value_type: CHAR
description: 'System description of the host.'
inventory_link: OS_FULL
preprocessing:
- type: DISCARD_UNCHANGED_HEARTBEAT
parameters:
- 1d
tags:
- tag: component
value: system
- uuid: 12503fbf4400488e9b5ff0488f164cb6
name: Uptime
key: system.uptime
delay: 30s
history: 2w
trends: 0d
units: uptime
description: 'System uptime in ''N days, hh:mm:ss'' format.'
tags:
- tag: component
value: system
triggers:
- uuid: d27b9eab4034439f91dff41fe6f043ab
expression: 'last(/Windows by Zabbix agent/system.uptime)<10m'
name: 'Host has been restarted'
event_name: 'Host has been restarted (uptime < 10m)'
priority: WARNING
description: 'The device uptime is less than 10 minutes.'
manual_close: 'YES'
tags:
- tag: scope
value: notice
- uuid: 09e9a345a0f445b1a65685911f5eb9b0
name: 'Total memory'
key: 'vm.memory.size[total]'
history: 7d
units: B
description: 'Total memory in Bytes.'
tags:
- tag: component
value: memory
- uuid: 1cbf45e11dab453797fe291639aa0c01
name: 'Used memory'
key: 'vm.memory.size[used]'
history: 7d
units: B
description: 'Used memory in Bytes.'
tags:
- tag: component
value: memory
- uuid: 3b1e4ecaa04a46e9b0aee956918f0713
name: 'Memory utilization'
type: CALCULATED
key: vm.memory.util
history: 7d
value_type: FLOAT
units: '%'
params: 'last(//vm.memory.size[used]) / last(//vm.memory.size[total]) * 100'
description: 'Memory utilization in %.'
tags:
- tag: component
value: memory
triggers:
- uuid: b442993bb2a6404a8ebcb7be39d16ce6
expression: 'min(/Windows by Zabbix agent/vm.memory.util,5m)>{$MEMORY.UTIL.MAX}'
name: 'High memory utilization'
event_name: 'High memory utilization (>{$MEMORY.UTIL.MAX}% for 5m)'
priority: AVERAGE
description: 'The system is running out of free memory.'
tags:
- tag: scope
value: capacity
- tag: scope
value: performance
- uuid: 08b70a5b80fd435ba393e3deb3ca5adb
name: 'Network interfaces WMI get'
key: 'wmi.getall[root\cimv2,"select Name,Description,NetConnectionID,Speed,AdapterTypeId,NetConnectionStatus,GUID from win32_networkadapter where PhysicalAdapter=True and NetConnectionStatus>0"]'
history: '0'
trends: '0'
value_type: TEXT
description: 'Raw data of win32_networkadapter.'
preprocessing:
- type: DISCARD_UNCHANGED_HEARTBEAT
parameters:
- 1h
tags:
- tag: component
value: raw
- uuid: bc9997be31674068a93eeeb995227914
name: OS
key: 'wmi.get["root\cimv2","SELECT Caption from Win32_OperatingSystem"]'
trends: '0'
value_type: TEXT
inventory_link: OS
- uuid: 0de4efc299a642d490b2c6f3ace63990
name: Vendor
key: 'wmi.get["root\cimv2","SELECT manufacturer FROM Win32_BIOS"]'
trends: '0'
value_type: TEXT
inventory_link: VENDOR
- uuid: 8b539e415a314abdba68731940d9df91
name: 'Serial Numner'
key: 'wmi.get["root\cimv2","SELECT serialnumber FROM Win32_BIOS"]'
trends: '0'
value_type: TEXT
inventory_link: SERIALNO_A
- uuid: 83c8c6f15b524a2fb04fc90d04d3e8a2
name: 'Number of cores'
key: 'wmi.get[root/cimv2,"Select NumberOfLogicalProcessors from Win32_ComputerSystem"]'
history: 7d
description: 'The number of logical processors available on the computer.'
tags:
- tag: component
value: cpu
- uuid: 3dcb0f79342b4ded97cdec0794472266
name: 'Zabbix agent availability'
type: INTERNAL
key: 'zabbix[host,agent,available]'
history: 7d
description: 'Monitoring agent availability status'
valuemap:
name: zabbix.host.available
tags:
- tag: component
value: system
triggers:
- uuid: 05beb4500cae480892fad0739f99807d
expression: 'max(/Windows by Zabbix agent/zabbix[host,agent,available],{$AGENT.TIMEOUT})=0'
name: 'Zabbix agent is not available'
event_name: 'Zabbix agent is not available (for {$AGENT.TIMEOUT})'
priority: AVERAGE
description: 'For passive only agents, host availability is used with {$AGENT.TIMEOUT} as time threshold.'
manual_close: 'YES'
tags:
- tag: scope
value: availability
discovery_rules:
- uuid: ba19d6566fdb4a668d4363769d1fee01
name: 'Network interfaces discovery'
type: DEPENDENT
key: net.if.discovery
delay: '0'
filter:
evaltype: AND
conditions:
- macro: '{#IFALIAS}'
value: '{$NET.IF.IFALIAS.MATCHES}'
formulaid: A
- macro: '{#IFALIAS}'
value: '{$NET.IF.IFALIAS.NOT_MATCHES}'
operator: NOT_MATCHES_REGEX
formulaid: B
- macro: '{#IFDESCR}'
value: '{$NET.IF.IFDESCR.MATCHES}'
formulaid: C
- macro: '{#IFDESCR}'
value: '{$NET.IF.IFDESCR.NOT_MATCHES}'
operator: NOT_MATCHES_REGEX
formulaid: D
- macro: '{#IFNAME}'
value: '{$NET.IF.IFNAME.MATCHES}'
formulaid: E
- macro: '{#IFNAME}'
value: '{$NET.IF.IFNAME.NOT_MATCHES}'
operator: NOT_MATCHES_REGEX
formulaid: F
description: 'Discovery of installed network interfaces.'
item_prototypes:
- uuid: 8a7bb1e8afd24d32a65fa2116ba439ce
name: 'Interface {#IFNAME}({#IFALIAS}): Inbound packets discarded'
key: 'net.if.in["{#IFGUID}",dropped]'
delay: 3m
history: 2d
trends: 5d
description: 'The number of incoming packets dropped on the network interface.'
preprocessing:
- type: CHANGE_PER_SECOND
parameters:
- ''
tags:
- tag: component
value: network
- tag: description
value: '{#IFALIAS}'
- tag: interface
value: '{#IFNAME}'
- uuid: 6e1f3dfb91024095a20870ee94d01822
name: 'Interface {#IFNAME}({#IFALIAS}): Inbound packets with errors'
key: 'net.if.in["{#IFGUID}",errors]'
delay: 3m
history: 2d
trends: 5d
description: 'The number of incoming packets with errors on the network interface.'
preprocessing:
- type: CHANGE_PER_SECOND
parameters:
- ''
tags:
- tag: component
value: network
- tag: description
value: '{#IFALIAS}'
- tag: interface
value: '{#IFNAME}'
- uuid: 82accc942f5747a2b399484466625051
name: 'Interface {#IFNAME}({#IFALIAS}): Bits received'
key: 'net.if.in["{#IFGUID}"]'
delay: 3m
history: 2d
trends: 5d
units: bps
description: 'Incoming traffic on the network interface.'
preprocessing:
- type: CHANGE_PER_SECOND
parameters:
- ''
- type: MULTIPLIER
parameters:
- '8'
tags:
- tag: component
value: network
- tag: description
value: '{#IFALIAS}'
- tag: interface
value: '{#IFNAME}'
- uuid: 9ddb9aaf863a45c0affbd90e4a6fa393
name: 'Interface {#IFNAME}({#IFALIAS}): Outbound packets discarded'
key: 'net.if.out["{#IFGUID}",dropped]'
delay: 3m
history: 2d
trends: 5d
description: 'The number of outgoing packets dropped on the network interface.'
preprocessing:
- type: CHANGE_PER_SECOND
parameters:
- ''
tags:
- tag: component
value: network
- tag: description
value: '{#IFALIAS}'
- tag: interface
value: '{#IFNAME}'
- uuid: 38c8a1aa95b343e39e23e7b508521dad
name: 'Interface {#IFNAME}({#IFALIAS}): Outbound packets with errors'
key: 'net.if.out["{#IFGUID}",errors]'
delay: 3m
history: 2d
trends: 5d
description: 'The number of outgoing packets with errors on the network interface.'
preprocessing:
- type: CHANGE_PER_SECOND
parameters:
- ''
tags:
- tag: component
value: network
- tag: description
value: '{#IFALIAS}'
- tag: interface
value: '{#IFNAME}'
- uuid: 3b090da19af842189bb6fa56d49ceec3
name: 'Interface {#IFNAME}({#IFALIAS}): Bits sent'
key: 'net.if.out["{#IFGUID}"]'
delay: 3m
history: 2d
trends: 5d
units: bps
description: 'Outgoing traffic on the network interface.'
preprocessing:
- type: CHANGE_PER_SECOND
parameters:
- ''
- type: MULTIPLIER
parameters:
- '8'
tags:
- tag: component
value: network
- tag: description
value: '{#IFALIAS}'
- tag: interface
value: '{#IFNAME}'
# Item prototype: link speed, derived from the shared wmi.getall master item
# (type DEPENDENT, delay 0: it is not polled on its own schedule).
# The trigger prototypes that use this item all test speed > 0, so a stored 0
# means "speed unknown" and silences those checks for the interface.
- uuid: 0445b842d1ce4c7f9fd5716c78a079c4
name: 'Interface {#IFNAME}({#IFALIAS}): Speed'
type: DEPENDENT
key: 'net.if.speed["{#IFGUID}"]'
delay: '0'
history: 2d
trends: '0'
units: bps
description: 'Estimated bandwidth of the network interface if any.'
preprocessing:
# Pick the Speed field of the adapter whose GUID matches this item.
# If the step fails, the error handler stores 0 instead of marking the item unsupported.
- type: JSONPATH
parameters:
- '$[?(@.GUID == "{#IFGUID}")].Speed.first()'
error_handler: CUSTOM_VALUE
error_handler_params: '0'
# 9223372036854775807 is 2^63-1; it is mapped to 0 here (presumably the value the
# adapter reports when it has no real speed - confirm).
# The comparison is against a quoted string: as a JavaScript number this value is
# above Number.MAX_SAFE_INTEGER and could not be compared exactly.
- type: JAVASCRIPT
parameters:
- 'return (value==''9223372036854775807'' ? 0 : value)'
# Store a value only when it changes, or once per hour if it does not.
- type: DISCARD_UNCHANGED_HEARTBEAT
parameters:
- 1h
master_item:
key: 'wmi.getall[root\cimv2,"select Name,Description,NetConnectionID,Speed,AdapterTypeId,NetConnectionStatus,GUID from win32_networkadapter where PhysicalAdapter=True and NetConnectionStatus>0"]'
tags:
- tag: component
value: network
- tag: description
value: '{#IFALIAS}'
- tag: interface
value: '{#IFNAME}'
# Item prototype: operational status of the adapter, derived from the shared
# wmi.getall master item and displayed through the NetConnectionStatus value map.
# It carries the "Link down" trigger prototype that other triggers depend on.
- uuid: c495bffb7e244e5caf5dc013d839b758
name: 'Interface {#IFNAME}({#IFALIAS}): Operational status'
type: DEPENDENT
key: 'net.if.status["{#IFGUID}"]'
delay: '0'
history: 2d
trends: '0'
description: 'The operational status of the network interface.'
valuemap:
name: 'Win32_NetworkAdapter::NetConnectionStatus'
preprocessing:
# NOTE(review): the master query only returns adapters with NetConnectionStatus>0,
# and this step has no error_handler (the Speed item sets one). Confirm how an
# adapter that drops out of the query result is surfaced, since "Link down"
# relies on this item receiving a value.
- type: JSONPATH
parameters:
- '$[?(@.GUID == "{#IFGUID}")].NetConnectionStatus.first()'
# Store a value only when it changes, or once per day if it does not.
- type: DISCARD_UNCHANGED_HEARTBEAT
parameters:
- 1d
master_item:
key: 'wmi.getall[root\cimv2,"select Name,Description,NetConnectionID,Speed,AdapterTypeId,NetConnectionStatus,GUID from win32_networkadapter where PhysicalAdapter=True and NetConnectionStatus>0"]'
tags:
- tag: component
value: network
- tag: description
value: '{#IFALIAS}'
- tag: interface
value: '{#IFNAME}'
trigger_prototypes:
# Link down: fires when {$IFCONTROL} is 1 for this interface, the latest status is
# not 2, and the two most recent stored values differ. It recovers when the status
# is 2 again or {$IFCONTROL} is set to 0.
- uuid: a9b1c61ac4a6481aab93d40c6fb93462
expression: '{$IFCONTROL:"{#IFNAME}"}=1 and last(/Windows by Zabbix agent/net.if.status["{#IFGUID}"])<>2 and (last(/Windows by Zabbix agent/net.if.status["{#IFGUID}"],#1)<>last(/Windows by Zabbix agent/net.if.status["{#IFGUID}"],#2))'
recovery_mode: RECOVERY_EXPRESSION
recovery_expression: 'last(/Windows by Zabbix agent/net.if.status["{#IFGUID}"])=2 or {$IFCONTROL:"{#IFNAME}"}=0'
name: 'Interface {#IFNAME}({#IFALIAS}): Link down'
opdata: 'Current state: {ITEM.LASTVALUE1}'
priority: AVERAGE
# NOTE(review): the description still names a .diff() function; the expression above
# implements the change check as last(#1)<>last(#2). Because of that check, a problem
# closed by hand is not raised again while the status stays at the same value.
description: |
This trigger expression works as follows:
1. Can be triggered if operations status is down.
2. {$IFCONTROL:\"{#IFNAME}\"}=1 - user can redefine Context macro to value - 0. That marks this interface as not important.
No new trigger will be fired if this interface is down.
3. {TEMPLATE_NAME:METRIC.diff()}=1) - trigger fires only if operational status is different from Connected(2).
WARNING: if closed manually - won't fire again on next poll, because of .diff.
manual_close: 'YES'
tags:
- tag: scope
value: availability
# Item prototype: adapter type, derived from the shared wmi.getall master item and
# displayed through the AdapterTypeId value map.
# The JSONPATH step selects AdapterTypeId for the adapter whose GUID matches; the
# heartbeat step stores a value only on change, or once per day if unchanged.
- uuid: 11ce3d38745a49f58f713fcef1a913c5
name: 'Interface {#IFNAME}({#IFALIAS}): Interface type'
type: DEPENDENT
key: 'net.if.type["{#IFGUID}"]'
delay: '0'
history: 2d
trends: '0'
description: 'The type of the network interface.'
valuemap:
name: 'Win32_NetworkAdapter::AdapterTypeId'
preprocessing:
- type: JSONPATH
parameters:
- '$[?(@.GUID == "{#IFGUID}")].AdapterTypeId.first()'
- type: DISCARD_UNCHANGED_HEARTBEAT
parameters:
- 1d
master_item:
key: 'wmi.getall[root\cimv2,"select Name,Description,NetConnectionID,Speed,AdapterTypeId,NetConnectionStatus,GUID from win32_networkadapter where PhysicalAdapter=True and NetConnectionStatus>0"]'
tags:
- tag: component
value: network
- tag: description
value: '{#IFALIAS}'
- tag: interface
value: '{#IFNAME}'
trigger_prototypes:
# Trigger prototype (INFO): fires when the reported speed is lower than the previous
# value, is still above 0, and the link status equals 2.
# The >0 test excludes the 0 that the Speed item stores when the speed is unknown
# or could not be read.
# No recovery expression is set; manual_close is YES and the description asks for an
# acknowledgement to close.
# The dependency identifies the "Link down" trigger by repeating its name, expression
# and recovery expression, so the three strings must stay identical to that trigger.
- uuid: b2191521a7a54985a19740e3ee2674f2
expression: |
change(/Windows by Zabbix agent/net.if.speed["{#IFGUID}"])<0 and
last(/Windows by Zabbix agent/net.if.speed["{#IFGUID}"])>0 and
last(/Windows by Zabbix agent/net.if.status["{#IFGUID}"])=2
name: 'Interface {#IFNAME}({#IFALIAS}): Ethernet has changed to lower speed than it was before'
opdata: 'Current reported speed: {ITEM.LASTVALUE1}'
priority: INFO
description: 'This Ethernet connection has transitioned down from its known maximum speed. This might be a sign of autonegotiation issues. Ack to close.'
manual_close: 'YES'
dependencies:
- name: 'Interface {#IFNAME}({#IFALIAS}): Link down'
expression: '{$IFCONTROL:"{#IFNAME}"}=1 and last(/Windows by Zabbix agent/net.if.status["{#IFGUID}"])<>2 and (last(/Windows by Zabbix agent/net.if.status["{#IFGUID}"],#1)<>last(/Windows by Zabbix agent/net.if.status["{#IFGUID}"],#2))'
recovery_expression: 'last(/Windows by Zabbix agent/net.if.status["{#IFGUID}"])=2 or {$IFCONTROL:"{#IFNAME}"}=0'
tags:
- tag: scope
value: capacity
# Trigger prototype (WARNING): the 15-minute average inbound or outbound rate exceeds
# {$IF.UTIL.MAX} percent of the last reported speed. It is evaluated only when the
# speed is above 0, so interfaces whose speed is stored as 0 never raise this problem.
# Recovery requires both directions to fall below ({$IF.UTIL.MAX} - 3) percent; the
# 3-point gap keeps the problem from flapping around the threshold.
# opdata numbering follows first appearance in the expression:
# LASTVALUE1 = net.if.in, LASTVALUE2 = net.if.speed, LASTVALUE3 = net.if.out.
# The dependency identifies the "Link down" trigger by repeating its name, expression
# and recovery expression.
- uuid: c93048183c3942808c60d6dd61963bc0
expression: |
(avg(/Windows by Zabbix agent/net.if.in["{#IFGUID}"],15m)>({$IF.UTIL.MAX:"{#IFNAME}"}/100)*last(/Windows by Zabbix agent/net.if.speed["{#IFGUID}"]) or
avg(/Windows by Zabbix agent/net.if.out["{#IFGUID}"],15m)>({$IF.UTIL.MAX:"{#IFNAME}"}/100)*last(/Windows by Zabbix agent/net.if.speed["{#IFGUID}"])) and
last(/Windows by Zabbix agent/net.if.speed["{#IFGUID}"])>0
recovery_mode: RECOVERY_EXPRESSION
recovery_expression: |
avg(/Windows by Zabbix agent/net.if.in["{#IFGUID}"],15m)<(({$IF.UTIL.MAX:"{#IFNAME}"}-3)/100)*last(/Windows by Zabbix agent/net.if.speed["{#IFGUID}"]) and
avg(/Windows by Zabbix agent/net.if.out["{#IFGUID}"],15m)<(({$IF.UTIL.MAX:"{#IFNAME}"}-3)/100)*last(/Windows by Zabbix agent/net.if.speed["{#IFGUID}"])
name: 'Interface {#IFNAME}({#IFALIAS}): High bandwidth usage'
event_name: 'Interface {#IFNAME}({#IFALIAS}): High bandwidth usage (>{$IF.UTIL.MAX:"{#IFNAME}"}%)'
opdata: 'In: {ITEM.LASTVALUE1}, out: {ITEM.LASTVALUE3}, speed: {ITEM.LASTVALUE2}'
priority: WARNING
description: 'The network interface utilization is close to its estimated maximum bandwidth.'
manual_close: 'YES'
dependencies:
- name: 'Interface {#IFNAME}({#IFALIAS}): Link down'
expression: '{$IFCONTROL:"{#IFNAME}"}=1 and last(/Windows by Zabbix agent/net.if.status["{#IFGUID}"])<>2 and (last(/Windows by Zabbix agent/net.if.status["{#IFGUID}"],#1)<>last(/Windows by Zabbix agent/net.if.status["{#IFGUID}"],#2))'
recovery_expression: 'last(/Windows by Zabbix agent/net.if.status["{#IFGUID}"])=2 or {$IFCONTROL:"{#IFNAME}"}=0'
tags:
- tag: scope
value: performance
- uuid: a4fa6e161bb64b98b25b1a2a501a83f4
expression: |
min(/Windows by Zabbix agent/net.if.in["{#IFGUID}",errors],5m)>{$IF.ERRORS.WARN:"{#IFNAME}"}
or min(/Windows by Zabbix agent/net.if.out["{#IFGUID}",errors],5m)>{$IF.ERRORS.WARN:"{#IFNAME}"}
recovery_mode: RECOVERY_EXPRESSION
recovery_expression: |
max(/Windows by Zabbix agent/net.if.in["{#IFGUID}",errors],5m)<{$IF.ERRORS.WARN:"{#IFNAME}"}*0.8
and max(/Windows by Zabbix agent/net.if.out["{#IFGUID}",errors],5m)<{$IF.ERRORS.WARN:"{#IFNAME}"}*0.8
name: 'Interface {#IFNAME}({#IFALIAS}): High error rate'
event_name: 'Interface {#IFNAME}({#IFALIAS}): High error rate (>{$IF.ERRORS.WARN:"{#IFNAME}"} for 5m)'
opdata: 'errors in: {ITEM.LASTVALUE1}, errors out: {ITEM.LASTVALUE2}'
priority: WARNING
description: 'Recovers when below 80% of {$IF.ERRORS.WARN:"{#IFNAME}"} threshold'
manual_close: 'YES'
dependencies:
- name: 'Interface {#IFNAME}({#IFALIAS}): Link down'