2 Windows Zabbix agent

Overview

The Windows Zabbix agent items are presented in two lists:

• Shared items - the item keys that are shared with the UNIX Zabbix agent;
• Windows-specific items - the item keys that are supported only on Windows.

Note that all item keys supported by Zabbix agent on Windows are also supported by the new generation Zabbix agent 2. See the additional item keys that you can use with the agent 2 only.

See also: Minimum permissions for Windows items

Shared items

The table below lists Zabbix agent items that are supported on Windows and are shared with the UNIX Zabbix agent:

• The item key is a link to full details of the UNIX Zabbix agent item
• Windows-relevant item comments are included

Windows-specific items

The table provides details on the item keys that are supported only by the Windows Zabbix agent.

Windows-specific items sometimes are an approximate counterpart of a similar agent item, for example proc_info, supported on Windows, roughly corresponds to the proc.mem item, not supported on Windows.

The item key is a link to full item key details.

Item key details

Parameters without angle brackets are mandatory. Parameters marked with angle brackets < > are optional.

eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>]

The event log monitoring.
Return value: Log.

Parameters:

• name - the name of the event log;
  
• regexp - a regular expression describing the required pattern (case sensitive);
  
• severity - a regular expression describing severity (case insensitive). This parameter accepts a regular expression based on the following values: "Information", "Warning", "Error", "Critical", "Verbose" (running on Windows Vista or newer).
  
• source - a regular expression describing the source identifier (case insensitive);
  
• eventid - a regular expression describing the event identifier(s) (case sensitive);
  
• maxlines - the maximum number of new lines per second the agent will send to Zabbix server or proxy. This parameter overrides the value of 'MaxLinesPerSecond' in zabbix_agentd.conf.
  
• mode - possible values: all (default) or skip - skip the processing of older data (affects only newly created items).

Comments:

• The item must be configured as an active check;
• The agent is unable to send in events from the "Forwarded events" log;
• Windows Eventing 6.0 is supported;
• Selecting a non-Log type of information for this item will lead to the loss of local timestamp, as well as log severity and source information;
• See also additional information on log monitoring.

Examples:

eventlog[Application]
       eventlog[Security,,"Failure Audit",,^(529|680)$]
       eventlog[System,,"Warning|Error"]
       eventlog[System,,,,^1$]
       eventlog[System,,,,@TWOSHORT] #here a custom regular expression named `TWOSHORT` is referenced (defined as a *Result is TRUE* type, the expression itself being `^1$|^70$`).

eventlog.count[name,<regexp>,<severity>,<source>,<eventid>,<maxproclines>,<mode>]

The count of lines in the Windows event log.
Return value: Integer.

Parameters:

• name - the name of the event log;
  
• regexp - a regular expression describing the required pattern (case sensitive);
  
• severity - a regular expression describing severity (case insensitive). This parameter accepts a regular expression based on the following values: "Information", "Warning", "Error", "Critical", "Verbose" (running on Windows Vista or newer).
  
• source - a regular expression describing the source identifier (case insensitive);
  
• eventid - a regular expression describing the event identifier(s) (case sensitive);
  
• maxproclines - the maximum number of new lines per second the agent will analyze (cannot exceed 10000). The default value is 10*'MaxLinesPerSecond' in zabbix_agentd.conf.
  
• mode - possible values: all (default) or skip - skip the processing of older data (affects only newly created items).

Comments:

• The item must be configured as an active check;
• The agent is unable to send in events from the "Forwarded events" log;
• Windows Eventing 6.0 is supported;
• Selecting a non-Log type of information for this item will lead to the loss of local timestamp, as well as log severity and source information;
• See also additional information on log monitoring.

Example:

eventlog.count[System,,"Warning|Error"]    

net.if.list

The network interface list (includes interface type, status, IPv4 address, description).
Return value: Text.

Comments:

• Multi-byte interface names supported;
• Disabled interfaces are not listed;
• Enabling/disabling some components may change their ordering in the Windows interface name;
• Some Windows versions (for example, Server 2008) might require the latest updates installed to support non-ASCII characters in interface names.

perf_counter[counter,<interval>]

The value of any Windows performance counter.
Return value: Integer, float, string or text (depending on the request).

Parameters:

• counter - the path to the counter;
  
• interval - the last N seconds for storing the average value. The interval must be between 1 and 900 seconds (included) and the default value is 1.

Comments:

• interval is used for counters that require more than one sample (like CPU utilization), so the check returns an average value for last "interval" seconds every time;
• Performance Monitor can be used to obtain the list of available counters.
• See also: Windows performance counters.

perf_counter_en[counter,<interval>]

The value of any Windows performance counter in English.
Return value: Integer, float, string or text (depending on the request).

Parameters:

• counter - the path to the counter in English;
  
• interval - the last N seconds for storing the average value. The interval must be between 1 and 900 seconds (included) and the default value is 1.

Comments:

• interval is used for counters that require more than one sample (like CPU utilization), so the check returns an average value for last "interval" seconds every time;
• This item is only supported on Windows Server 2008/Vista and above;
• You can find the list of English strings by viewing the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009.

perf_instance.discovery[object]

The list of object instances of Windows performance counters. Used for low-level discovery.
Return value: JSON object.

Parameter:

• object - the object name (localized).

perf_instance_en.discovery[object]

The list of object instances of Windows performance counters, discovered using the object names in English. Used for low-level discovery.
Return value: JSON object.

Parameter:

• object - the object name (in English).

proc_info[process,<attribute>,<type>]

Various information about specific process(es).
Return value: Float.

Parameters:

• process - the process name;
  
• attribute - the requested process attribute;
  
• type - the representation type (meaningful when more than one process with the same name exists)

Comments:

• The following attributes are supported:
  vmsize (default) - size of process virtual memory in Kbytes
  wkset - size of process working set (amount of physical memory used by process) in Kbytes
  pf - number of page faults
  ktime - process kernel time in milliseconds
  utime - process user time in milliseconds
  io_read_b - number of bytes read by process during I/O operations
  io_read_op - number of read operation performed by process
  io_write_b - number of bytes written by process during I/O operations
  io_write_op - number of write operation performed by process
  io_other_b - number of bytes transferred by process during operations other than read and write operations
  io_other_op - number of I/O operations performed by process, other than read and write operations
  gdiobj - number of GDI objects used by process
  userobj - number of USER objects used by process;
  
• Valid types are:
  avg (default) - average value for all processes named <process>
  min - minimum value among all processes named <process>
  max - maximum value among all processes named <process>
  sum - sum of values for all processes named <process>;
• On a 64-bit system, a 64-bit Zabbix agent is required for this item to work correctly.
  

Examples:

proc_info[iexplore.exe,wkset,sum] #retrieve the amount of physical memory taken by all Internet Explorer processes
       proc_info[iexplore.exe,pf,avg] #retrieve the average number of page faults for Internet Explorer processes

registry.data[key,<value name>]

Return data for the specified value name in the Windows Registry key.
Return value: Integer, string or text (depending on the value type)

Parameters:

• key - the registry key including the root key; root abbreviations (e.g. HKLM) are allowed;
• value name - the registry value name in the key (empty string "" by default). The default value is returned if the value name is not supplied.

Comments:

• Supported root abbreviations:
  HKCR - HKEY_CLASSES_ROOT
  HKCC - HKEY_CURRENT_CONFIG
  HKCU - HKEY_CURRENT_USER
  HKCULS - HKEY_CURRENT_USER_LOCAL_SETTINGS
  HKLM - HKEY_LOCAL_MACHINE
  HKPD - HKEY_PERFORMANCE_DATA
  HKPN - HKEY_PERFORMANCE_NLSTEXT
  HKPT - HKEY_PERFORMANCE_TEXT
  HKU - HKEY_USERS
  
• Keys with spaces must be double-quoted.

Examples:

registry.data["HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting"] #return the data of the default value of this key
       registry.data["HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting","EnableZip"] #return the data of the value named "Enable Zip" in this key

registry.get[key,<mode>,<name regexp>]

The list of Windows Registry values or keys located at given key.
Return value: JSON object.

Parameters:

• key - the registry key including the root key; root abbreviations (e.g. HKLM) are allowed (see comments for registry.data[] to see full list of abbreviations);
  
• mode - possible values:
  values (default) or keys;
  
• name regexp - only discover values with names that match the regexp (default - discover all values). Allowed only with values as mode.

Keys with spaces must be double-quoted.

Examples:

registry.get[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,values,"^DisplayName|DisplayVersion$"] #return the data of the values named "DisplayName" or "DisplayValue" in this key. The JSON will include details of the key, last subkey, value name, value type and value data.
       registry.get[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,values] #return the data of the all values in this key. The JSON will include details of the key, last subkey, value name, value type and value data.
       registry.get[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,keys] #return all subkeys of this key. The JSON will include details of the key and last subkey.

service.discovery

The list of Windows services. Used for low-level discovery.
Return value: JSON object.

service.info[service,<param>]

Information about a service.
Return value: Integer - with param as state, startup; String - with param as displayname, path, user; Text - with param as description
Specifically for state: 0 - running, 1 - paused, 2 - start pending, 3 - pause pending, 4 - continue pending, 5 - stop pending, 6 - stopped, 7 - unknown, 255 - no such service
Specifically for startup: 0 - automatic, 1 - automatic delayed, 2 - manual, 3 - disabled, 4 - unknown, 5 - automatic trigger start, 6 - automatic delayed trigger start, 7 - manual trigger start

Parameters:

• service - a real service name or its display name as seen in the MMC Services snap-in;
• param - state (default), displayname, path, user, startup, or description.

Comments:

• Items like service.info[service,state] and service.info[service] will return the same information;
• Only with param as state this item returns a value for non-existing services (255).

Examples:

service.info[SNMPTRAP] - state of the SNMPTRAP service;
       service.info[SNMP Trap] - state of the same service, but with the display name specified;
       service.info[EventLog,startup] - the startup type of the EventLog service

services[<type>,<state>,<exclude>]

The listing of services.
Return value: 0 - if empty; Text - the list of services separated by a newline.

Parameters:

• type - all (default), automatic, manual, or disabled;
• state - all (default), stopped, started, start_pending, stop_pending, running, continue_pending, pause_pending, or paused;
• exclude - the services to exclude from the result. Excluded services should be listed in double quotes, separated by comma, without spaces.

Examples:

services[,started] #returns the list of started services;
       services[automatic, stopped] #returns the list of stopped services that should be running;
       services[automatic, stopped, "service1,service2,service3"] #returns the list of stopped services that should be running, excluding services named "service1", "service2" and "service3"

vm.vmemory.size[<type>]

The virtual memory size in bytes or in percentage from the total.
Return value: Integer - for bytes; float - for percentage.

Parameter:

• type - possible values: available (available virtual memory), pavailable (available virtual memory, in percent), pused (used virtual memory, in percent), total (total virtual memory, default), or used (used virtual memory)

Comments:

• The monitoring of virtual memory statistics is based on:
  
  • Total virtual memory on Windows (total physical + page file size);
    
  • The maximum amount of memory Zabbix agent can commit;
    
  • The current committed memory limit for the system or Zabbix agent, whichever is smaller.

Example:

vm.vmemory.size[pavailable] #return the available virtual memory, in percentage

wmi.get[<namespace>,<query>]

Execute a WMI query and return the first selected object.
Return value: Integer, float, string or text (depending on the request).

Parameters:

• namespace - the WMI namespace;
  
• query - the WMI query returning a single object.

WMI queries are performed with WQL.

Example:

wmi.get[root\cimv2,select status from Win32_DiskDrive where Name like '%PHYSICALDRIVE0%'] #returns the status of the first physical disk

wmi.getall[<namespace>,<query>]

Execute a WMI query and return the whole response. Can be used for low-level discovery.
Return value: JSON object

Parameters:

• namespace - the WMI namespace;
  
• query - the WMI query.

Comments:

• WMI queries are performed with WQL.
• JSONPath preprocessing can be used to point to more specific values in the returned JSON.

Example:

wmi.getall[root\cimv2,select * from Win32_DiskDrive where Name like '%PHYSICALDRIVE%'] #returns status information of physical disks

Monitoring Windows services

This tutorial provides step-by-step instructions for setting up the monitoring of Windows services. It is assumed that Zabbix server and agent are configured and operational.

Step 1

Get the service name.

You can get the service name by going to the MMC Services snap-in and bringing up the properties of the service. In the General tab you should see a field called "Service name". The value that follows is the name you will use when setting up an item for monitoring. For example, if you wanted to monitor the "workstation" service, then your service might be: lanmanworkstation.

Step 2

Configure an item for monitoring the service.

The item service.info[service,<param>] retrieves information about a particular service. Depending on the information you need, specify the param option which accepts the following values: displayname, state, path, user, startup or description. The default value is state if param is not specified (service.info[service]).

The type of return value depends on chosen param: integer for state and startup; character string for displayname, path and user; text for description.

Example:

• Key: service.info[lanmanworkstation]
• Type of information: Numeric (unsigned)

The item service.info[lanmanworkstation] will retrieve information about the state of the service as a numerical value. To map a numerical value to a text representation in the frontend ("0" as "Running", "1" as "Paused", etc.), you can configure value mapping on the host on which the item is configured. To do this, either link the template Windows services by Zabbix agent or Windows services by Zabbix agent active to the host, or configure on the host a new value map that is based on the Windows service state value map configured on the mentioned templates.

Note that both of the mentioned templates have a discovery rule configured that will discover services automatically. If you do not want this, you can disable the discovery rule on the host level once the template has been linked to the host.

Discovery of Windows services

Low-level discovery provides a way to automatically create items, triggers, and graphs for different entities on a computer. Zabbix can automatically start monitoring Windows services on your machine, without the need to know the exact name of a service or create items for each service manually. A filter can be used to generate real items, triggers, and graphs only for services of interest.