Zabbix windows service names for discovery

No data timeout for active agents. Consider to keep it relatively high.

Timeout after which agent is considered unavailable.

The critical threshold of the % Interrupt Time counter.

The threshold of the % Privileged Time counter.

The threshold of the Processor Queue Length counter.

The critical threshold of the CPU utilization in %.

—

—

—

The warning threshold of the Memory Pages/sec counter.

The warning threshold of the Free System Page Table Entries counter.

The warning threshold of the Memory util item.

This macro is used in Network interface discovery. Can be overridden on the host or linked template level.

This macro is used in Network interface discovery. Can be overridden on the host or linked template level.

This macro is used in Network interface discovery. Can be overridden on the host or linked template level.

This macro is used in Network interface discovery. Can be overridden on the host or linked template level.

This macro is used in Network interface discovery. Can be overridden on the host or linked template level.

This macro is used in Network interface discovery. Can be overridden on the host or linked template level.

This macro is used in Service discovery. Can be overridden on the host or linked template level.

This macro is used in Service discovery. Can be overridden on the host or linked template level.

This macro is used in Service discovery. Can be overridden on the host or linked template level.

This macro is used in Service discovery. Can be overridden on the host or linked template level.

The warning threshold of the minimum free swap.

The threshold for difference of system time in seconds.

This macro is used in physical disks discovery. Can be overridden on the host or linked template level.

This macro is used in physical disks discovery. Can be overridden on the host or linked template level.

Disk read average response time (in s) before the trigger would fire.

The warning threshold of disk time utilization in percent.

Disk write average response time (in s) before the trigger would fire.

The critical threshold of the filesystem utilization.

The warning threshold of the filesystem utilization.

This macro is used in filesystems discovery. Can be overridden on the host or linked template level.

This macro is used in filesystems discovery. Can be overridden on the host or linked template level.

This macro is used in filesystems discovery. Can be overridden on the host or linked template level.

This macro is used in filesystems discovery. Can be overridden on the host or linked template level.

This macro is used in filesystems discovery. Can be overridden on the host or linked template level.

This macro is used in filesystems discovery. Can be overridden on the host or linked template level.

The critical threshold of the filesystem utilization in percent.

The warning threshold of the filesystem utilization in percent.

Discovery of file systems of different types.

Filter:

AND

— {#FSTYPE} MATCHES_REGEX {$VFS.FS.FSTYPE.MATCHES}

— {#FSTYPE} NOT_MATCHES_REGEX {$VFS.FS.FSTYPE.NOT_MATCHES}

— {#FSNAME} MATCHES_REGEX {$VFS.FS.FSNAME.MATCHES}

— {#FSNAME} NOT_MATCHES_REGEX {$VFS.FS.FSNAME.NOT_MATCHES}

— {#FSDRIVETYPE} MATCHES_REGEX {$VFS.FS.FSDRIVETYPE.MATCHES}

— {#FSDRIVETYPE} NOT_MATCHES_REGEX {$VFS.FS.FSDRIVETYPE.NOT_MATCHES}

Discovery of installed network interfaces.

Preprocessing:

— JAVASCRIPT: The text is too long. Please see the template.

— DISCARD_UNCHANGED_HEARTBEAT: 1h

Filter:

AND

— {#IFNAME} MATCHES_REGEX {$NET.IF.IFNAME.MATCHES}

— {#IFNAME} NOT_MATCHES_REGEX {$NET.IF.IFNAME.NOT_MATCHES}

— {#IFDESCR} MATCHES_REGEX {$NET.IF.IFDESCR.MATCHES}

— {#IFDESCR} NOT_MATCHES_REGEX {$NET.IF.IFDESCR.NOT_MATCHES}

— {#IFALIAS} MATCHES_REGEX {$NET.IF.IFALIAS.MATCHES}

— {#IFALIAS} NOT_MATCHES_REGEX {$NET.IF.IFALIAS.NOT_MATCHES}

Discovery of installed physical disks.

Preprocessing:

— STR_REPLACE: {#INSTANCE} {#DEVNAME}

Filter:

AND

— {#DEVNAME} MATCHES_REGEX {$VFS.DEV.DEVNAME.MATCHES}

— {#DEVNAME} NOT_MATCHES_REGEX {$VFS.DEV.DEVNAME.NOT_MATCHES}

Discovery of Windows services of different types as defined in template’s macros.

Filter:

AND

— {#SERVICE.NAME} MATCHES_REGEX {$SERVICE.NAME.MATCHES}

— {#SERVICE.NAME} NOT_MATCHES_REGEX {$SERVICE.NAME.NOT_MATCHES}

— {#SERVICE.STARTUPNAME} MATCHES_REGEX {$SERVICE.STARTUPNAME.MATCHES}

— {#SERVICE.STARTUPNAME} NOT_MATCHES_REGEX {$SERVICE.STARTUPNAME.NOT_MATCHES}

The CPU utilization expressed in %.

The Processor Information% Interrupt Time is the time the processor spends receiving and servicing

hardware interrupts during sample intervals. This value is an indirect indicator of the activity of

devices that generate interrupts, such as the system clock, the mouse, disk drivers, data communication

lines, network interface cards and other peripheral devices. This is an easy way to identify a potential

hardware failure. This should never be higher than 20%.

Context Switches/sec is the combined rate at which all processors on the computer are switched from one thread to another.

Context switches occur when a running thread voluntarily relinquishes the processor, is preempted by a higher priority ready thread, or switches between user-mode and privileged (kernel) mode to use an Executive or subsystem service.

It is the sum of ThreadContext Switches/sec for all threads running on all processors in the computer and is measured in numbers of switches.

There are context switch counters on the System and Thread objects. This counter displays the difference between the values observed in the last two samples, divided by the duration of the sample interval.

The Processor Information% Privileged Time counter shows the percent of time that the processor is spent

executing in Kernel (or Privileged) mode. Privileged mode includes services interrupts inside Interrupt

Service Routines (ISRs), executing Deferred Procedure Calls (DPCs), Device Driver calls and other kernel-mode

functions of the Windows® Operating System.

Processor DPC time is the time that a single processor spent receiving and servicing deferred procedure

calls (DPCs). DPCs are interrupts that run at a lower priority than standard interrupts. % DPC Time is a

component of % Privileged Time because DPCs are executed in privileged mode. If a high % DPC Time is

sustained, there may be a processor bottleneck or an application or hardware related issue that can

significantly diminish overall system performance.

The Processor Information% User Time counter shows the percent of time that the processor(s) is spent executing

in User mode.

The number of logical processors available on the computer.

The Processor Queue Length shows the number of threads that are observed as delayed in the processor Ready Queue

and are waiting to be executed.

Used storage expressed in Bytes.

Preprocessing:

— JSONPATH: $.bytes.used

The total space expressed in Bytes.

Preprocessing:

— JSONPATH: $.bytes.total

Space utilization in % for {#FSNAME}

Preprocessing:

— JSONPATH: $.bytes.pused

The local system time of the host.

The host name of the system.

Preprocessing:

— DISCARD_UNCHANGED_HEARTBEAT: 1d

System description of the host.

Preprocessing:

— DISCARD_UNCHANGED_HEARTBEAT: 1d

The number of processes.

The number of threads used by all running processes.

—

Preprocessing:

— DISCARD_UNCHANGED_HEARTBEAT: 1d

The architecture of the operating system.

Preprocessing:

— DISCARD_UNCHANGED_HEARTBEAT: 1d

Used memory in Bytes.

The total memory expressed in Bytes.

Memory utilization in %.

Expression:

last(//vm.memory.size[used]) / last(//vm.memory.size[total]) * 100

Cache Bytes is the sum of the MemorySystem Cache Resident Bytes, MemorySystem Driver Resident Bytes,

MemorySystem Code Resident Bytes, and MemoryPool Paged Resident Bytes counters. This counter displays

the last observed value only; it is not an average.

The free space of the swap volume/file expressed in bytes.

Expression:

last(//system.swap.size[,total]) - last(//system.swap.size[,total]) / 100 * last(//perf_counter_en["Paging file(_Total)% Usage"])

The free space of the swap volume/file expressed in %.

Preprocessing:

— JAVASCRIPT: return (100 - value)

The used space of swap volume/file in percent.

The total space of the swap volume/file expressed in bytes.

This indicates the number of page table entries not currently in use by the system. If the number is less

than 5,000, there may well be a memory leak or you running out of memory.

Page Faults/sec is the average number of pages faulted per second. It is measured in number of pages

faulted per second because only one page is faulted in each fault operation, hence this is also equal

to the number of page fault operations. This counter includes both hard faults (those that require

disk access) and soft faults (where the faulted page is found elsewhere in physical memory.) Most

processors can handle large numbers of soft faults without significant consequence. However, hard faults,

which require disk access, can cause significant delays.

This measures the rate at which pages are read from or written to disk to resolve hard page faults.

If the value is greater than 1,000, as a result of excessive paging, there may be a memory leak.

This measures the size, in bytes, of the non-paged pool. This is an area of system memory for objects

that cannot be written to disk but instead must remain in physical memory as long as they are allocated.

There is a possible memory leak if the value is greater than 175MB (or 100MB with the /3GB switch).

A typical Event ID 2019 is recorded in the system event log.

—

Preprocessing:

— DISCARD_UNCHANGED_HEARTBEAT: 1d

—

Preprocessing:

— DISCARD_UNCHANGED_HEARTBEAT: 1d

Availability of active checks on the host. The value of this item corresponds to availability icons in the host list.

Possible value:

0 — unknown

1 — available

2 — not available

Incoming traffic on the network interface.

Preprocessing:

— CHANGE_PER_SECOND

— MULTIPLIER: 8

Outgoing traffic on the network interface.

Preprocessing:

— CHANGE_PER_SECOND

— MULTIPLIER: 8

The number of incoming packets dropped on the network interface.

Preprocessing:

— CHANGE_PER_SECOND

The number of outgoing packets dropped on the network interface.

Preprocessing:

— CHANGE_PER_SECOND

The number of incoming packets with errors on the network interface.

Preprocessing:

— CHANGE_PER_SECOND

The number of outgoing packets with errors on the network interface.

Preprocessing:

— CHANGE_PER_SECOND

Estimated bandwidth of the network interface if any.

Preprocessing:

— JSONPATH: $[?(@.GUID == "{#IFGUID}")].Speed.first()

⛔️ON_FAIL: CUSTOM_VALUE -> 0

— JAVASCRIPT: return (value=='9223372036854775807' ? 0 : value)

— DISCARD_UNCHANGED_HEARTBEAT: 1h

The type of the network interface.

Preprocessing:

— JSONPATH: $[?(@.GUID == "{#IFGUID}")].AdapterTypeId.first()

— DISCARD_UNCHANGED_HEARTBEAT: 1d

The operational status of the network interface.

Preprocessing:

— JSONPATH: $[?(@.GUID == "{#IFGUID}")].NetConnectionStatus.first()

— DISCARD_UNCHANGED_HEARTBEAT: 1d

—

The system uptime expressed in the following format:»N days, hh:mm:ss».

The agent always returns 1 for this item. It could be used in combination with nodata() for availability check.

Rate of read operations on the disk.

Rate of write operations on the disk.

The current average disk queue; the number of requests outstanding on the disk while the performance data is being collected.

This item is the percentage of elapsed time that the selected disk drive was busy servicing read or writes requests based on idle time.

Preprocessing:

— JAVASCRIPT: return (100 - value)

The average time for read requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them.

The average time for write requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them.

Average disk read queue, the number of requests outstanding on the disk at the time the performance data is collected.

Average disk write queue, the number of requests outstanding on the disk at the time the performance data is collected.

The vfs.fs.get key acquires raw information set about the file systems. Later to be extracted by preprocessing in dependent items.

Raw data of win32_networkadapter.

Preprocessing:

— DISCARD_UNCHANGED_HEARTBEAT: 1h

—

Preprocessing:

— JSONPATH: $.[?(@.fsname=='{#FSNAME}')].first()

The CPU utilization is too high. The system might be slow to respond.

«The CPU Interrupt Time in the last 5 minutes exceeds {$CPU.INTERRUPT.CRIT.MAX}%.»

The Processor Information% Interrupt Time is the time the processor spends receiving and servicing

hardware interrupts during sample intervals. This value is an indirect indicator of the activity of

devices that generate interrupts, such as the system clock, the mouse, disk drivers, data communication

lines, network interface cards and other peripheral devices. This is an easy way to identify a potential

hardware failure. This should never be higher than 20%.

Depends on:

— High CPU utilization

The CPU privileged time in the last 5 minutes exceeds {$CPU.PRIV.CRIT.MAX}%.

Depends on:

— CPU interrupt time is too high

— High CPU utilization

The CPU Queue Length in the last 5 minutes exceeds {$CPU.QUEUE.CRIT.MAX}. According to actual observations, PQL should not exceed the number of cores * 2. To fine-tune the conditions, use the macro {$CPU.QUEUE.CRIT.MAX }.

Depends on:

— High CPU utilization

Two conditions should match: First, space utilization should be above {$VFS.FS.PUSED.MAX.CRIT:»{#FSNAME}»}.

Second condition should be one of the following:

— The disk free space is less than {$VFS.FS.FREE.MIN.CRIT:»{#FSNAME}»}.

— The disk will be full in less than 24 hours.

Manual close: YES

Two conditions should match: First, space utilization should be above {$VFS.FS.PUSED.MAX.WARN:»{#FSNAME}»}.

Second condition should be one of the following:

— The disk free space is less than {$VFS.FS.FREE.MIN.WARN:»{#FSNAME}»}.

— The disk will be full in less than 24 hours.

Manual close: YES

Depends on:

— {#FSLABEL}({#FSNAME}): Disk space is critically low

The host system time is different from the Zabbix server time.

Manual close: YES

System name has changed. Ack to close.

Manual close: YES

The description of the operating system has changed. Possible reasons are that the system has been updated or replaced. Ack to close the problem manually.

Manual close: YES

Depends on:

— System name has changed

The system is running out of free memory.

This trigger is ignored, if there is no swap configured

Depends on:

— High memory utilization

The Memory Free System Page Table Entries is less than {$MEM.PAGE_TABLE_CRIT.MIN} for 5 minutes. If the number is less than 5,000, there may well be a memory leak.

Depends on:

— High memory utilization

The Memory Pages/sec in the last 5 minutes exceeds {$MEM.PAGE_SEC.CRIT.MAX}. If the value is greater than 1,000, as a result of excessive paging, there may be a memory leak.

Depends on:

— High memory utilization

Active checks are considered unavailable. Agent is not sending heartbeat for prolonged time.

The network interface utilization is close to its estimated maximum bandwidth.

Recovery expression:

avg(/Windows by Zabbix agent active/net.if.in["{#IFGUID}"],15m)<(({$IF.UTIL.MAX:"{#IFNAME}"}-3)/100)*last(/Windows by Zabbix agent active/net.if.speed["{#IFGUID}"]) and avg(/Windows by Zabbix agent active/net.if.out["{#IFGUID}"],15m)<(({$IF.UTIL.MAX:"{#IFNAME}"}-3)/100)*last(/Windows by Zabbix agent active/net.if.speed["{#IFGUID}"])

Manual close: YES

Depends on:

— Interface {#IFNAME}({#IFALIAS}): Link down

Recovers when below 80% of {$IF.ERRORS.WARN:»{#IFNAME}»} threshold

Recovery expression:

max(/Windows by Zabbix agent active/net.if.in["{#IFGUID}",errors],5m)<{$IF.ERRORS.WARN:"{#IFNAME}"}*0.8 and max(/Windows by Zabbix agent active/net.if.out["{#IFGUID}",errors],5m)<{$IF.ERRORS.WARN:"{#IFNAME}"}*0.8

Manual close: YES

Depends on:

— Interface {#IFNAME}({#IFALIAS}): Link down

This Ethernet connection has transitioned down from its known maximum speed. This might be a sign of autonegotiation issues. Ack to close.

Manual close: YES

Depends on:

— Interface {#IFNAME}({#IFALIAS}): Link down

This trigger expression works as follows:

1. Can be triggered if operations status is down.

2. {$IFCONTROL:»{#IFNAME}»}=1 — user can redefine Context macro to value — 0. That marks this interface as not important.

No new trigger will be fired if this interface is down.

3. {TEMPLATE_NAME:METRIC.diff()}=1) — trigger fires only if operational status is different from Connected(2).

WARNING: if closed manually — won’t fire again on next poll, because of .diff.

Recovery expression:

last(/Windows by Zabbix agent active/net.if.status["{#IFGUID}"])=2 or {$IFCONTROL:"{#IFNAME}"}=0

Manual close: YES

The service has a state other than «Running» for the last three times.

The device uptime is less than 10 minutes.

Manual close: YES

For active agents, nodata() with agent.ping is used with {$AGENT.NODATA_TIMEOUT} as time threshold.

Manual close: YES

The disk appears to be under heavy load

Manual close: YES

Depends on:

— {#DEVNAME}: Disk read request responses are too high

— {#DEVNAME}: Disk write request responses are too high

This trigger might indicate disk {#DEVNAME} saturation.

Manual close: YES

This trigger might indicate disk {#DEVNAME} saturation.

Manual close: YES