Windows Zabbix agent

• - the item keys that are shared with the UNIX Zabbix agent;
• Windows-specific items - the item keys that are supported only on Windows.

Note that all item keys supported by Zabbix agent on Windows are also supported by the new generation Zabbix agent 2. See the that you can use with the agent 2 only.

See also: Minimum permissions for Windows items

Shared items

The table below lists Zabbix agent items that are supported on Windows and are shared with the UNIX Zabbix agent:

• The item key is a link to full details of the UNIX Zabbix agent item
• Windows-relevant item comments are included

The table provides details on the item keys that are supported only by the Windows Zabbix agent.

Windows-specific items sometimes are an approximate counterpart of a similar agent item, for example proc_info, supported on Windows, roughly corresponds to the proc.mem item, not supported on Windows.

The item key is a link to full item key details.

Item key details

Parameters without angle brackets are mandatory. Parameters marked with angle brackets < > are optional.

eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>]

The event log monitoring.
Return value: Log.

Parameters:

• name - the name of the event log;

• regexp - a regular expression describing the required pattern (case sensitive);

• severity - a regular expression describing severity (case insensitive). This parameter accepts the following values: “Information”, “Warning”, “Error”, “Critical”, “Verbose” (running on Windows Vista or newer).

• source - a regular expression describing the source identifier (case insensitive);

• eventid - a regular expression describing the event identifier(s) (case sensitive);

• maxlines - the maximum number of new lines per second the agent will send to Zabbix server or proxy. This parameter overrides the value of ‘MaxLinesPerSecond’ in .

Comments:

• The item must be configured as an active check;
• The agent is unable to send in events from the “Forwarded events” log;
• Windows Eventing 6.0 is supported;
• Selecting a non-Log for this item will lead to the loss of local timestamp, as well as log severity and source information;
• See also additional information on log monitoring.

Examples:

net.if.list

The network interface list (includes interface type, status, IPv4 address, description).
Return value: Text.

Comments:

• Multi-byte interface names supported;
• Disabled interfaces are not listed;
• Enabling/disabling some components may change their ordering in the Windows interface name;
• Some Windows versions (for example, Server 2008) might require the latest updates installed to support non-ASCII characters in interface names.

perf_counter[counter,<interval>]

The value of any Windows performance counter.
Return value: Integer, float, string or text (depending on the request).

Parameters:

• counter - the path to the counter;

• interval - the last N seconds for storing the average value. The interval must be between 1 and 900 seconds (included) and the default value is 1.

Comments:

• interval is used for counters that require more than one sample (like CPU utilization), so the check returns an average value for last “interval” seconds every time;
• Performance Monitor can be used to obtain the list of available counters.
• See also: .

perf_counter_en[counter,<interval>]

The value of any Windows performance counter in English.
Return value: Integer, float, string or text (depending on the request).

Parameters:

• counter - the path to the counter in English;

• interval - the last N seconds for storing the average value. The interval must be between 1 and 900 seconds (included) and the default value is 1.

Comments:

• interval is used for counters that require more than one sample (like CPU utilization), so the check returns an average value for last “interval” seconds every time;
• This item is only supported on Windows Server 2008/Vista and above;
• You can find the list of English strings by viewing the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009.

perf_instance.discovery[object]

Parameter:

• object - the object name (localized).

perf_instance_en.discovery[object]

The list of object instances of Windows performance counters, discovered using the object names in English. Used for .
Return value: JSON object.

Parameter:

• object - the object name (in English).

proc_info[process,<attribute>,<type>]

Various information about specific process(es).
Return value: Float.

Parameters:

• process - the process name;

• attribute - the requested process attribute;

• type - the representation type (meaningful when more than one process with the same name exists)

Comments:

• The following attributes are supported:
  vmsize (default) - size of process virtual memory in Kbytes
  wkset - size of process working set (amount of physical memory used by process) in Kbytes
  pf - number of page faults
  ktime - process kernel time in milliseconds
  utime - process user time in milliseconds
  io_read_b - number of bytes read by process during I/O operations
  io_read_op - number of read operation performed by process
  io_write_b - number of bytes written by process during I/O operations
  io_write_op - number of write operation performed by process
  io_other_b - number of bytes transferred by process during operations other than read and write operations
  io_other_op - number of I/O operations performed by process, other than read and write operations
  gdiobj - number of GDI objects used by process
  userobj - number of USER objects used by process;

• Valid types are:
  avg (default) - average value for all processes named <process>
  min - minimum value among all processes named <process>
  max - maximum value among all processes named <process>
  sum - sum of values for all processes named <process>;

• io\*, _gdiobj and userobj attributes are available only on Windows 2000 and later versions of Windows, not on Windows NT 4.0;
• On a 64-bit system, a 64-bit Zabbix agent is required for this item to work correctly.

Examples:

proc_info[iexplore.exe,wkset,sum] #retrieve the amount of physical memory taken by all Internet Explorer processes
       proc_info[iexplore.exe,pf,avg] #retrieve the average number of page faults for Internet Explorer processes

registry.data[key,<value name>]

Return data for the specified value name in the Windows Registry key.
Return value: Integer, string or text (depending on the value type)

Parameters:

• key - the registry key including the root key; root abbreviations (e.g. HKLM) are allowed;
• value name - the registry value name in the key (empty string “” by default). The default value is returned if the value name is not supplied.

Comments:

• Supported root abbreviations:
  HKCR - HKEY_CLASSES_ROOT
  HKCC - HKEY_CURRENT_CONFIG
  HKCU - HKEY_CURRENT_USER
  HKCULS - HKEY_CURRENT_USER_LOCAL_SETTINGS
  HKLM - HKEY_LOCAL_MACHINE
  HKPD - HKEY_PERFORMANCE_DATA
  HKPN - HKEY_PERFORMANCE_NLSTEXT
  HKPT - HKEY_PERFORMANCE_TEXT
  HKU - HKEY_USERS

Examples:

registry.data["HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting"] #return the data of the default value of this key
       registry.data["HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting","EnableZip"] #return the data of the value named "Enable Zip" in this key

registry.get[key,<mode>,<name regexp>]

The list of Windows Registry values or keys located at given key.
Return value: JSON object.

Parameters:

• key - the registry key including the root key; root abbreviations (e.g. HKLM) are allowed (see comments for registry.data[] to see full list of abbreviations);

• mode - possible values:
  values (default) or keys;

• name regexp - only discover values with names that match the regexp (default - discover all values). Allowed only with values as mode.

Keys with spaces must be double-quoted.

Examples:

service.discovery

The list of Windows services. Used for low-level discovery.
Return value: JSON object.

service.info[service,<param>]

Information about a service.
Return value: Integer - with param as state, startup; String - with param as displayname, path, user; Text - with as description
Specifically for state: 0 - running, 1 - paused, 2 - start pending, 3 - pause pending, 4 - continue pending, 5 - stop pending, 6 - stopped, 7 - unknown, 255 - no such service
Specifically for startup: 0 - automatic, 1 - automatic delayed, 2 - manual, 3 - disabled, 4 - unknown, 5 - automatic trigger start, 6 - automatic delayed trigger start, 7 - manual trigger start

Parameters:

• service - a real service name or its display name as seen in the MMC Services snap-in;
• param - state (default), displayname, path, user, startup, or description.

Comments:

• Items like service.info[service,state] and service.info[service] will return the same information;
• Only with param as state this item returns a value for non-existing services (255).

Examples:

service.info[SNMPTRAP] - state of the SNMPTRAP service;
       service.info[SNMP Trap] - state of the same service, but with the display name specified;
       service.info[EventLog,startup] - the startup type of the EventLog service

services[<type>,<state>,<exclude>]

Parameters:

• type - all (default), automatic, manual, or disabled;
• state - all (default), stopped, started, start_pending, stop_pending, running, continue_pending, pause_pending, or paused;
• exclude - the services to exclude from the result. Excluded services should be listed in double quotes, separated by comma, without spaces.

Examples:

services[,started] #returns the list of started services;
       services[automatic, stopped] #returns the list of stopped services that should be running;
       services[automatic, stopped, "service1,service2,service3"] #returns the list of stopped services that should be running, excluding services named "service1", "service2" and "service3"

vm.vmemory.size[<type>]

The virtual memory size in bytes or in percentage from the total.
Return value: Integer - for bytes; float - for percentage.

Parameter:

• type - possible values: available (available virtual memory), pavailable (available virtual memory, in percent), pused (used virtual memory, in percent), total (total virtual memory, default), or used (used virtual memory)

Comments:

• The monitoring of virtual memory statistics is based on:

  • Total virtual memory on Windows (total physical + page file size);

  • The maximum amount of memory Zabbix agent can commit;

  • The current committed memory limit for the system or Zabbix agent, whichever is smaller.

Example:

wmi.get[<namespace>,<query>]

Execute a WMI query and return the first selected object.
Return value: Integer, float, string or text (depending on the request).

Parameters:

• namespace - the WMI namespace;

• query - the WMI query returning a single object.

WMI queries are performed with .

Example:

wmi.get[root\cimv2,select status from Win32_DiskDrive where Name like '%PHYSICALDRIVE0%'] #returns the status of the first physical disk

wmi.getall[<namespace>,<query>]

Execute a WMI query and return the whole response. Can be used for .
Return value: JSON object

Parameters:

• namespace - the WMI namespace;

• query - the WMI query.

Comments:

• WMI queries are performed with WQL.
• JSONPath can be used to point to more specific values in the returned JSON.

Example:

wmi.getall[root\cimv2,select * from Win32_DiskDrive where Name like '%PHYSICALDRIVE%'] #returns status information of physical disks

This tutorial provides step-by-step instructions for setting up the monitoring of Windows services. It is assumed that Zabbix server and agent are configured and operational.

Step 1

Get the service name.

You can get the service name by going to the MMC Services snap-in and bringing up the properties of the service. In the General tab you should see a field called “Service name”. The value that follows is the name you will use when setting up an item for monitoring. For example, if you wanted to monitor the “workstation” service, then your service might be: lanmanworkstation.

Step 2

for monitoring the service.

The item service.info[service,<param>] retrieves information about a particular service. Depending on the information you need, specify the param option which accepts the following values: displayname, state, path, user, startup or description. The default value is state if param is not specified (service.info[service]).

The type of return value depends on chosen param: integer for state and startup; character string for displayname, path and user; text for description.

Example:

• Key:
• Type of information: Numeric (unsigned)

The item service.info[lanmanworkstation] will retrieve information about the state of the service as a numerical value. To map a numerical value to a text representation in the frontend (“0” as “Running”, “1” as “Paused”, etc.), you can configure value mapping on the host on which the item is configured. To do this, either Windows services by Zabbix agent or Windows services by Zabbix agent active to the host, or configure on the host a new value map that is based on the Windows service state value map configured on the mentioned templates.

Discovery of Windows services

provides a way to automatically create items, triggers, and graphs for different entities on a computer. Zabbix can automatically start monitoring Windows services on your machine, without the need to know the exact name of a service or create items for each service manually. A filter can be used to generate real items, triggers, and graphs only for services of interest.