# Windows by SNMP ## Overview This template is designed for the effortless deployment of Windows monitoring by Zabbix via SNMP and doesn't require any external scripts. ## Requirements Zabbix version: 7.0 and higher. ## Tested versions This template has been tested on: - Windows OS ## Configuration > Zabbix should be configured according to the instructions in the [Templates out of the box](https://www.zabbix.com/documentation/7.0/manual/config/templates_out_of_the_box) section. ## Setup Refer to the vendor documentation. ### Macros used |Name|Description|Default| |----|-----------|-------| |{$SNMP.TIMEOUT}||`5m`| |{$ICMP_LOSS_WARN}||`20`| |{$ICMP_RESPONSE_TIME_WARN}||`0.15`| |{$VFS.FS.FSNAME.NOT_MATCHES}|

This macro is used in filesystems discovery. Can be overridden on the host or linked template level.

|`^(/dev\|/sys\|/run\|/proc\|.+/shm$)`| |{$VFS.FS.FSNAME.MATCHES}|

This macro is used in filesystems discovery. Can be overridden on the host or linked template level.

|`.+`| |{$VFS.FS.FSTYPE.NOT_MATCHES}|

This macro is used in filesystems discovery. Can be overridden on the host or linked template level.

|`CHANGE_IF_NEEDED`| |{$VFS.FS.FSTYPE.MATCHES}|

This macro is used in filesystems discovery. Can be overridden on the host or linked template level.

|`.*(\.4\|\.9\|hrStorageFixedDisk\|hrStorageFlashMemory)$`| |{$VFS.FS.FREE.MIN.CRIT}|

The critical threshold of the filesystem utilization.

|`5G`| |{$VFS.FS.FREE.MIN.WARN}|

The warning threshold of the filesystem utilization.

|`10G`| |{$VFS.FS.PUSED.MAX.CRIT}||`90`| |{$VFS.FS.PUSED.MAX.WARN}||`80`| |{$MEMORY.UTIL.MAX}|

The warning threshold of the "Physical memory: Memory utilization" item.

|`90`| |{$MEMORY.TYPE.NOT_MATCHES}|

This macro is used in memory discovery. Can be overridden on the host or linked template level if you need to filter out results.

|`CHANGE_IF_NEEDED`| |{$MEMORY.TYPE.MATCHES}|

This macro is used in memory discovery. Can be overridden on the host or linked template level.

|`.*(\.2\|hrStorageRam)$`| |{$MEMORY.NAME.MATCHES}|

This macro is used in memory discovery. Can be overridden on the host or linked template level.

|`.*`| |{$MEMORY.NAME.NOT_MATCHES}|

This macro is used in memory discovery. Can be overridden on the host or linked template level if you need to filter out results.

|`CHANGE_IF_NEEDED`| |{$CPU.UTIL.CRIT}||`90`| |{$IFCONTROL}||`1`| |{$NET.IF.IFNAME.MATCHES}||`^.*$`| |{$NET.IF.IFNAME.NOT_MATCHES}|

Filter out loopbacks, nulls, docker veth links and docker0 bridge by default

|`Macro too long. Please see the template.`| |{$NET.IF.IFOPERSTATUS.MATCHES}||`^.*$`| |{$NET.IF.IFOPERSTATUS.NOT_MATCHES}|

Ignore notPresent(6)

|`^6$`| |{$NET.IF.IFADMINSTATUS.MATCHES}||`^.*$`| |{$NET.IF.IFADMINSTATUS.NOT_MATCHES}|

Ignore down(2) administrative status

|`^2$`| |{$NET.IF.IFDESCR.MATCHES}||`.*`| |{$NET.IF.IFDESCR.NOT_MATCHES}||`Macro too long. Please see the template.`| |{$NET.IF.IFALIAS.MATCHES}||`.*`| |{$NET.IF.IFALIAS.NOT_MATCHES}||`CHANGE_IF_NEEDED`| |{$NET.IF.IFTYPE.MATCHES}||`.*`| |{$NET.IF.IFTYPE.NOT_MATCHES}||`CHANGE_IF_NEEDED`| |{$IF.UTIL.MAX}||`90`| |{$IF.ERRORS.WARN}||`2`| ### Items |Name|Description|Type|Key and additional info| |----|-----------|----|-----------------------| |Windows: Uptime (network)|

MIB: SNMPv2-MIB

The time (in hundredths of a second) since the network management portion of the system was last re-initialized.

|SNMP agent|system.net.uptime[sysUpTime.0]

**Preprocessing**

| |Windows: Uptime (hardware)|

MIB: HOST-RESOURCES-MIB

The amount of time since this host was last initialized. Note that this is different from sysUpTime in the SNMPv2-MIB [RFC1907] because sysUpTime is the uptime of the network management portion of the system.

|SNMP agent|system.hw.uptime[hrSystemUptime.0]

**Preprocessing**

| |Windows: SNMP traps (fallback)|

The item is used to collect all SNMP traps unmatched by other snmptrap items

|SNMP trap|snmptrap.fallback| |Windows: System location|

MIB: SNMPv2-MIB

The physical location of this node (e.g., `telephone closet, 3rd floor'). If the location is unknown, the value is the zero-length string.

|SNMP agent|system.location[sysLocation.0]

**Preprocessing**

| |Windows: System contact details|

MIB: SNMPv2-MIB

The textual identification of the contact person for this managed node, together with information on how to contact this person. If no contact information is known, the value is the zero-length string.

|SNMP agent|system.contact[sysContact.0]

**Preprocessing**

| |Windows: System object ID|

MIB: SNMPv2-MIB

The vendor's authoritative identification of the network management subsystem contained in the entity. This value is allocated within the SMI enterprises subtree (1.3.6.1.4.1) and provides an easy and unambiguous means for determining`what kind of box' is being managed. For example, if vendor`Flintstones, Inc.' was assigned the subtree1.3.6.1.4.1.4242, it could assign the identifier 1.3.6.1.4.1.4242.1.1 to its `Fred Router'.

|SNMP agent|system.objectid[sysObjectID.0]

**Preprocessing**

| |Windows: System name|

MIB: SNMPv2-MIB

An administratively-assigned name for this managed node.By convention, this is the node's fully-qualified domain name. If the name is unknown, the value is the zero-length string.

|SNMP agent|system.name

**Preprocessing**

| |Windows: System description|

MIB: SNMPv2-MIB

A textual description of the entity. This value should

include the full name and version identification of the system's hardware type, software operating-system, and

networking software.

|SNMP agent|system.descr[sysDescr.0]

**Preprocessing**

| |Windows: SNMP agent availability|

Availability of SNMP checks on the host. The value of this item corresponds to availability icons in the host list.

Possible value:

0 - not available

1 - available

2 - unknown

|Zabbix internal|zabbix[host,snmp,available]| |Windows: ICMP ping||Simple check|icmpping| |Windows: ICMP loss||Simple check|icmppingloss| |Windows: ICMP response time||Simple check|icmppingsec| |Windows: SNMP walk mounted filesystems|

HOST-RESOURCES-MIB::hrStorage discovery.

|SNMP agent|vfs.fs.walk| |Windows: CPU utilization|

MIB: HOST-RESOURCES-MIB

The average, over the last minute, of the percentage of time that processors was not idle.

Implementations may approximate this one minute smoothing period if necessary.

|SNMP agent|system.cpu.util

**Preprocessing**

| |Windows: SNMP walk network interfaces|

Discovering interfaces from IF-MIB.

|SNMP agent|net.if.walk| ### Triggers |Name|Description|Expression|Severity|Dependencies and additional info| |----|-----------|----------|--------|--------------------------------| |Windows: Host has been restarted|

Uptime is less than 10 minutes.

|`(last(/Windows by SNMP/system.hw.uptime[hrSystemUptime.0])>0 and last(/Windows by SNMP/system.hw.uptime[hrSystemUptime.0])<10m) or (last(/Windows by SNMP/system.hw.uptime[hrSystemUptime.0])=0 and last(/Windows by SNMP/system.net.uptime[sysUpTime.0])<10m)`|Warning|**Manual close**: Yes
**Depends on**:
| |Windows: System name has changed|

The name of the system has changed. Acknowledge to close the problem manually.

|`last(/Windows by SNMP/system.name,#1)<>last(/Windows by SNMP/system.name,#2) and length(last(/Windows by SNMP/system.name))>0`|Info|**Manual close**: Yes| |Windows: No SNMP data collection|

SNMP is not available for polling. Please check device connectivity and SNMP settings.

|`max(/Windows by SNMP/zabbix[host,snmp,available],{$SNMP.TIMEOUT})=0`|Warning|**Depends on**:
| |Windows: Unavailable by ICMP ping|

Last three attempts returned timeout. Please check device connectivity.

|`max(/Windows by SNMP/icmpping,#3)=0`|High|| |Windows: High ICMP ping loss||`min(/Windows by SNMP/icmppingloss,5m)>{$ICMP_LOSS_WARN} and min(/Windows by SNMP/icmppingloss,5m)<100`|Warning|**Depends on**:
| |Windows: High ICMP ping response time||`avg(/Windows by SNMP/icmppingsec,5m)>{$ICMP_RESPONSE_TIME_WARN}`|Warning|**Depends on**:
| |Windows: High CPU utilization|

The CPU utilization is too high. The system might be slow to respond.

|`min(/Windows by SNMP/system.cpu.util,5m)>{$CPU.UTIL.CRIT}`|Warning|| ### LLD rule Storage discovery |Name|Description|Type|Key and additional info| |----|-----------|----|-----------------------| |Storage discovery|

HOST-RESOURCES-MIB::hrStorage discovery with storage filter.

|Dependent item|vfs.fs.discovery[snmp]

**Preprocessing**

| ### Item prototypes for Storage discovery |Name|Description|Type|Key and additional info| |----|-----------|----|-----------------------| |{#FSNAME}: Used space|

MIB: HOST-RESOURCES-MIB

The amount of the storage represented by this entry that is allocated, in units of hrStorageAllocationUnits.

|Dependent item|vfs.fs.used[hrStorageUsed.{#SNMPINDEX}]

**Preprocessing**

| |{#FSNAME}: Total space|

MIB: HOST-RESOURCES-MIB

The size of the storage represented by this entry, in units of hrStorageAllocationUnits.

This object is writable to allow remote configuration of the size of the storage area in those cases where such an operation makes sense and is possible on the underlying system.

For example, the amount of main storage allocated to a buffer pool might be modified or the amount of disk space allocated to virtual storage might be modified.

|Dependent item|vfs.fs.total[hrStorageSize.{#SNMPINDEX}]

**Preprocessing**

| |{#FSNAME}: Space utilization|

The space utilization expressed in % for {#FSNAME}.

|Calculated|vfs.fs.pused[storageUsedPercentage.{#SNMPINDEX}]| ### Trigger prototypes for Storage discovery |Name|Description|Expression|Severity|Dependencies and additional info| |----|-----------|----------|--------|--------------------------------| |{#FSNAME}: Disk space is critically low|

Two conditions should match:
1. The first condition - utilization of the space should be above `{$VFS.FS.PUSED.MAX.CRIT:"{#FSNAME}"}`.
2. The second condition should be one of the following:
- the disk free space is less than `{$VFS.FS.FREE.MIN.CRIT:"{#FSNAME}"}`;
- the disk will be full in less than 24 hours.

|`last(/Windows by SNMP/vfs.fs.pused[storageUsedPercentage.{#SNMPINDEX}])>{$VFS.FS.PUSED.MAX.CRIT:"{#FSNAME}"} and ((last(/Windows by SNMP/vfs.fs.total[hrStorageSize.{#SNMPINDEX}])-last(/Windows by SNMP/vfs.fs.used[hrStorageUsed.{#SNMPINDEX}]))<{$VFS.FS.FREE.MIN.CRIT:"{#FSNAME}"} or timeleft(/Windows by SNMP/vfs.fs.pused[storageUsedPercentage.{#SNMPINDEX}],1h,100)<1d)`|Average|**Manual close**: Yes| |{#FSNAME}: Disk space is low|

Two conditions should match:
1. The first condition - utilization of the space should be above `{$VFS.FS.PUSED.MAX.WARN:"{#FSNAME}"}`.
2. The second condition should be one of the following:
- the disk free space is less than `{$VFS.FS.FREE.MIN.WARN:"{#FSNAME}"}`;
- the disk will be full in less than 24 hours.

|`last(/Windows by SNMP/vfs.fs.pused[storageUsedPercentage.{#SNMPINDEX}])>{$VFS.FS.PUSED.MAX.WARN:"{#FSNAME}"} and ((last(/Windows by SNMP/vfs.fs.total[hrStorageSize.{#SNMPINDEX}])-last(/Windows by SNMP/vfs.fs.used[hrStorageUsed.{#SNMPINDEX}]))<{$VFS.FS.FREE.MIN.WARN:"{#FSNAME}"} or timeleft(/Windows by SNMP/vfs.fs.pused[storageUsedPercentage.{#SNMPINDEX}],1h,100)<1d)`|Warning|**Manual close**: Yes
**Depends on**:
| ### LLD rule Memory discovery |Name|Description|Type|Key and additional info| |----|-----------|----|-----------------------| |Memory discovery|

HOST-RESOURCES-MIB::hrStorage discovery with memory filter

|Dependent item|vm.memory.discovery

**Preprocessing**

| ### Item prototypes for Memory discovery |Name|Description|Type|Key and additional info| |----|-----------|----|-----------------------| |{#MEMNAME}: Used memory|

MIB: HOST-RESOURCES-MIB

The amount of the storage represented by this entry that is allocated, in units of hrStorageAllocationUnits.

|Dependent item|vm.memory.used[hrStorageUsed.{#SNMPINDEX}]

**Preprocessing**

| |{#MEMNAME}: Total memory|

MIB: HOST-RESOURCES-MIB

The size of the storage represented by this entry, in units of hrStorageAllocationUnits.

This object is writable to allow remote configuration of the size of the storage area in those cases where such an operation makes sense and is possible on the underlying system.

For example, the amount of main memory allocated to a buffer pool might be modified or the amount of disk space allocated to virtual memory might be modified.

|Dependent item|vm.memory.total[hrStorageSize.{#SNMPINDEX}]

**Preprocessing**

| |{#MEMNAME}: Memory utilization|

Memory utilization in %.

|Calculated|vm.memory.util[memoryUsedPercentage.{#SNMPINDEX}]| ### Trigger prototypes for Memory discovery |Name|Description|Expression|Severity|Dependencies and additional info| |----|-----------|----------|--------|--------------------------------| |{#MEMNAME}: High memory utilization|

The system is running out of free memory.

|`min(/Windows by SNMP/vm.memory.util[memoryUsedPercentage.{#SNMPINDEX}],5m)>{$MEMORY.UTIL.MAX}`|Average|| ### LLD rule Network interfaces discovery |Name|Description|Type|Key and additional info| |----|-----------|----|-----------------------| |Network interfaces discovery|

Discovering interfaces from IF-MIB.

|Dependent item|net.if.discovery

**Preprocessing**

| ### Item prototypes for Network interfaces discovery |Name|Description|Type|Key and additional info| |----|-----------|----|-----------------------| |Interface {#IFNAME}({#IFALIAS}): Operational status|

MIB: IF-MIB

The current operational state of the interface.

- The testing(3) state indicates that no operational packet scan be passed

- If ifAdminStatus is down(2) then ifOperStatus should be down(2)

- If ifAdminStatus is changed to up(1) then ifOperStatus should change to up(1) if the interface is ready to transmit and receive network traffic

- It should change todormant(5) if the interface is waiting for external actions (such as a serial line waiting for an incoming connection)

- It should remain in the down(2) state if and only if there is a fault that prevents it from going to the up(1) state

- It should remain in the notPresent(6) state if the interface has missing(typically, hardware) components.

|Dependent item|net.if.status[ifOperStatus.{#SNMPINDEX}]

**Preprocessing**

| |Interface {#IFNAME}({#IFALIAS}): Bits received|

MIB: IF-MIB

The total number of octets received on the interface,including framing characters. Discontinuities in the value of this counter can occur at re-initialization of the management system, and another times as indicated by the value of ifCounterDiscontinuityTime.

|Dependent item|net.if.in[ifInOctets.{#SNMPINDEX}]

**Preprocessing**

| |Interface {#IFNAME}({#IFALIAS}): Bits sent|

MIB: IF-MIB

The total number of octets transmitted out of the interface, including framing characters. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.

|Dependent item|net.if.out[ifOutOctets.{#SNMPINDEX}]

**Preprocessing**

| |Interface {#IFNAME}({#IFALIAS}): Inbound packets with errors|

MIB: IF-MIB

For packet-oriented interfaces, the number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of inbound transmission units that contained errors preventing them from being deliverable to a higher-layer protocol. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.

|Dependent item|net.if.in.errors[ifInErrors.{#SNMPINDEX}]

**Preprocessing**

| |Interface {#IFNAME}({#IFALIAS}): Outbound packets with errors|

MIB: IF-MIB

For packet-oriented interfaces, the number of outbound packets that contained errors preventing them from being deliverable to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of outbound transmission units that contained errors preventing them from being deliverable to a higher-layer protocol. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.

|Dependent item|net.if.out.errors[ifOutErrors.{#SNMPINDEX}]

**Preprocessing**

| |Interface {#IFNAME}({#IFALIAS}): Outbound packets discarded|

MIB: IF-MIB

The number of outbound packets which were chosen to be discarded

even though no errors had been detected to prevent their being deliverable to a higher-layer protocol.

One possible reason for discarding such a packet could be to free up buffer space.

Discontinuities in the value of this counter can occur at re-initialization of the management system,

and at other times as indicated by the value of ifCounterDiscontinuityTime.

|Dependent item|net.if.out.discards[ifOutDiscards.{#SNMPINDEX}]

**Preprocessing**

| |Interface {#IFNAME}({#IFALIAS}): Inbound packets discarded|

MIB: IF-MIB

The number of inbound packets which were chosen to be discarded

even though no errors had been detected to prevent their being deliverable to a higher-layer protocol.

One possible reason for discarding such a packet could be to free up buffer space.

Discontinuities in the value of this counter can occur at re-initialization of the management system,

and at other times as indicated by the value of ifCounterDiscontinuityTime.

|Dependent item|net.if.in.discards[ifInDiscards.{#SNMPINDEX}]

**Preprocessing**

| |Interface {#IFNAME}({#IFALIAS}): Interface type|

MIB: IF-MIB

The type of interface.

Additional values for ifType are assigned by the Internet Assigned Numbers Authority (IANA),

through updating the syntax of the IANAifType textual convention.

|Dependent item|net.if.type[ifType.{#SNMPINDEX}]

**Preprocessing**

| |Interface {#IFNAME}({#IFALIAS}): Speed|

MIB: IF-MIB

An estimate of the interface's current bandwidth in units of 1,000,000 bits per second. If this object reports a value of `n' then the speed of the interface is somewhere in the range of `n-500,000' to`n+499,999'. For interfaces which do not vary in bandwidth or for those where no accurate estimation can be made, this object should contain the nominal bandwidth. For a sub-layer which has no concept of bandwidth, this object should be zero.

|Dependent item|net.if.speed[ifHighSpeed.{#SNMPINDEX}]

**Preprocessing**

| ### Trigger prototypes for Network interfaces discovery |Name|Description|Expression|Severity|Dependencies and additional info| |----|-----------|----------|--------|--------------------------------| |Interface {#IFNAME}({#IFALIAS}): Link down|

This trigger expression works as follows:
1. It can be triggered if the operations status is down.
2. `{$IFCONTROL:"{#IFNAME}"}=1` - a user can redefine context macro to value - 0. That marks this interface as not important. No new trigger will be fired if this interface is down.
3. `{TEMPLATE_NAME:METRIC.diff()}=1` - the trigger fires only if the operational status was up to (1) sometime before (so, do not fire for the 'eternal off' interfaces.)

WARNING: if closed manually - it will not fire again on the next poll, because of .diff.

|`{$IFCONTROL:"{#IFNAME}"}=1 and last(/Windows by SNMP/net.if.status[ifOperStatus.{#SNMPINDEX}])=2 and (last(/Windows by SNMP/net.if.status[ifOperStatus.{#SNMPINDEX}],#1)<>last(/Windows by SNMP/net.if.status[ifOperStatus.{#SNMPINDEX}],#2))`|Average|**Manual close**: Yes| |Interface {#IFNAME}({#IFALIAS}): High bandwidth usage|

The utilization of the network interface is close to its estimated maximum bandwidth.

|`(avg(/Windows by SNMP/net.if.in[ifInOctets.{#SNMPINDEX}],15m)>({$IF.UTIL.MAX:"{#IFNAME}"}/100)*last(/Windows by SNMP/net.if.speed[ifHighSpeed.{#SNMPINDEX}]) or avg(/Windows by SNMP/net.if.out[ifOutOctets.{#SNMPINDEX}],15m)>({$IF.UTIL.MAX:"{#IFNAME}"}/100)*last(/Windows by SNMP/net.if.speed[ifHighSpeed.{#SNMPINDEX}])) and last(/Windows by SNMP/net.if.speed[ifHighSpeed.{#SNMPINDEX}])>0`|Warning|**Manual close**: Yes
**Depends on**:
| |Interface {#IFNAME}({#IFALIAS}): High error rate|

It recovers when it is below 80% of the `{$IF.ERRORS.WARN:"{#IFNAME}"}` threshold.

|`min(/Windows by SNMP/net.if.in.errors[ifInErrors.{#SNMPINDEX}],5m)>{$IF.ERRORS.WARN:"{#IFNAME}"} or min(/Windows by SNMP/net.if.out.errors[ifOutErrors.{#SNMPINDEX}],5m)>{$IF.ERRORS.WARN:"{#IFNAME}"}`|Warning|**Manual close**: Yes
**Depends on**:
| |Interface {#IFNAME}({#IFALIAS}): Ethernet has changed to lower speed than it was before|

This Ethernet connection has transitioned down from its known maximum speed. This might be a sign of autonegotiation issues. Acknowledge to close the problem manually.

|`change(/Windows by SNMP/net.if.speed[ifHighSpeed.{#SNMPINDEX}])<0 and last(/Windows by SNMP/net.if.speed[ifHighSpeed.{#SNMPINDEX}])>0 and ( last(/Windows by SNMP/net.if.type[ifType.{#SNMPINDEX}])=6 or last(/Windows by SNMP/net.if.type[ifType.{#SNMPINDEX}])=7 or last(/Windows by SNMP/net.if.type[ifType.{#SNMPINDEX}])=11 or last(/Windows by SNMP/net.if.type[ifType.{#SNMPINDEX}])=62 or last(/Windows by SNMP/net.if.type[ifType.{#SNMPINDEX}])=69 or last(/Windows by SNMP/net.if.type[ifType.{#SNMPINDEX}])=117 ) and (last(/Windows by SNMP/net.if.status[ifOperStatus.{#SNMPINDEX}])<>2)`|Info|**Manual close**: Yes
**Depends on**:
| ## Feedback Please report any issues with the template at [`https://support.zabbix.com`](https://support.zabbix.com) You can also provide feedback, discuss the template, or ask for help at [`ZABBIX forums`](https://www.zabbix.com/forum/zabbix-suggestions-and-feedback)