
How to keep only some metrics of Windows discovery system in Zabbix?


I used Zabbix to monitor some Windows servers in AWS. Automatically, the Windows discovery system will create many, many items as well as triggers in Zabbix. I tried to disable all of them and keep only 2 items. They're:

  • Service "Dhcp" (DHCP Client) is not running (startup type automatic)
  • Service "MpsSvc" (Windows Firewall) is not running (startup type automatic)

But after a while, there are many items like Service "OneSyncSvc_xxxxxxx" (Sync Host_xxxxxxx) is not running (startup type automatic delayed). I disabled them too, and then later some items with the structure above came in. If I disable the Windows discovery system, I'm afraid that the 2 above-mentioned items would not work either.

Is there any way to handle this?



Solution

  • Most Zabbix templates you find are best thought of as examples; what one organization needs to monitor is often quite different from another. This is especially true of low-level discovery, which is what you are dealing with.

    The best approach is to find the template and see how it generates the LLD items. There are many ways this can be done, from scripts to Zabbix walks through SNMP items or Agent items. Regardless, each will have a discovery definition (Configure, Templates, Discovery Rule). On the second tab is a "Filters" page. There you can create a logical set of conditions which will allow (or not) discovery.

    As a simple example, I have a list of name patterns of interfaces I do not want, e.g. "Unrouted VLAN" or "StackSub". If those names are found, the item is not discovered. If you have several templates that will have similar lists, put the list in a regular expression (Administration, General, Regular Expressions). Be careful of the match sense (include/exclude) and you can test them in the regular expression page (second tab).

    In other words, the way you really want to handle it is not to have them discovered at all, as opposed to dealing with them afterwards.

    Note that items no longer discovered (e.g. if you start filtering and eliminate some) are removed after the "Keep lost resources period (in days)" on the discovery rule. It is wise when changing the filters to set this to something larger than 0, then review the items for a device to see which are not discovered and being deleted (they appear with an orange exclamation point, if I recall -- some kind of flag and hover over and it explains).

    If your needs are more complex than static filters can determine, you can script the discovery itself, and have the logic in the script to decide what is needed and what not, but clearly that is a lot more complex to implement.
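
One way to preview a discovery filter before saving it, as an added example that is not part of the original answer or of Zabbix itself: it applies filter rows to a constructed service-discovery payload and reports which services stay and which would become lost resources. The macro names are those of Zabbix's `service.discovery` key; the sample values, the `_[0-9a-f]+$` suffix pattern, the function names and the use of Python's `re` in place of Zabbix's PCRE are assumptions.

```python
import json
import re

# Constructed sample of the JSON a Windows agent returns for service discovery.
# Macro names follow Zabbix's service.discovery key; the values are made up.
SAMPLE_LLD = json.dumps([
    {"{#SERVICE.NAME}": "Dhcp", "{#SERVICE.STARTUPNAME}": "automatic"},
    {"{#SERVICE.NAME}": "MpsSvc", "{#SERVICE.STARTUPNAME}": "automatic"},
    {"{#SERVICE.NAME}": "OneSyncSvc_1a2b3c", "{#SERVICE.STARTUPNAME}": "automatic delayed"},
    {"{#SERVICE.NAME}": "Spooler", "{#SERVICE.STARTUPNAME}": "automatic"},
])

# Each tuple mirrors one row of the discovery rule's Filters tab:
# (macro, regular expression, True for "matches" / False for "does not match").
ALLOW_ONLY = [("{#SERVICE.NAME}", r"^(Dhcp|MpsSvc)$", True)]
# Assumed pattern for the per-user services with a generated suffix.
DROP_PER_USER = [("{#SERVICE.NAME}", r"_[0-9a-f]+$", False),
                 ("{#SERVICE.STARTUPNAME}", r"^automatic", True)]


def condition_holds(entity, macro, pattern, must_match):
    """Evaluate one filter row against one discovered entity."""
    value = entity.get(macro)
    if value is None:
        # Assumption of this sketch: a missing macro fails the condition.
        return False
    return (re.search(pattern, value) is not None) == must_match


def apply_filter(lld_json, conditions, mode="and"):
    """Return (kept, dropped) service names for a set of filter rows."""
    entities = json.loads(lld_json)
    if isinstance(entities, dict):  # some versions wrap the array as {"data": [...]}
        entities = entities.get("data", [])
    combine = all if mode == "and" else any
    kept, dropped = [], []
    for entity in entities:
        ok = combine(condition_holds(entity, *row) for row in conditions)
        (kept if ok else dropped).append(entity.get("{#SERVICE.NAME}", "<unnamed>"))
    return kept, dropped


if __name__ == "__main__":
    for label, rows in (("allow-list", ALLOW_ONLY), ("drop per-user", DROP_PER_USER)):
        kept, dropped = apply_filter(SAMPLE_LLD, rows)
        print(f"{label}: keep {kept}; lost after the keep period: {dropped}")
```

The dropped list is what to review against the "Keep lost resources period" before the items are deleted; a monitored service such as MpsSvc showing up there means the match sense of a row is inverted.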