Enhance filter for windows discovery

  • frater
    Senior Member
    • Oct 2010
    • 340

    #1

    I would like to add an extra filter for the service discovery so that it does not add services containing:

    Code:
    One_SyncSvc_
    clr_optimization_v4.0
    sppsvc
    Something similar for the "Network Interfaces" to filter out:

    Code:
    miniport
    ISATAP
    Teredo
    RAS
    Packet Scheduler
    I know there's a filter, but I don't know (yet) how to enhance it.
    Does anyone know how to do this?
    Zabbix agents on Linux, FreeBSD, Windows, AVM-Fritz!box, DD-WRT and QNAP
  • kaspars.mednis
    Senior Member
    Zabbix Certified Trainer
    Zabbix Certified Specialist, Zabbix Certified Professional
    • Oct 2017
    • 349

    #2
    Create a global regular expression, name it something like "Windows services to exclude", and write your own expressions there, e.g.:

    Expression Type : Character String Not included
    Expression: One_SyncSvc

    Add as many as you need.

    You can test your expressions in the Test tab; the combined result must be FALSE if you want to exclude the strings.

    Regards,
    Kaspars

    • frater
      Senior Member
      • Oct 2010
      • 340

      #3
      Thanks, thanks, thanks....

      I've been using Zabbix for more than 8 years I think and I have never been in that section. Who thought of hiding these features in a dropdown box?

      Anyhow...
      Now that you've pointed me there, I noticed that some kind of filtering already exists, as it already contains a few expressions.
      (I was already wondering how it handled some of the automatic services that always shut down.)
      They can however be improved.
      This is what's there at this time:

      Code:
      ^(MMCSS|gupdate|SysmonLog|clr_optimization_v2.0.50727_32|clr_optimization_v4.0.30319_32)$	[Result is FALSE]
      I think I'm going to lose the caret (^) and the dollar sign ($) so it can also detect "clr_optimization_v4.0.30319_64". There are several services that contain UserSvc which are updated with a different name each time. They are not interesting, so better lose them right here to avoid the nuisance of removing these all the time.


      I changed it into:
      Code:
      (ShellHWDetection|MMCSS|gupdate|SysmonLog|clr_optimization_|sppsvc|UserSvc|^One|^Wpn|^DoSvc)	[Result is FALSE]
      It's working as expected....
      Maybe I should have changed to the format with separate items like the network interfaces one, but for the time being I'll keep it like this.
      If I come across some other service to filter, I will put it here.


      For the Windows network interfaces I created a new filter which is like this:

      Code:
      Windows Network interfaces for discovery	
      1	»	Kernel	[Result is FALSE]
      2	»	Virtual	[Result is FALSE]
      3	»	Bluetooth	[Result is FALSE]
      4	»	Software Loopback Interface	[Result is FALSE]
      5	»	ISATAP	[Result is FALSE]
      6	»	Filter	[Result is FALSE]
      7	»	Teredo	[Result is FALSE]
      8	»	QoS	[Result is FALSE]
      9	»	RAS	[Result is FALSE]
      10	»	PPTP	[Result is FALSE]
      11	»	Minipoort	[Result is FALSE]
      12	»	Miniport	[Result is FALSE]
      13	»	^$	[Result is FALSE]
      14	»	Packet	[Result is FALSE]
      As to the ^$:
      One server (and only one) came up with an empty network interface. I don't know why. Better to filter it here.

      It was my intention to leave the original discovery for network interfaces untouched.
      I'm using it for non-Windows, which means in my case either FreeBSD or Linux.
      The "Software Loopback Interface" could be deleted, but it doesn't hurt and is good for compatibility with the standard templates.
      I did change "^lo$" to "^lo" as it would otherwise not filter the lo0 interface I'm getting on FreeBSD.
      I've added the "^bond" interface as that one appeared on all my QNAP devices (Linux).

      Code:
      Network interfaces for discovery	
      1	»	^lo	[Result is FALSE]
      2	»	^Software Loopback Interface	[Result is FALSE]
      3	»	^bond	[Result is FALSE]
      Last edited by frater; 26-11-2017, 21:27.
      Zabbix agents on Linux, FreeBSD, Windows, AVM-Fritz!box, DD-WRT and QNAP
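
The filters from this thread, replayed offline as an added example (not part of the original posts and not Zabbix code). It assumes Python's `re` behaves like Zabbix's PCRE for these patterns and that matching is case sensitive; all service and interface names are constructed samples, and the function names are hypothetical.

```python
import re

# Filters copied from the thread; every expression is of type "Result is FALSE".
OLD_SERVICES = [r"^(MMCSS|gupdate|SysmonLog|clr_optimization_v2.0.50727_32|clr_optimization_v4.0.30319_32)$"]
NEW_SERVICES = [r"(ShellHWDetection|MMCSS|gupdate|SysmonLog|clr_optimization_|sppsvc|UserSvc|^One|^Wpn|^DoSvc)"]
WINDOWS_NICS = ["Kernel", "Virtual", "Bluetooth", "Software Loopback Interface",
                "ISATAP", "Filter", "Teredo", "QoS", "RAS", "PPTP",
                "Minipoort", "Miniport", "^$", "Packet"]

def is_discovered(value, expressions):
    """A value is kept only if every "Result is FALSE" expression fails to match.
    Expressions inside one global regular expression are combined with AND."""
    return all(re.search(p, value) is None for p in expressions)

def discovered(values, expressions):
    """Return the values that would still be discovered after filtering."""
    return [v for v in values if is_discovered(v, expressions)]

def dropped_by(value, expressions):
    """List the expressions that exclude a value, for auditing a filter."""
    return [p for p in expressions if re.search(p, value)]

# Constructed sample data (per-user suffixes and the vendor agent are made up).
SAMPLE_SERVICES = ["Spooler", "W32Time", "sppsvc",
                   "clr_optimization_v4.0.30319_32", "clr_optimization_v4.0.30319_64",
                   "CDPUserSvc_4f2a1", "OneSyncSvc_4f2a1", "WpnUserService_4f2a1",
                   "OneVendorBackupAgent"]
SAMPLE_NICS = ["Intel(R) Ethernet Connection I219-LM", "WAN Miniport (PPTP)",
               "Teredo Tunneling Pseudo-Interface", "Hyper-V Virtual Ethernet Adapter",
               "Software Loopback Interface 1", ""]

if __name__ == "__main__":
    print("old service filter keeps:", discovered(SAMPLE_SERVICES, OLD_SERVICES))
    print("new service filter keeps:", discovered(SAMPLE_SERVICES, NEW_SERVICES))
    print("NIC filter keeps:", discovered(SAMPLE_NICS, WINDOWS_NICS))
    # Show which expression removed each excluded interface.
    for nic in SAMPLE_NICS:
        hits = dropped_by(nic, WINDOWS_NICS)
        if hits:
            print(repr(nic), "excluded by", hits)
```

Unanchored or short patterns such as `^One` and `Virtual` also exclude names you may want monitored (the constructed `OneVendorBackupAgent` and the Hyper-V adapter above), so it is worth running `dropped_by` over the names from a real host before saving a filter.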