Best Practice for Tiered Alerting on Discovered Windows Services in Zabbix 7.4

  • praths
    Junior Member
    • Jul 2025
    • 5

    #1


    Hello Zabbix Community,

    I'm looking for the recommended best practice for setting up a tiered alerting strategy for specific Windows services discovered by LLD on Zabbix 7.4.

    What I Want to Achieve
    My goal is to have different monitoring rules for different services discovered by the standard service.discovery key on Windows hosts. For example:
    1. Default Monitoring: For most services, create a standard Warning trigger if the service stops.
    2. Delayed/Flapping Alert: For a specific service like GoogleUpdaterService (which restarts often), create an initial Information trigger, and only escalate to a Warning if it remains stopped for 2 hours.
    3. High-Priority Alert: For a critical service like GoogleDriveService, create an immediate High severity trigger.

    What I've Tried
    I am using a cloned version of the "Windows by Zabbix agent" template and have explored a few architectures:
    1. Multi-Template Approach: I tried creating a main template that excludes the Google services via the {$SERVICE.NAME.NOT_MATCHES} macro, and a second template with its own discovery rule just for the Google services. This failed because a host cannot inherit two LLD rules with the same key (service.discovery).
    2. Single Template with LLD Overrides/Filters: This seems to be the modern, correct approach. My plan was to use a single discovery rule that finds all services, and then use Overrides or Filters on the trigger prototypes to apply the specific logic. However, I seem to be having some trouble locating the 'Filters' or 'Overrides' tabs on my trigger prototype screen.
    3. Static Items: As a workaround, I tried creating static items and triggers for the Google services. This works but is not ideal, as it won't automatically handle service name changes after an update (e.g., GoogleUpdaterService becoming GoogleUpdaterService141.0).

    My Question
    For Zabbix 7.4, what is the definitive, best-practice way to implement this kind of tiered alerting for discovered services? Is the single discovery rule with Overrides the recommended path?
    Any guidance or examples would be greatly appreciated.

    My Environment:
    • Zabbix Server/Frontend Version: 7.4.0
    • User Role: Super Admin
    Thank you!

    Patrick
  • cyber
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • Dec 2006
    • 4807

    #2
    Originally posted by praths
    However, I seem to be having some trouble locating the 'Filters' or 'Overrides' tabs on my trigger prototype screen.
    These are together with discovery rule, not under trigger prototype section...


    • BradKnowles
      Junior Member
      • May 2025
      • 24

      #3
      praths & cyber -- I'm trying to do the same thing for certain Windows services, and I found this article, the Reddit thread at https://www.reddit.com/r/zabbix/comm...es_if_stopped/ and the video at https://www.youtube.com/watch?v=rufZHXGl0yE but I'm still having trouble getting this to work. Can you give me any additional pointers that may help?

      I'll do more searching around and post here again if I find anything, but these are the most relevant resources I've found so far.

      Thanks!


      • compuj85
        Junior Member
        • Sep 2025
        • 5

        #4
        FWIW, in our deployment I'm using an Override to increase the severity of stopped ADDS services:

        In Data Collection \ Templates \ Windows by Zabbix agent active \ Discovery \ Windows services discovery, I've created an Override where if {#SERVICE.NAME} matches ^(Netlogon|DNS|NTDS)$ and the Trigger prototype contains "not running" the severity is upgraded to High.

        -J
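
The override described in post #4, written as a Zabbix API `discoveryrule.update` request body together with a local check of the same two conditions. This is an added example, not part of the original thread; the numeric codes follow the Zabbix API's LLD override object, and the rule ID, override name and sample service and trigger names are constructed placeholders.

```python
import json
import re

# Values taken from post #4.
SERVICE_REGEX = r"^(Netlogon|DNS|NTDS)$"
TRIGGER_NAME_PART = "not running"
SEVERITY_HIGH = 4  # Zabbix trigger severity: 4 = High


def build_override_request(lld_rule_id):
    """JSON-RPC body for discoveryrule.update carrying one override."""
    override = {
        "name": "ADDS services: raise severity",  # constructed name
        "step": 1,
        "stop": 0,  # keep evaluating later overrides
        "filter": {
            "evaltype": 0,  # and/or
            "conditions": [{
                "macro": "{#SERVICE.NAME}",
                "operator": 8,  # matches regular expression
                "value": SERVICE_REGEX,
            }],
        },
        "operations": [{
            "operationobject": 1,  # trigger prototype
            "operator": 2,  # prototype name contains
            "value": TRIGGER_NAME_PART,
            "opseverity": {"severity": SEVERITY_HIGH},
        }],
    }
    return {
        "jsonrpc": "2.0",
        "method": "discoveryrule.update",
        "params": {"itemid": lld_rule_id, "overrides": [override]},
        "id": 1,
    }


def override_applies(service_name, trigger_prototype_name):
    """Evaluate both conditions locally to test names before deploying."""
    # The ^...$ anchors matter: without them "DNS" would also hit other names.
    name_ok = re.search(SERVICE_REGEX, service_name) is not None
    return name_ok and TRIGGER_NAME_PART in trigger_prototype_name


if __name__ == "__main__":
    print(json.dumps(build_override_request("<LLD_RULE_ID>"), indent=2))
    for svc in ("Netlogon", "DNS", "DNSProxy", "NTDS", "Spooler"):  # constructed
        print(svc, override_applies(svc, f'Service "{svc}" is not running'))
```

The request body is only built and printed here; sending it requires an authenticated API session and the real ID of the "Windows services discovery" rule.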
