Metrics Windows Defender

Description

Uses the macro {$AV_EVENTLOG} for the event log name. Windows Defender writes to "Microsoft-Windows-Windows Defender/Operational". Microsoft Antimalware writes to "System" and additionally needs {$AV_SOURCE} set to "Microsoft Antimalware"; the template's default for {$AV_SOURCE} is an empty string.

Overview

Collects selected antivirus events. With the default macro values it monitors Windows Defender; overriding the macros on the host makes the same items work for Microsoft Antimalware.

The macro {$AV_EVENTLOG} holds the event log name. Windows Defender uses "Microsoft-Windows-Windows Defender/Operational", a log that only Defender writes to, so no source filter is needed.

Microsoft Antimalware logs to "System", which is shared with many other providers, so {$AV_SOURCE} must also be set to "Microsoft Antimalware" to restrict the items to its events. The default value in the template is an empty string, i.e. no source filter.

Two operational points. All eventlog[] items are active checks, so the agent on the host needs ServerActive and Hostname configured, and the "skip" mode means only events written after the item is created are collected, not the existing backlog. And the items that matter from a security standpoint are the ones that fire when protection goes away: real-time protection disabled (5001), antispyware or antivirus scanning disabled (5010, 5012), RTP and engine failures (3002, 5008), signature update failures (2001) and detection history being cleared (1013), which is what disabling or tampering with the AV looks like in the log. The two service.info[] items cover the case where the service is stopped or removed outright, which the eventlog items cannot report once the service no longer runs.

Template exported from Zabbix 4.0.x but I think the concepts would work with older versions.

Revised: Correct value for {$AV_SOURCE}

Macros used

Name             Description   Default                                          Type
{$AV_EVENTLOG}   -             Microsoft-Windows-Windows Defender/Operational   Text macro
{$AV_SOURCE}     -             (empty string)                                   Text macro

There are no template links in this template.

Discovery rules

There are no discovery rules in this template.

Items collected

All items are of type "Zabbix agent (active)". Listed by event ID; the update interval is the item's check interval.

Name                                                Key                                                        Update
Windows defender scan started                       eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1000,,skip]         43s
Windows defender scan completed                     eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1001,,skip]         43s
Windows defender scan cancelled                     eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1002,,skip]         43s
Windows defender scan failed                        eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1005,,skip]         43s
Windows defender malware detected                   eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1006|1116,,skip]    37s
Windows defender malware action taken               eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1007|1117,,skip]    41s
Windows defender malware action failed              eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1008|1118,,skip]    30s
Windows defender malware action critically failed   eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1119,,skip]         30s
Windows defender history delete                     eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1013,,skip]         30s
Windows defender suspicious behavior detected       eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1015,,skip]         30s
Windows defender healthy                            eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1150,,skip]         47s
Windows defender signature update failed            eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},2001,,skip]         59s
Windows defender platform almost out of date        eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},2007,,skip]         59s
Windows defender RTP failure                        eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},3002,,skip]         53s
Windows defender RTP disabled                       eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5001,,skip]         53s
Windows defender engine failure                     eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5008,,skip]         53s
Windows defender antispyware disabled               eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5010,,skip]         53s
Windows defender antivirus disabled                 eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5012,,skip]         53s
Windows defender service state                      service.info[WinDefend]                                    120s
Windows antimalware service state                   service.info[MsMpSvc]                                      120s

The eventid parameter of eventlog[] is a regular expression, so the three items that watch two IDs use alternation (1006|1116 and so on). If a copy of the template shows those IDs separated by a space, the "|" was lost in rendering and the item will never match anything.

service.info[] returns the service state as a number: 0 running, 6 stopped, 255 no such service (the other values are the transitional states). Both service items are present regardless of which profile the macros select, so a plain Windows Defender host reports 255 for MsMpSvc and a Microsoft Antimalware host reports 255 for WinDefend; any trigger you write on these items should treat that as expected rather than as an outage.
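Before linking the template it is worth confirming, on the host itself, that the log name and source you intend to put into the macros exist and that the event IDs above are actually being written. The following PowerShell is an added example and not part of the template; the $Profiles and $Monitored tables restate the template's two macro profiles and item list, and Test-AvProfile is a name chosen here.

```powershell
# Added example, not part of the template. Checks on a Windows host that the
# values you intend to put into {$AV_EVENTLOG} / {$AV_SOURCE} exist, that the
# service polled by service.info[] is installed, and that the event IDs the
# template subscribes to have actually been written recently. Run it as an
# administrator; the Zabbix agent's account needs read access to the same log.
# $Profiles, $Monitored and Test-AvProfile are names chosen for this example.

$Profiles = @{
    Defender    = @{ Log = 'Microsoft-Windows-Windows Defender/Operational'; Source = $null;                   Service = 'WinDefend' }
    Antimalware = @{ Log = 'System';                                         Source = 'Microsoft Antimalware'; Service = 'MsMpSvc' }
}

# Event IDs per template item. Items with two IDs use regexp alternation
# (1006|1116) in the eventlog[] key; here they are plain arrays.
$Monitored = [ordered]@{
    'scan started'                     = 1000
    'scan completed'                   = 1001
    'scan cancelled'                   = 1002
    'scan failed'                      = 1005
    'malware detected'                 = 1006, 1116
    'malware action taken'             = 1007, 1117
    'malware action failed'            = 1008, 1118
    'malware action critically failed' = 1119
    'history delete'                   = 1013
    'suspicious behavior detected'     = 1015
    'healthy'                          = 1150
    'signature update failed'          = 2001
    'platform almost out of date'      = 2007
    'RTP failure'                      = 3002
    'RTP disabled'                     = 5001
    'engine failure'                   = 5008
    'antispyware disabled'             = 5010
    'antivirus disabled'               = 5012
}

function Test-AvProfile {
    param(
        [Parameter(Mandatory)][ValidateSet('Defender', 'Antimalware')][string]$Name,
        [int]$Days = 7
    )
    $p = $Profiles[$Name]

    # 1. Log name: Get-WinEvent -ListLog errors on unknown names, so a $null
    #    result means the {$AV_EVENTLOG} value would be wrong for this host.
    $log = Get-WinEvent -ListLog $p.Log -ErrorAction SilentlyContinue
    if (-not $log) { Write-Warning "$Name : log '$($p.Log)' not found on this host"; return }
    "{0}: log '{1}' present, {2} records" -f $Name, $p.Log, $log.RecordCount

    # 2. Service state as service.info[] would see it (missing service => 255).
    $svc = Get-Service -Name $p.Service -ErrorAction SilentlyContinue
    if ($svc) { "  service {0}: {1}" -f $p.Service, $svc.Status }
    else      { "  service {0}: not installed (service.info[] returns 255)" -f $p.Service }

    # 3. Recent events per item, restricted to the provider when the profile
    #    needs {$AV_SOURCE} (System is shared with many other providers).
    $ids = @(); foreach ($v in $Monitored.Values) { $ids += $v }
    $filter = @{ LogName = $p.Log; Id = $ids; StartTime = (Get-Date).AddDays(-$Days) }
    if ($p.Source) { $filter['ProviderName'] = $p.Source }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    foreach ($item in $Monitored.GetEnumerator()) {
        $n = @($events | Where-Object { $item.Value -contains $_.Id }).Count
        "  {0,-34} {1,-9} last {2}d: {3}" -f $item.Key, ($item.Value -join '|'), $Days, $n
    }
}

Test-AvProfile -Name Defender
Test-AvProfile -Name Antimalware
```

On a plain Windows Defender host the Antimalware profile is expected to report the System log as present but MsMpSvc as not installed and zero events, and the reverse holds on a Microsoft Antimalware host. A zero count for the "healthy" (1150) item on a Defender host over a week is itself worth a look, since that event is written periodically while the product is working.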

Triggers

There are no triggers in this template; it only collects. Alerting on a disabled or failing AV therefore requires triggers you add yourself, at minimum on the service.info items reporting a state other than running and on the eventlog items for 5001, 5010, 5012, 3002 and 5008 receiving a new record.
