Agent Client Collector provides the following default checks and policies for Windows health monitoring.

Windows event monitoring checks

Table 1. Windows OS Events policy
Check Description Usage and Example Output
os.windows.check-event-log Measures the Windows event log against parameter thresholds and returns a CRITICAL\WARNING\OK event.
Usage:
  • -w warning - Triggers a WARNING event if the event log count matching the pattern is above the WARNING parameter value specified in the check parameter.
  • -c critical - Triggers a CRITICAL event if the event log count matching the pattern is above the CRITICAL parameter value specified in the check parameter.
  • -e event level - Specifies the severity level of the event. Possible values: Information, Verbose, Critical, Warning, Error.
  • -i - Unique event ID
  • -d - The duration of time, in hours, in which you want to retrieve events from the Windows event log.

Usage example: winchecks check-windows-event-log -w 5 -c 10 -e "Information" -l "Application" -d 24

Check Event Log OK: The Event Log that matches the pattern is <matched count>
os.windows.check-event-log-count Measures the Windows event log against parameter thresholds and returns a CRITICAL\WARNING\OK event.

Provides the number of events that occurred within a specified duration for a single log file and a single event ID. Filters can also be applied to retrieve only events with a single Windows event level and provider name.

Retrieving events from multiple log files is not supported. The number of events is provided, without details of each and every event.

Usage:
  • -w warning - Triggers a WARNING event if the event log count matching the pattern is above the WARNING parameter value specified in the check parameter.
  • -c critical - Triggers a CRITICAL event if the event log count matching the pattern is above the CRITICAL parameter value specified in the check parameter.
  • -l log_file - The log file to be monitored. Name of the file is written in double quotation marks.
  • -r regex_pattern - The regex pattern which filters out the description in the event log. Written in double quotation marks.
  • -e event level - Specifies the severity level of the event. Possible values: Information, Verbose, Critical, Warning, Error.
  • -i id - Unique event ID
  • -d duration_hour - The duration of time, in hours, in which you want to retrieve events from the Windows event log. Decimal values are accepted; for example, 0.5 for 30 minutes.
  • -p provider_name - Source of the event, written in double quotation marks.

Usage example: winchecks check-windows-event-log -w 5 -c 10 -e "Information" -l "Application" -d 24

Check Event Log OK: The Event Log that matches the pattern is <matched count>
os.windows.check-event-log-details

Collects and filters Windows Event logs based on the duration_hour, event_log_level and log_file values.

Retrieves and filters Windows event logs according to the provided parameters. It returns details about the events with CRITICAL, WARNING, or OK status, based on the specified severity level.

Usage:
  • -d duration_hour - Duration (in hours) from the current time to filter events (Default: 24).
  • -e event_log_level - Filter the events based on the event level. Possible values are: Information, Verbose, Critical, Warning, Error. Multiple values are comma-separated (Default: Information). For example: Information, Warning
  • -i id - Filters events based on the specified event IDs. For multiple IDs, values are comma-separated and enclosed in double quotation marks. For example: "1257, 1001"
  • -l log_file - Specifies the log file name to filter events. The name of the file is written in double quotation marks. Supports creating custom files and multiple values are comma-separated. (Default: Application). For example: "Application, System"
  • -p provider_name - The name of the event provider, enclosed in double quotation marks.
  • -r regex_pattern - Filters events by matching the event message with the specified pattern. Value must be enclosed in double quotation marks.
  • -s servicenow_event_severity - Creates a servicenow event with the value given in this parameter. Possible values are: Critical, Warning and OK.

Usage example: winchecks check-windows-event-log-details -d 24 -l Application -e Warning -r "*" -s Warning

Check Event Log Details WARNING:

Type: Information, Category: Application, Machine: ws19-inc0061393.LOCAL.LAB, Event_ID: 1704, Message: Security policy in the Group policy objects has been applied successfully., TimeCreated: 10/14/2024 12:09:35 AM.

Type: Information, Category: Application, Machine: ws19-inc0061393.LOCAL.LAB, Event_ID: 16384, Message: Successfully scheduled Software Protection service for restart at 2124-09-20T06:25:44Z. Reason: Rules Engine, TimeCreated: 10/13/2024 11:25:44 PM.

Type: Information, Category: Application, Machine: ws19-inc0061393.LOCAL.LAB, Event_ID: 16394, Message: Offline downlevel migration succeeded., TimeCreated: 10/13/2024 11:24:19 PM.

Type: Information, Category: Application, Machine: ws19-inc0061393.LOCAL.LAB, Event_ID: 8224, Message: The VSS service is shutting down due to idle timeout., TimeCreated: 10/13/2024 11:51:36 AM.
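
The following Python is an added illustration, not Agent Client Collector code: it models how the count check and the details check above filter events by duration, log file, level, event ID, provider and message pattern, and how the -w/-c thresholds turn a count into OK/WARNING/CRITICAL. The sample events, provider names and the fixed "current time" are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

@dataclass
class Event:
    log_file: str          # -l, e.g. "Application"
    level: str             # -e, e.g. "Information"
    event_id: int          # -i
    provider: str          # -p
    message: str           # -r is searched in this text
    time_created: datetime

# Fixed "current time" so the example is deterministic (an assumption, not agent behaviour).
NOW = datetime(2024, 10, 14, 1, 0, 0)

# Constructed sample events modelled on the page's example output (providers and the System event are invented).
SAMPLE_EVENTS = [
    Event("Application", "Information", 1704, "SceCli",
          "Security policy in the Group policy objects has been applied successfully.",
          datetime(2024, 10, 14, 0, 9, 35)),
    Event("Application", "Information", 16384, "Software Protection Platform Service",
          "Successfully scheduled Software Protection service for restart.",
          datetime(2024, 10, 13, 23, 25, 44)),
    Event("Application", "Information", 8224, "VSS",
          "The VSS service is shutting down due to idle timeout.",
          datetime(2024, 10, 12, 9, 0, 0)),       # older than 24 h: dropped by -d 24
    Event("System", "Warning", 1014, "DNS Client Events",
          "Name resolution for the name example.test timed out.",
          datetime(2024, 10, 13, 22, 0, 0)),      # other log file and level
]

def parse_csv(value, conv=str):
    """Split an option value such as "1257, 1001" or "Application, System"."""
    return [conv(part.strip()) for part in value.split(",") if part.strip()]

def filter_events(events, now=NOW, duration_hours=24.0, log_files=("Application",),
                  levels=("Information",), event_ids=None, provider=None, regex=None):
    """Apply the -d/-l/-e/-i/-p/-r filters; the regex is searched in the message."""
    cutoff = now - timedelta(hours=duration_hours)
    pattern = re.compile(regex) if regex else None
    matched = []
    for ev in events:
        if ev.time_created < cutoff or ev.log_file not in log_files or ev.level not in levels:
            continue
        if event_ids is not None and ev.event_id not in event_ids:
            continue
        if provider is not None and ev.provider != provider:
            continue
        if pattern is not None and not pattern.search(ev.message):
            continue
        matched.append(ev)
    return matched

def evaluate_count(count, warning, critical):
    # -w/-c semantics from the table: CRITICAL above -c, WARNING above -w, else OK
    return "CRITICAL" if count > critical else "WARNING" if count > warning else "OK"

def check_event_log_count(events, warning, critical, **filters):
    """Model of check-event-log-count: a count and a status, no per-event details."""
    count = len(filter_events(events, **filters))
    status = evaluate_count(count, warning, critical)
    return status, count, f"Check Event Log {status}: The Event Log that matches the pattern is {count}"

def check_event_log_details(events, servicenow_severity="Warning", **filters):
    """Model of check-event-log-details: one line per matching event, status taken from -s."""
    lines = [f"Type: {e.level}, Category: {e.log_file}, Event_ID: {e.event_id}, Message: {e.message}, "
             f"TimeCreated: {e.time_created:%m/%d/%Y %I:%M:%S %p}." for e in filter_events(events, **filters)]
    return servicenow_severity.upper(), lines
```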

os.windows.check-disk-name Takes the storage drive name as input and verifies if the drive is present. Returns a CRITICAL\WARNING\OK value based on the parameter provided.

winchecks check-windows-disk-name <options>

-d : Disk name (Default = C)

Usage example: winchecks check-windows-disk-name -d C

Windows Checks OK: Disk storage C is present.
os.windows.check-processor-queue-length

Measures the processor queue length against thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

Usage:
  • -w warning - Triggers a WARNING event if the processor queue length count matching the pattern is above the WARNING parameter value specified in the check parameter.
  • -c critical - Triggers a CRITICAL event if the processor queue length count matching the pattern is above the CRITICAL parameter value specified in the check parameter.

Usage example: winchecks check-windows-processor-queue-length -w 5 -c 10

Processor Queue Length OK: The Processor Queue length is 0.00
os.windows.check-system-cpu-load

Checks CPU Load by using typeperf. Measures the CPU load against configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

Usage:
  • -w warning - Triggers a WARNING event if the CPU load count matching the pattern is above the WARNING parameter value specified in the check parameter.
  • -c critical - Triggers a CRITICAL event if the CPU load count matching the pattern is above the CRITICAL parameter value specified in the check parameter.

Usage example: winchecks check-windows-cpu-load -w 85 -c 95

CPU Load OK: The total CPU utilization is 26.92%
os.windows.check-system-disk

Measures the disk usage against thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

Usage:
  • -w warning - Triggers a WARNING event if the disk usage percentage is above the WARNING parameter value specified in the check parameter.
  • -c critical - Triggers a CRITICAL event if the disk usage percentage is above the CRITICAL parameter value specified in the check parameter.

Usage example: winchecks check-windows-disk -w 85 -c 95

Disk Usage Check OK: The disk usage is %
os.windows.check-system-memory-percent

Collects the RAM usage. Measures the memory usage against configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

Usage:
  • -w warning - Triggers a WARNING event if the memory use percentage matching the pattern is above the WARNING parameter value specified in the check parameter.
  • -c critical - Triggers a CRITICAL event if the memory use percentage matching the pattern is above the CRITICAL parameter value specified in the check parameter.

Usage example: winchecks check-windows-ram -w 85 -c 95

RAM Usage OK: The total memory utilization is 84%
os.windows.check-system-process

Queries running processes for those that match the given arguments (pattern, name, or both; at least one must be given). Measures the matching processes against the configured thresholds and filters, and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

Usage:
  • -n name - Process executable name to check the process execution.
  • -p pattern - Pattern (substring) to search for in the command line that invoked the process. Produces valid results only if the user running the agent owns the queried process or has view permissions for it.
  • -w warnover - Triggers a WARNING status if the query returns more processes than those specified by the argument.
  • -W warnunder - Triggers a WARNING status if the query returns fewer processes than those specified by the argument.
  • -c critover - Triggers a CRITICAL event if the query returns more processes than those specified by the argument.
  • -C critunder - Triggers a CRITICAL event if the query returns fewer processes than those specified by the argument.

Usage example: winchecks check-windows-processes -n explorer

Check Process OK:

OK Found 1 matching running processes named explorer

os.windows.check-directory Verifies whether a Windows directory exists.

Usage: -d --directory Path to the relevant directory; use '\' for separation.

Usage example: winchecks check-windows-directory -d dir_path

Check Directory OK: The directory 'C:/Users/Public' exists
os.windows.check-pagefile

Collects the Pagefile usage and compares it against the WARNING and CRITICAL thresholds.

Usage:
  • -w warning - Triggers a WARNING event if the Pagefile usage is above the WARNING parameter value specified in the check parameter.
  • -c critical - Triggers a CRITICAL event if the Pagefile usage is above the CRITICAL parameter value specified in the check parameter.

Usage example: winchecks check-windows-pagefile -w 75 -c 85

Check Windows Page File OK: Page file usage at 31.63%
os.windows.check-free-physical-memory

Measures the free physical memory against configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

Usage:
  • -w warning - Triggers a WARNING event if the free physical memory is under the WARNING parameter value specified in the check parameter.
  • -c critical - Triggers a CRITICAL event if the free physical memory is under the CRITICAL parameter value specified in the check parameter.

Usage example: winchecks check-windows-free-physical-memory -w 10 -c 5

Free Physical Memory OK: The Free Physical Memory is 20.25%
os.windows.check-free-virtual-memory

Measures the free virtual memory against configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

Usage:
  • -w warning - Triggers a WARNING event if the free virtual memory is above the WARNING parameter value specified in the check parameter.
  • -c critical - Triggers a CRITICAL event if the free virtual memory is above the CRITICAL parameter value specified in the check parameter.

Usage example: winchecks check-windows-free-virtual-memory -w 10 -c 5

Free Virtual Memory OK: The Free Virtual Memory is 25.66%
os.windows.check-process-cpu

Measures the CPU usage of a process against configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

Usage:
  • -p processname - Process name to collect CPU usage.
  • -w warning - Triggers a WARNING event if the CPU usage is above the WARNING parameter value specified in the check parameter.
  • -c critical - Triggers a CRITICAL event if the CPU usage is above the CRITICAL parameter value specified in the check parameter.

Usage example: winchecks check-windows-process-cpu -p acc -c 95 -w 85

Check Process CPU OK: Process CPU usage is 0.0000%
os.windows.check-process-memory

Measures the memory usage of a process against thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

Usage:
  • -p processname - Process name to collect memory usage.
  • -w warning - Triggers a WARNING event if the process memory usage is above the WARNING parameter value specified in the check parameter.
  • -c critical - Triggers a CRITICAL event if the process memory usage is above the CRITICAL parameter value specified in the check parameter.

Usage example: winchecks check-windows-process-memory -p acc -c 95 -w 85

Check Process Memory OK: Process Memory usage is 0.0149%

Windows metric monitoring checks

Table 2. Windows OS Metrics policy
Check Description Usage and Example Output
os.windows.check-processor-queue-length Measures the processor queue length.

Usage: -s scheme - Replaces output's hostname + process with the given value (example: hostname.process)

Usage example: command: winchecks metric-windows-processor-queue-length --scheme hostname.proc

win2019-dc-64bit.cpu.queuelength 0.00 1645371109
os.windows.check-system-cpu-load Collects average CPU load per second.

Usage: -s scheme - Replaces output's hostname + process with the given value (example: hostname.process)

Usage example: command: winchecks metric-windows-cpu-load --scheme hostname.proc

win2019-dc-64bit.cpu.loadavgsec 15.07 1645371561
os.windows.check-system-cpu Collects the CPU core metric.

Usage: -s, scheme - Replaces output's hostname+process with the given value (example: hostname.process)

Usage example: command: winchecks metric-windows-cpu --scheme hostname.proc

win2019-dc-64bit.cpu.cpu0.cores 2 1645371681
os.windows.check-system-disk-usage
Collects the following disk usage metrics:
  • total in GB
  • usage in GB
  • avail in GB
  • used percentage
Usage:
  • -i, ignore_mnt - Comma-separated list of mount points to ignore (:C)
  • -I, include_mnt - Comma-separated list of mount points to include.
  • --scheme, scheme - Replaces output's hostname+process with the given value (example: hostname.process).

Usage example: command: winchecks metric-windows-disk-usage --scheme hostname.proc

win2019-dc-64bit.disk_usage.disk_C.total(GB) 99.40 1645371774

win2019-dc-64bit.disk_usage.disk_C.used(GB) 50.72 1645371774

win2019-dc-64bit.disk_usage.disk_C.avail(GB) 48.68 1645371774

win2019-dc-64bit.disk_usage.disk_C.used_percentage 51.02 1645371774

os.windows.check-system-memory-percent

Collects RAM percentage usage, Free Physical Memory percentage and Free Virtual Memory percentage.

Usage: -s, scheme - Replaces output's hostname+process with the given value (example: hostname.process)

Usage example: command: winchecks metric-windows-disk-usage --scheme hostname.proc

win2019-dc-64bit.mem.free_physical_percentage 13.30 1645371856

win2019-dc-64bit.mem.free_virtual_percentage 13.93 1645371856

win2019-dc-64bit.ram.usage_percentage 86.07 1645371856

os.windows.check-system-network Collects the following active network adapter metrics:
  • Total bytes per sec
  • Packets/sec
  • Packets Received per sec
  • Packets Sent per sec
  • Current Bandwidth
  • Bytes Received per sec
  • Packets Received Unicast per sec
  • Packets Received Non-Unicast per sec
  • Packets Received Discarded
  • Packets Received Errors
  • Packets Received Unknown
  • Bytes sent per sec
  • Packets sent unicast per sec
  • Packets sent non-unicast per sec
  • Packets outbound discarded
  • Packets outbound errors
  • Output queue length
  • Offloaded connections
  • TCP Active RSC Connections
  • TCP RSC Coalesced Packets per sec
  • TCP RSC Exceptions per sec
  • TCP RSC Average Packet Size

Usage: -s scheme: Replaces output's hostname + process with the given value (example: hostname.process)

Usage example: command: winchecks metric-windows-network --scheme hostname.proc

Output format: win2019-dc-64bit.system.network.Network_Interface(<adapter name>).<metric name> <metric value> <timestamp>

For example: win2019-dc-64bit.system.network.Network_Interface(Intel[R]_82574L_Gigabit_Network_Connection).Bytes_Total/sec 98742.67 1645372042

os.windows.check-system-uptime Collects system uptime.

Usage: -s, scheme - Replaces output's hostname+process with the given value (example: hostname.process)

Usage example: command: winchecks metric-windows-uptime --scheme hostname.proc

win2019-dc-64bit.system.uptime(sec) 4614142.06 1645372124
os.windows.check-system-disk Collects the following disk metrics:
  • AvgDiskSecPerRead
  • AvgDiskSecPerWrite
  • DiskReadBytesPerSec
  • DiskWriteBytesPerSec

Usage:

  • -i, ignore_mnt - Comma-separated list of mount points to ignore (:C)
  • -I, include_mnt - Comma-separated list of mount points to include.
  • --scheme, scheme - Replaces output's hostname+process with the given value (example: hostname.process).

Usage example: command: winchecks metric-windows-disk

win2019-dc-64bit.disk._total.AvgDisksec/Read 0.000000 1645372198

win2019-dc-64bit.disk._total.AvgDisksec/Write 0.000608 1645372198

win2019-dc-64bit.disk._total.DiskReadBytes/sec 0.000000 1645372198

win2019-dc-64bit.disk._total.DiskWriteBytes/sec 34941.692255 1645372198

win2019-dc-64bit.disk.C.AvgDisksec/Read 0.000000 1645372200

win2019-dc-64bit.disk.C.AvgDisksec/Write 0.000000 1645372200

win2019-dc-64bit.disk.C.DiskReadBytes/sec 0.000000 1645372200

win2019-dc-64bit.disk.C.DiskWriteBytes/sec 0.000000 1645372200

os.windows.check-system-memory Collects the following memory metrics:
  • FreePhysicalMemory
  • TotalPhysicalMemory
  • FreeVirtualMemory
  • TotalVirtualMemorySize
  • AvailableMemory
  • TotalVisibleMemorySize

Usage: -s, scheme - Replaces output's hostname+process with the given value (example: hostname.process)

Usage example: command: winchecks metric-windows-memory --scheme hostname.proc

win2019-dc-64bit.mem.free_physical(KB) 1175440.00 1645372274

win2019-dc-64bit.mem.total_physical(KB) 8588898304.00 1645372274

win2019-dc-64bit.mem.free_virtual(KB) 1747636.00 1645372274

win2019-dc-64bit.mem.total_virtual(KB) 12263156.00 1645372274

win2019-dc-64bit.mem.available(KB) 1202032640.00 1645372274

win2019-dc-64bit.mem.total_visible(KB) 8387596.00 1645372274

os.windows.check-process-status Collects Windows process status with the CPU and memory used by the process.

Usage:

  • -n, process - Process name to collect status metric.
  • --scheme, scheme - Replaces output's hostname+process with the given value (example: hostname.process).

win2019-dc-64bit.Process.Status 67 1645372421

win2019-dc-64bit.Process.CpuPercent 0 1645372421

win2019-dc-64bit.Process.Memory(KB) 1226444 1645372421

Windows OS event checks - Extended

Runs Windows extended checks on operational Windows servers. To run this policy, activate one of the checks and provide a CI filter on the policy's Monitored CIs tab to run these checks on selected CIs.
Table 3. Windows OS Events - Extended policy
Check Description Usage Example Output
os.windows.check-env-variables Checks an environment variable against a regular expression and returns either a WARNING or OK value.

If a new system variable is created after agent installation, you must restart the agent. This check can access only those user variables that are associated with the current user (used during agent installation).

winchecks check-windows-env-variables (options)
  • -e, --env Environment variable to be matched.
  • -f, --regex Regular expression pattern to match against the environment variable.
Verify the value of a specific environment variable. For example, to check the value of the TEMP variable, replace env_variable_name with TEMP:

winchecks check-windows-env-variables -e TEMP -f ^[_C:/windows/TEMP_]*$

Utilize regular expressions (regex) to match variable values. In this example, the regex ^[_C:/windows/TEMP_]*$ checks whether the variable value contains C:\windows\TEMP. Adjust the regex pattern as needed for your specific matching criteria.

Environment variable PATH matches the regular expression, ^[_C:/windows/TEMP_]*$

os.windows.check-system-patch Verifies system patch installation. Returns either a WARNING or OK value.

winchecks check-windows-system-patch (options)

-p name of the system patch to be checked

winchecks check-windows-system-patch -p windows_11_patch_1

Use this parameter to verify if a specific patch (in this case, windows_11_patch_1) is installed. The program executes a command which retrieves installed patches and verifies if the specified patch is present. Adjust the "patch" value according to the patch you want to verify. Adapt this example to your specific use case, replacing placeholders with actual values.

Patch windows_11_patch_1 is installed
os.windows.check-modules This check verifies whether the listed modules are present.

winchecks check-windows-modules (options)

-m : comma separated list of module names

winchecks check-windows-modules -m ServerManager,SmbShare

Windows Checks OK: Module is installed: ServerManager

Module is installed: SmbShare

os.windows.check-user-account Takes a list of user names as input and verifies whether each user account is active. Returns a CRITICAL, WARNING, or OK value.

winchecks check-windows-user-disabled (options)

-u : Comma-separated list of user names

winchecks check-windows-user-disabled -u Administrator,Guest

User Name and Status

os.windows.check-file-update Takes the file's path and interval as an input and verifies whether file content has been modified. Returns a CRITICAL, WARNING, or OK value.

Read permissions are required on the monitored file.

winchecks check-windows-file-update (options)
  • -f : Path of the monitored file.
  • -i : Time period in seconds (default: 120).

winchecks check-windows-file-update -f C:\user\fileName -i 120

CheckWindowsFileUpdate OK: File has not been updated in last <time_period> seconds
os.windows.check-file-hashcode-update Takes the file's path and MD5 hashcode as an input and verifies whether file content has been modified. Returns a CRITICAL, WARNING, or OK value.

Read permissions are required on the monitored file.

winchecks check-windows-file-hashcode-update (options)
  • -f : Path of the monitored file.
  • -c : MD5 hash of the file to compare against.

winchecks check-windows-file-hashcode-update -c d41d8cd98f00b204e9800998ecf8427e -f C:\temp\fileName

CheckKernelParameter OK: Kernel parameter : {parameter_name} value is as expected.
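
The following Python is an added illustration, not Agent Client Collector code: it models the two file checks above, comparing a file's MD5 against the -c value and testing whether the file was modified within the -i interval. The status strings other than the page's OK line, the WARNING-on-unreadable behaviour and the CRITICAL-on-change behaviour are assumptions; the temporary file and its content are constructed.

```python
import hashlib
import os
import tempfile
import time

def file_md5(path, chunk_size=1 << 16):
    """MD5 of a file, read in chunks so large files are not loaded into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def check_file_hashcode_update(path, expected_md5):
    """Model of check-file-hashcode-update (-f path, -c expected MD5); statuses are assumed."""
    try:
        actual = file_md5(path)
    except OSError as exc:            # the check needs read permission on the file
        return "WARNING", f"CheckWindowsFileHashcodeUpdate WARNING: cannot read {path}: {exc}"
    if actual == expected_md5.lower():
        return "OK", f"CheckWindowsFileHashcodeUpdate OK: File hash matches {expected_md5}"
    # MD5 shows that the content changed; it is not a defence against an actor who can also edit the stored hash.
    return "CRITICAL", f"CheckWindowsFileHashcodeUpdate CRITICAL: File hash is {actual}, expected {expected_md5}"

def check_file_update(path, interval_seconds=120, now=None):
    """Model of check-file-update (-f path, -i interval): CRITICAL if modified within the interval (assumed)."""
    now = time.time() if now is None else now
    try:
        modified_at = os.path.getmtime(path)
    except OSError as exc:
        return "WARNING", f"CheckWindowsFileUpdate WARNING: cannot read {path}: {exc}"
    age = now - modified_at
    if age <= interval_seconds:
        return "CRITICAL", f"CheckWindowsFileUpdate CRITICAL: File was updated {age:.0f} seconds ago"
    return "OK", f"CheckWindowsFileUpdate OK: File has not been updated in last {interval_seconds} seconds"

def demo():
    """Run both checks against a constructed temporary file; returns the four statuses."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "fileName")
        open(path, "wb").close()                      # zero-length file
        # d41d8cd98f00b204e9800998ecf8427e (the page's example value) is the MD5 of empty input
        empty_ok = check_file_hashcode_update(path, "d41d8cd98f00b204e9800998ecf8427e")[0]
        with open(path, "wb") as handle:
            handle.write(b"constructed content\n")
        changed = check_file_hashcode_update(path, "d41d8cd98f00b204e9800998ecf8427e")[0]
        mtime = os.path.getmtime(path)
        recent = check_file_update(path, 120, now=mtime + 10)[0]     # modified 10 s ago
        stale = check_file_update(path, 120, now=mtime + 3600)[0]    # modified an hour ago
    return empty_ok, changed, recent, stale

if __name__ == "__main__":
    print(demo())
```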