Windows default checks and policies

  • Release version: Xanadu
  • Updated August 1, 2024

    Agent Client Collector provides the following default checks and policies for Windows health monitoring.

    Windows event monitoring checks

    Table 1. Windows OS Events policy
    Check Description Usage and Example Output
os.windows.check-event-log-count Measures the number of matching Windows event log entries against the parameter thresholds and returns a CRITICAL\WARNING\OK event.

Reports how many events occurred within a specified duration for a single log file and, optionally, a single event ID. Further filters restrict the result to a single Windows event level and a single provider name.

Retrieving events from multiple log files is not supported. Only the number of events is returned, not the details of each event.

    Usage:
    • -w warning - Triggers a WARNING event if the event log count matching the pattern is above the WARNING parameter value specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the event log count matching the pattern is above the CRITICAL parameter value specified in the check parameter.
    • -l log_file - The log file to be monitored. Name of the file is written in double quotation marks.
    • -r regex_pattern - The regex pattern which filters out the description in the event log. Written in double quotation marks.
    • -e event level - Specifies the severity level of the event. Possible values: Information, Verbose, Critical, Warning, Error.
    • -i id - Unique event ID
    • -d duration_hour - The duration of time, in hours, in which you want to retrieve events from the Windows event log. Decimal values are allowed; for example, 0.5 for 30 minutes.
    • -p provider_name - Source of the event, written in double quotation marks.

    Usage example: winchecks check-windows-event-log -w 5 -c 10 -e "Information" -l "Application" -d 24

    Check Event Log OK: The Event Log that matches the pattern is <matched count>
    os.windows.check-event-log-details

    Collects and filters Windows event logs based on the duration_hour, event_log_level and log_file values, optionally narrowed further by event ID, provider name and a message regex.

    Returns the details of each matching event, and raises a CRITICAL, WARNING, or OK ServiceNow event according to the severity given in the servicenow_event_severity parameter.

    Usage:
    • -d duration_hour - Duration (in hours) from the current time to filter events (Default: 24).
    • -e event_log_level - Filter the events based on the event level. Possible values are: Information, Verbose, Critical, Warning, Error. Multiple values are comma-separated (Default: Information). For example: Information, Warning
    • -i id - Filters events based on the specified event IDs. For multiple IDs, values are comma-separated and enclosed in double quotation marks. For example: "1257, 1001"
    • -l log_file - Specifies the log file name to filter events. The name of the file is written in double quotation marks. Supports creating custom files and multiple values are comma-separated. (Default: Application). For example: "Application, System"
    • -p provider_name - The name of the event provider, enclosed in double quotation marks.
    • -r regex_pattern - Filters events by matching the event message with the specified pattern. Value must be enclosed in double quotation marks.
    • -s servicenow_event_severity - Creates a servicenow event with the value given in this parameter. Possible values are: Critical, Warning and OK.

    Usage example: winchecks check-windows-event-log-details -d 24 -l Application -e Warning -r "*" -s Warning

    Check Event Log Details WARNING:

    Type: Information, Category: Application, Machine: ws19-inc0061393.LOCAL.LAB, Event_ID: 1704, Message: Security policy in the Group policy objects has been applied successfully., TimeCreated: 10/14/2024 12:09:35 AM.

    Type: Information, Category: Application, Machine: ws19-inc0061393.LOCAL.LAB, Event_ID: 16384, Message: Successfully scheduled Software Protection service for restart at 2124-09-20T06:25:44Z. Reason: Rules Engine, TimeCreated: 10/13/2024 11:25:44 PM.

    Type: Information, Category: Application, Machine: ws19-inc0061393.LOCAL.LAB, Event_ID: 16394, Message: Offline downlevel migration succeeded., TimeCreated: 10/13/2024 11:24:19 PM.

    Type: Information, Category: Application, Machine: ws19-inc0061393.LOCAL.LAB, Event_ID: 8224, Message: The VSS service is shutting down due to idle timeout., TimeCreated: 10/13/2024 11:51:36 AM.
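    The following PowerShell is an added example, not code from the Agent Client Collector or the winchecks tool. It reproduces the filter that check-windows-event-log and check-windows-event-log-details apply (log file, level, ID, provider, duration and message regex) with Get-WinEvent, so a threshold can be tried interactively before the check is rolled out. The function name, its parameter names and the two invocations at the end are assumptions; the Security log / event ID 4625 call illustrates a security use the page does not itself describe.

```powershell
# Added example (not part of winchecks): mirror the event-log check's filter
# with Get-WinEvent so -w/-c thresholds can be validated on a live host.
function Test-EventLogCount {
    param(
        [Parameter(Mandatory)] [string] $LogFile,            # -l
        [double] $DurationHours = 24,                         # -d
        [ValidateSet('Critical','Error','Warning','Information','Verbose')]
        [string] $EventLevel,                                 # -e
        [int[]]  $Id,                                         # -i
        [string] $ProviderName,                               # -p
        [string] $RegexPattern,                               # -r
        [int]    $Warning  = 5,                               # -w
        [int]    $Critical = 10                               # -c
    )

    # Get-WinEvent's FilterHashtable takes the numeric level, not the display name.
    $levelMap = @{ Critical = 1; Error = 2; Warning = 3; Information = 4; Verbose = 5 }

    $filter = @{
        LogName   = $LogFile
        StartTime = (Get-Date).AddHours(-$DurationHours)
    }
    if ($EventLevel)   { $filter.Level        = $levelMap[$EventLevel] }
    if ($Id)           { $filter.Id           = $Id }
    if ($ProviderName) { $filter.ProviderName = $ProviderName }

    # Get-WinEvent throws when nothing matches; treat that as a count of zero.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # The message regex cannot be pushed into the hashtable; it runs after
    # retrieval, so narrow busy logs with Id/ProviderName first.
    if ($RegexPattern) {
        $events = @($events | Where-Object { $_.Message -match $RegexPattern })
    }

    $count  = $events.Count
    $status = if ($count -gt $Critical) { 'CRITICAL' }
              elseif ($count -gt $Warning) { 'WARNING' }
              else { 'OK' }

    [pscustomobject]@{ Status = $status; Count = $count; Events = $events }
}

# Same parameters as the page's example:
#   winchecks check-windows-event-log -w 5 -c 10 -e "Information" -l "Application" -d 24
$r = Test-EventLogCount -LogFile Application -EventLevel Information -DurationHours 24 -Warning 5 -Critical 10
"Check Event Log $($r.Status): The Event Log that matches the pattern is $($r.Count)"

# Detail lines in the layout check-windows-event-log-details prints.
$r.Events | Select-Object -First 3 | ForEach-Object {
    'Type: {0}, Category: {1}, Machine: {2}, Event_ID: {3}, Message: {4}, TimeCreated: {5}' -f `
        $_.LevelDisplayName, $_.LogName, $_.MachineName, $_.Id, ($_.Message -split "`n")[0], $_.TimeCreated
}

# Assumed security use: alert on a burst of failed logons (Security log, ID 4625).
# Reading the Security log requires the agent account to be an administrator or
# a member of the Event Log Readers group; otherwise the count is silently zero.
$f = Test-EventLogCount -LogFile Security -Id 4625 -DurationHours 1 -Warning 20 -Critical 100
"Check Event Log $($f.Status): failed logons in the last hour: $($f.Count)"
```

    Because a filter that the agent account is not allowed to evaluate returns zero events rather than an error, pair any security-log check with a separate check that confirms the agent can read the log at all (for example, an expected steady event such as a periodic audit-policy refresh) so that "OK" cannot be produced by missing permissions alone.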

    os.windows.check-processor-queue-length

    Measures the processor queue length against thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -w warning - Triggers a WARNING event if the processor queue length is above the WARNING parameter value specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the processor queue length is above the CRITICAL parameter value specified in the check parameter.

    Usage example: winchecks check-windows-processor-queue-length -w 5 -c 10

    Processor Queue Length OK: The Processor Queue length is 0.00
    os.windows.check-system-cpu-load

    Checks CPU Load by using typeperf. Measures the CPU load against configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -w warning - Triggers a WARNING event if the CPU load percentage is above the WARNING parameter value specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the CPU load percentage is above the CRITICAL parameter value specified in the check parameter.

    Usage example: winchecks check-windows-cpu-load -w 85 -c 95

    CPU Load OK: The total CPU utilization is 26.92%
    os.windows.check-system-disk

    Measures the disk usage percentage against thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -w warning - Triggers a WARNING event if the disk usage percentage is above the WARNING parameter value specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the disk usage percentage is above the CRITICAL parameter value specified in the check parameter.

    Usage example: winchecks check-windows-disk -w 85 -c 95

    Disk Usage Check OK: The disk usage is %
    os.windows.check-system-memory-percent

    Collects the RAM usage. Measures the memory usage against configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -w warning - Triggers a WARNING event if the memory usage percentage is above the WARNING parameter value specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the memory usage percentage is above the CRITICAL parameter value specified in the check parameter.

    Usage example: winchecks check-windows-ram -w 85 -c 95

    RAM Usage OK: The total memory utilization is 84%
    os.windows.check-system-process

    Queries running processes for those that match the given arguments (a name, a pattern, or both; at least one must be given). Compares the number of matching processes against the configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -n name - Process executable name to check the process execution.
    • -p pattern - Pattern (substring) to search for in the command line that invoked the process. Produces valid results only if the user running the Agent owns the queried process or has permission to query it; processes the Agent account cannot open are not matched.
    • -w warnover - Triggers a WARNING status if the query returns more processes than those specified by the argument.
    • -W warnunder - Triggers a WARNING status if the query returns fewer processes than those specified by the argument.
    • -c critover - Triggers a CRITICAL event if the query returns more processes than those specified by the argument.
    • -C critunder - Triggers a CRITICAL event if the query returns fewer processes than those specified by the argument.

    Usage example: winchecks check-windows-processes -n explorer

    Check Process OK:

    OK Found 1 matching running processes named explorer
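    The following PowerShell is an added example, not winchecks code. It mirrors check-windows-processes so the four thresholds (-w/-W/-c/-C) and the name/pattern matching can be sanity-checked on a live host, and it makes the permission caveat above concrete: Win32_Process returns a null CommandLine for processes the caller cannot open, so a -p pattern silently fails to match them. The function name and the three invocations at the end (explorer from the page's example, MsMpEng as a must-be-running process, -EncodedCommand as a should-not-be-running pattern) are assumptions.

```powershell
# Added example (not part of winchecks): reproduce the process check's
# over/under threshold logic against Win32_Process.
function Test-ProcessCount {
    param(
        [string] $Name,                                 # -n : executable name, with or without .exe
        [string] $Pattern,                              # -p : substring of the command line
        [int] $WarnOver = -1, [int] $WarnUnder = -1,    # -w / -W (-1 = not set)
        [int] $CritOver = -1, [int] $CritUnder = -1     # -c / -C (-1 = not set)
    )
    if (-not $Name -and -not $Pattern) { throw 'Give -Name, -Pattern or both.' }

    # Win32_Process exposes CommandLine; Get-Process does not. CommandLine is
    # $null for processes the caller cannot open (other users' sessions,
    # elevated or protected processes), which is exactly the case the page
    # warns about: those processes never match a -Pattern.
    $procs = @(Get-CimInstance Win32_Process)
    if ($Name) {
        $exe = if ($Name -like '*.exe') { $Name } else { "$Name.exe" }
        $procs = @($procs | Where-Object { $_.Name -ieq $exe })
    }
    if ($Pattern) {
        $procs = @($procs | Where-Object {
            $_.CommandLine -and $_.CommandLine.IndexOf($Pattern, [StringComparison]::OrdinalIgnoreCase) -ge 0
        })
    }
    $count = $procs.Count

    # "Over" thresholds fire when strictly more processes are found than the
    # argument; "under" thresholds fire when strictly fewer are found.
    $status = 'OK'
    if (($CritOver -ge 0 -and $count -gt $CritOver) -or ($CritUnder -ge 0 -and $count -lt $CritUnder)) {
        $status = 'CRITICAL'
    } elseif (($WarnOver -ge 0 -and $count -gt $WarnOver) -or ($WarnUnder -ge 0 -and $count -lt $WarnUnder)) {
        $status = 'WARNING'
    }

    $suffix = if ($Name) { " named $Name" } elseif ($Pattern) { " matching '$Pattern'" } else { '' }
    "$status Found $count matching running processes$suffix"
}

# Page's example: winchecks check-windows-processes -n explorer
Test-ProcessCount -Name explorer

# Assumed security uses: the Defender engine must always be running, and any
# process launched with an encoded PowerShell command line deserves a look.
Test-ProcessCount -Name MsMpEng -CritUnder 1
Test-ProcessCount -Pattern '-EncodedCommand' -WarnOver 0
```

    Run the pattern form once as the actual agent account, not as an administrator, to confirm it sees the processes you intend to monitor; a check that only matches the agent's own processes will report "OK Found 0" for everything else and never fire.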

    os.windows.check-directory Verifies whether a Windows directory exists.

    Usage: -d, --directory - Path to the relevant directory; use '\' as the separator.

    Usage example: winchecks check-windows-directory -d dir_path

    Check Directory OK: The directory 'C:/Users/Public' exists
    os.windows.check-pagefile

    Collects the Pagefile usage and compares it against the WARNING and CRITICAL thresholds.

    Usage:
    • -w warning - Triggers a WARNING event if the Pagefile usage is above the WARNING parameter value specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the Pagefile usage is above the CRITICAL parameter value specified in the check parameter.

    Usage example: winchecks check-windows-pagefile -w 75 -c 85

    Check Windows Page File OK: Page file usage at 31.63%
    os.windows.check-free-physical-memory

    Measures the free physical memory against configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -w warning - Triggers a WARNING event if the free physical memory is under the WARNING parameter value specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the free physical memory is under the CRITICAL parameter value specified in the check parameter.

    Usage example: winchecks check-windows-free-physical-memory -w 10 -c 5

    Free Physical Memory OK: The Free Physical Memory is 20.25%
    os.windows.check-free-virtual-memory

    Measures the free virtual memory against configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -w warning - Triggers a WARNING event if the free virtual memory is under the WARNING parameter value specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the free virtual memory is under the CRITICAL parameter value specified in the check parameter.

    Usage example: winchecks check-windows-free-virtual-memory -w 10 -c 5

    Free Virtual Memory OK: The Free Virtual Memory is 25.66%
    os.windows.check-process-cpu

    Measures the CPU usage of the named process against configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -p processname - Process name to collect CPU usage.
    • -w warning - Triggers a WARNING event if the CPU usage is above the WARNING parameter value specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the CPU usage is above the CRITICAL parameter value specified in the check parameter.

    Usage example: winchecks check-windows-process-cpu -p acc -c 95 -w 85

    Check Process CPU OK: Process CPU usage is 0.0000%
    os.windows.check-process-memory

    Measures the memory usage of the named process against thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -p processname - Process name to collect memory usage.
    • -w warning - Triggers a WARNING event if the process memory usage is above the WARNING parameter value specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the process memory usage is above the CRITICAL parameter value specified in the check parameter.

    Usage example: winchecks check-windows-process-memory -p acc -c 95 -w 85

    Check Process Memory OK: Process Memory usage is 0.0149%
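    The following PowerShell is an added example, not winchecks code. It covers the resource checks in this table (check-windows-disk, check-windows-ram, check-windows-pagefile, check-windows-free-physical-memory and check-windows-free-virtual-memory) and shows the one point that is easy to get backwards when tuning them: usage-style checks alarm when the value is above -w/-c, while the free-memory checks alarm when it is under -w/-c, which is why their example thresholds are -w 10 -c 5 rather than -w 85 -c 95. The function names, the pagefile thresholds 75/85 and the WMI classes used to obtain the values are my choices, not the page's.

```powershell
# Added example (not part of winchecks): evaluate the two threshold directions
# the resource checks use, against values read from WMI.
function Get-ThresholdStatus {
    param([double] $Value, [double] $Warning, [double] $Critical, [switch] $Under)
    if ($Under) {
        # Free-memory style: less is worse.
        if ($Value -lt $Critical) { 'CRITICAL' } elseif ($Value -lt $Warning) { 'WARNING' } else { 'OK' }
    } else {
        # Usage style: more is worse.
        if ($Value -gt $Critical) { 'CRITICAL' } elseif ($Value -gt $Warning) { 'WARNING' } else { 'OK' }
    }
}

function Test-WindowsResources {
    param(
        [int] $DiskWarn = 85, [int] $DiskCrit = 95,   # check-windows-disk -w 85 -c 95
        [int] $RamWarn  = 85, [int] $RamCrit  = 95,   # check-windows-ram  -w 85 -c 95
        [int] $PageWarn = 75, [int] $PageCrit = 85,   # check-windows-pagefile -w 75 -c 85
        [int] $FreeWarn = 10, [int] $FreeCrit = 5     # free-*-memory checks -w 10 -c 5
    )

    # Win32_OperatingSystem reports these memory figures in KB.
    $os = Get-CimInstance Win32_OperatingSystem
    $ramUsedPct  = [math]::Round(100 * (1 - $os.FreePhysicalMemory / $os.TotalVisibleMemorySize), 2)
    $freePhysPct = [math]::Round(100 * $os.FreePhysicalMemory / $os.TotalVisibleMemorySize, 2)
    $freeVirtPct = [math]::Round(100 * $os.FreeVirtualMemory  / $os.TotalVirtualMemorySize, 2)

    'RAM Usage {0}: The total memory utilization is {1}%' -f (Get-ThresholdStatus $ramUsedPct $RamWarn $RamCrit), $ramUsedPct
    'Free Physical Memory {0}: The Free Physical Memory is {1}%' -f (Get-ThresholdStatus $freePhysPct $FreeWarn $FreeCrit -Under), $freePhysPct
    'Free Virtual Memory {0}: The Free Virtual Memory is {1}%' -f (Get-ThresholdStatus $freeVirtPct $FreeWarn $FreeCrit -Under), $freeVirtPct

    # Win32_PageFileUsage reports CurrentUsage and AllocatedBaseSize in MB.
    foreach ($pf in Get-CimInstance Win32_PageFileUsage) {
        if (-not $pf.AllocatedBaseSize) { continue }
        $pfPct = [math]::Round(100 * $pf.CurrentUsage / $pf.AllocatedBaseSize, 2)
        'Check Windows Page File {0}: Page file usage at {1}% ({2})' -f (Get-ThresholdStatus $pfPct $PageWarn $PageCrit), $pfPct, $pf.Name
    }

    # DriveType 3 = local fixed disks; skips optical drives and mapped shares.
    foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3') {
        if (-not $d.Size) { continue }
        $usedPct = [math]::Round(100 * ($d.Size - $d.FreeSpace) / $d.Size, 2)
        'Disk Usage Check {0}: The disk usage of {1} is {2}%' -f (Get-ThresholdStatus $usedPct $DiskWarn $DiskCrit), $d.DeviceID, $usedPct
    }
}

Test-WindowsResources
```

    When a free-memory threshold is configured with the usage-style values (-w 85 -c 95), the check can never leave OK on a healthy host and will never fire on an exhausted one; check the direction of each threshold after copying a policy between checks.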

    Windows metric monitoring checks

    Table 2. Windows OS Metrics policy
    Check Description Usage and Example Output
    os.windows.check-processor-queue-length Measures the processor queue length.

    Usage: -s scheme - Replaces output's hostname + process with the given value (example: hostname.process)

    Usage example: command: winchecks metric-windows-processor-queue-length --scheme hostname.proc

    win2019-dc-64bit.cpu.queuelength 0.00 1645371109
    os.windows.check-system-cpu-load Collects average CPU load per second.

    Usage: -s scheme - Replaces output's hostname + process with the given value (example: hostname.process)

    Usage example: command: winchecks metric-windows-cpu-load --scheme hostname.proc

    win2019-dc-64bit.cpu.loadavgsec 15.07 1645371561
    os.windows.check-system-cpu Collects the CPU core metric.

    Usage: -s, --scheme scheme - Replaces output's hostname+process with the given value (example: hostname.process)

    Usage example: command: winchecks metric-windows-cpu --scheme hostname.proc

    win2019-dc-64bit.cpu.cpu0.cores 2 1645371681
    os.windows.check-system-disk-usage
    Collects the following disk usage metrics:
    • total in GB
    • usage in GB
    • avail in GB
    • used percentage
    Usage:
    • -i ignore_mnt - Comma-separated list of mount points to ignore (for example, C:).
    • -I include_mnt - Comma-separated list of mount points to include.
    • --scheme scheme - Replaces output's hostname+process with the given value (example: hostname.process).

    Usage example: command: winchecks metric-windows-disk-usage --scheme hostname.proc

    win2019-dc-64bit.disk_usage.disk_C.total(GB) 99.40 1645371774

    win2019-dc-64bit.disk_usage.disk_C.used(GB) 50.72 1645371774

    win2019-dc-64bit.disk_usage.disk_C.avail(GB) 48.68 1645371774

    win2019-dc-64bit.disk_usage.disk_C.used_percentage 51.02 1645371774

    os.windows.check-system-memory-percent

    Collects RAM percentage usage, Free Physical Memory percentage and Free Virtual Memory percentage.

    Usage: -s, --scheme scheme - Replaces output's hostname+process with the given value (example: hostname.process)

    Usage example: command: winchecks metric-windows-disk-usage --scheme hostname.proc

    win2019-dc-64bit.mem.free_physical_percentage 13.30 1645371856

    win2019-dc-64bit.mem.free_virtual_percentage 13.93 1645371856

    win2019-dc-64bit.ram.usage_percentage 86.07 1645371856

    os.windows.check-system-network Collects the following active network adapter metrics:
    • Total bytes per sec
    • Packets/sec
    • Packets Received per sec
    • Packets Sent per sec
    • Current Bandwidth
    • Bytes Received per sec
    • Packets Received Unicast per sec
    • Packets Received Non-Unicast per sec
    • Packets Received Discarded
    • Packets Received Errors
    • Packets Received Unknown
    • Bytes sent per sec
    • Packets sent unicast per sec
    • Packets sent non-unicast per sec
    • Packets outbound discarded
    • Packets outbound errors
    • Output queue length
    • Offloaded connections
    • TCP Active RSC Connections
    • TCP RSC Coalesced Packets per sec
    • TCP RSC Exceptions per sec
    • TCP RSC Average Packet Size

    Usage: -s scheme: Replaces output's hostname + process with the given value (example: hostname.process)

    Usage example: command: winchecks metric-windows-network --scheme hostname.proc

    Output format: <scheme>.system.network.Network_Interface(<adapter name>).<metric name> <metric value> <timestamp>

    For example: win2019-dc-64bit.system.network.Network_Interface(Intel[R]_82574L_Gigabit_Network_Connection).Bytes_Total/sec 98742.67 1645372042

    os.windows.check-system-uptime Collects system uptime.

    Usage: -s, --scheme scheme - Replaces output's hostname+process with the given value (example: hostname.process)

    Usage example: command: winchecks metric-windows-uptime --scheme hostname.proc

    win2019-dc-64bit.system.uptime(sec) 4614142.06 1645372124
    os.windows.check-system-disk Collects the following disk metrics:
    • AvgDiskSecPerRead
    • AvgDiskSecPerWrite
    • DiskReadBytesPerSec
    • DiskWriteBytesPerSec

    Usage:

    • -i ignore_mnt - Comma-separated list of mount points to ignore (for example, C:).
    • -I include_mnt - Comma-separated list of mount points to include.
    • --scheme scheme - Replaces output's hostname+process with the given value (example: hostname.process).

    Usage example: command: winchecks metric-windows-disk

    win2019-dc-64bit.disk._total.AvgDisksec/Read 0.000000 1645372198

    win2019-dc-64bit.disk._total.AvgDisksec/Write 0.000608 1645372198

    win2019-dc-64bit.disk._total.DiskReadBytes/sec 0.000000 1645372198

    win2019-dc-64bit.disk._total.DiskWriteBytes/sec 34941.692255 1645372198

    win2019-dc-64bit.disk.C.AvgDisksec/Read 0.000000 1645372200

    win2019-dc-64bit.disk.C.AvgDisksec/Write 0.000000 1645372200

    win2019-dc-64bit.disk.C.DiskReadBytes/sec 0.000000 1645372200

    win2019-dc-64bit.disk.C.DiskWriteBytes/sec 0.000000 1645372200

    os.windows.check-system-memory Collects the following memory metrics:
    • FreePhysicalMemory
    • TotalPhysicalMemory
    • FreeVirtualMemory
    • TotalVirtualMemorySize
    • AvailableMemory
    • TotalVisibleMemorySize

    Usage: -s, --scheme scheme - Replaces output's hostname+process with the given value (example: hostname.process)

    Usage example: command: winchecks metric-windows-memory --scheme hostname.proc

    win2019-dc-64bit.mem.free_physical(KB) 1175440.00 1645372274

    win2019-dc-64bit.mem.total_physical(KB) 8588898304.00 1645372274

    win2019-dc-64bit.mem.free_virtual(KB) 1747636.00 1645372274

    win2019-dc-64bit.mem.total_virtual(KB) 12263156.00 1645372274

    win2019-dc-64bit.mem.available(KB) 1202032640.00 1645372274

    win2019-dc-64bit.mem.total_visible(KB) 8387596.00 1645372274

    os.windows.check-process-status Collects windows process status with CPU and memory data used by the process.

    Usage:

    • -n process - Process name to collect the status metric for.
    • --scheme scheme - Replaces output's hostname+process with the given value (example: hostname.process).

    win2019-dc-64bit.Process.Status 67 1645372421

    win2019-dc-64bit.Process.CpuPercent 0 1645372421

    win2019-dc-64bit.Process.Memory(KB) 1226444 1645372421
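    The following PowerShell is an added example, not winchecks code. It reads the performance counters behind the processor queue length, CPU load, network and uptime metrics in this table with Get-Counter and prints them in the same "<scheme>.<metric> <value> <epoch-seconds>" layout the metric commands emit, which is useful for confirming what a dashboard should expect before the Agent is wired in. The function name, the mapping from counter paths to the page's metric names and the adapter-name rewriting are my assumptions; the counter paths are the standard English ones and are localized on non-English Windows.

```powershell
# Added example (not part of winchecks): emit Windows performance counters in
# the plaintext "scheme.metric value timestamp" layout of the metric commands.
function Get-WindowsMetricLines {
    param([string] $Scheme = $env:COMPUTERNAME.ToLower())   # the --scheme value

    $now   = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $lines = New-Object System.Collections.Generic.List[string]

    # One Get-Counter call with a 1 s sample interval, so "% Processor Time"
    # is a real average rather than an instantaneous reading.
    $paths = @(
        '\System\Processor Queue Length',
        '\Processor(_Total)\% Processor Time',
        '\Network Interface(*)\Bytes Total/sec',
        '\System\System Up Time'
    )
    $samples = (Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples 1).CounterSamples

    foreach ($s in $samples) {
        $name = $null
        # Map the counter path onto the metric names shown in the page's output.
        # CounterSample.Path is lower-cased; switch -Wildcard compares case-insensitively.
        switch -Wildcard ($s.Path) {
            '*\System\Processor Queue Length'        { $name = 'cpu.queuelength' }
            '*\Processor(_Total)\% Processor Time'   { $name = 'cpu.loadavgsec' }
            '*\System\System Up Time'                { $name = 'system.uptime(sec)' }
            '*\Network Interface(*)\Bytes Total/sec' {
                # Adapter names contain spaces and parentheses; rewrite them the
                # way the page's output does: Intel[R]_82574L_Gigabit_Network_Connection
                $iface = ($s.InstanceName -replace '\s', '_') -replace '\(', '[' -replace '\)', ']'
                $name  = "system.network.Network_Interface($iface).Bytes_Total/sec"
            }
        }
        if ($name) {
            $lines.Add(('{0}.{1} {2:F2} {3}' -f $Scheme, $name, $s.CookedValue, $now))
        }
    }
    $lines
}

# Same scheme as the page's sample output.
Get-WindowsMetricLines -Scheme 'win2019-dc-64bit'
```

    Reading performance counters does not require administrator rights: membership of the local Performance Monitor Users group is enough, which is the least-privilege setting to give the Agent account if it only runs metric checks. If Get-Counter reports that a counter path does not exist, the OS is using localized counter names; Get-Counter -ListSet shows the names available locally.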