Optimizing Zabbix Agent Monitoring for Linux and Windows: Best Practices

Zabbix uses the Zabbix agent by default to monitor operating systems; built‑in items cover most metrics, and additional data can be collected via system.run[command,<mode>] items.

Linux Monitoring

Operating‑system related items

The official manual lists all Zabbix‑agent keys, their parameters and OS applicability, including Windows‑specific items such as services and performance counters.

Active vs. passive mode

Passive (default) items are pulled by the server, while active items are pushed by the agent. In small environments (200‑500 hosts) passive mode is recommended; in medium‑large environments active mode reduces server load but can cause false alerts if host time differs.

Optimization of the Linux template

Set agent.ping, Host local time and all auto‑discovery rules to passive mode to avoid time‑drift issues. Adjust monitoring frequencies: CPU and memory items to 1 minute, informational items to 1 hour.

Alarm suppression and macro variables

Use trigger functions to suppress alerts, e.g., trigger only when {Template OS Linux:system.cpu.util[,iowait].min(5m)}>20 for five consecutive minutes. Define template macros such as {$CPUIOWAIT} to allow host‑specific threshold overrides.

LLD macro variables

For filesystem discovery, use LLD macros to set per‑filesystem thresholds, e.g.:

{host:vfs.fs.size[{#FSNAME},pfree].last()}<{$LOW_SPACE_LIMIT:"{#FSNAME}"}

Add a host macro {$LOW_SPACE_LIMIT:"/opt"}=95 to raise the limit for the /opt filesystem.

CPU, Memory and Filesystem metrics

Create a calculated item 100 - system.cpu.util[,idle] to represent total CPU usage. For memory, use vm.memory.size keys (total, free, active, inactive, wired, etc.) and prefer pavailable for alert thresholds. Reduce filesystem items to total size, used size, and used percentage to lower load.

Windows Monitoring

Service auto‑discovery

Disable the default Windows service discovery in the template; enable it per host when needed and apply filters to monitor specific services.

Performance counter monitoring

Use the perf_counter[<counter>,<interval>] key to collect Windows performance counters, such as Average disk read queue length.

Event log monitoring

Monitor Windows event logs with

eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>]

. All parameters must be supplied in English.