
Monitor registry keys with Zabbix

Using monitoring of 7-Zip version as an example

Robert Szulist
Dec 27, 2019


Zabbix 6.2+ update

A lot has changed in Zabbix since this article was released. One of those things is native monitoring of registry keys with Zabbix Agent 2, which makes everything a lot simpler. There are two new keys:

  • registry.data — used to get a single property value of a key
  • registry.get — used to get all properties and their values in JSON format

So, if you’re lucky enough to use Zabbix Agent 2 newer than 6.2, you can monitor the version of 7-Zip with the following key: registry.data["HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip",DisplayVersion]. As always, you can test it in the shell:

zabbix_agent2.exe -t registry.data["HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip",DisplayVersion]
registry.data[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip,DisplayVersion][s|22.01]

If for some reason you’re unable to use this solution, then the original answer might be of help.

Original article

Zabbix is a very versatile tool containing loads of built-in functions. However, not everything is possible out of the box and some things need custom solutions backed up by clever scripts.

One of these things is getting values from the Windows Registry, though some might argue that this can be done with Zabbix Agent 4.4 and its WMI queries. Those, however, are designed to be used with Low Level Discovery and not single items. Then again you could filter out that single item, but I digress.

What you can do instead is create a custom UserParameter that will use PowerShell to query a specified key and maybe transform some data. In the following example I will do just that — use PowerShell to extract the 7-Zip version from a specific key in the registry.

Firstly, let’s assume we are using 7-Zip. It is a nice utility that can unpack just about any archive file. But like any other piece of software it comes with some bugs, some of which are security vulnerabilities. For a complete list of those you can go to the CVE database. Every vulnerability report contains information about the affected 7-Zip versions.

Some information about 7-Zip can be found in the Windows registry, to be more specific, under this registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip. A fast PowerShell one-liner will show us what can be found there.

> Get-Item -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip

    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Name                           Property
----                           --------
7-Zip                          DisplayName     : 7-Zip 19.00 (x64)
                               DisplayVersion  : 19.00
                               DisplayIcon     : C:\Program Fil(...)
                               InstallLocation : C:\Program Fil(...)
                               UninstallString : C:\Program Fil(...)
                               NoModify        : 1
                               NoRepair        : 1
                               EstimatedSize   : 5082
                               VersionMajor    : 19
                               VersionMinor    : 0
                               Publisher       : Igor Pavlovs

What we have is a nice object with some properties (some of which were truncated for readability). Among them is the version of 7-Zip. Let’s just update our one-liner so it can extract the relevant property and pack it into fancy UserParameter syntax.

UserParameter=7zip.version,powershell.exe (Get-Item -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip).GetValue('DisplayVersion')

The above line should be added to the Zabbix Agent configuration file. If you prefer keeping UserParameters in separate config files you could do that or just append it to the main config file.

Once the Zabbix Agent is configured and restarted, the key 7zip.version will be usable by Zabbix. Just remember to repeat those steps on every server with 7-Zip installed. Data isn’t worth much if it is not being analysed, so creating some triggers is in order. With this data it makes sense to do one of two things: either check if the installed version is different from the newest one available, or check if the installed version matches any of those with known vulnerabilities. Since only the former can be exported as a stand-alone XML file, I did just that. You can check and download the code here.
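For the second kind of check (installed version against versions with known vulnerabilities), the comparison can also be done on the host. The script below is an added example, not code from the original article: it reads DisplayVersion, tolerates a missing key or an unparseable value, and compares numerically instead of as a string. The script path, the item key 7zip.version.status, the status strings and the threshold value are all assumptions made for illustration.

```powershell
# Added example, not from the original article. Assumed deployment (hypothetical path and key name):
#   UserParameter=7zip.version.status,powershell.exe -NoProfile -File "C:\zabbix\scripts\7zip_status.ps1"
# Prints one line "<version>;<status>"; status is OK, OUTDATED, UNPARSEABLE or NOT_INSTALLED.

# Placeholder threshold: set this to the first version that fixes the CVEs you track.
$MinimumSafeVersion = [version]'0.0'

# Native view plus the view a 32-bit installer writes to on 64-bit Windows.
$UninstallKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip'
)

function Get-InstalledVersion {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        # A missing key must not abort the check, so errors are silenced here.
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if ($null -ne $key) {
            $value = $key.GetValue('DisplayVersion')
            if ($value) { return [string]$value }
        }
    }
    return $null
}

function Get-VersionStatus {
    param([string]$Raw, [version]$Minimum)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return 'NOT_INSTALLED' }
    $parsed = $null
    # Parsing to [version] compares numerically: 9.20 sorts below 19.00,
    # which a plain string comparison would get wrong.
    if (-not [version]::TryParse($Raw.Trim(), [ref]$parsed)) { return 'UNPARSEABLE' }
    if ($parsed -lt $Minimum) { return 'OUTDATED' }
    return 'OK'
}

$raw = Get-InstalledVersion -Paths $UninstallKeys
$status = Get-VersionStatus -Raw $raw -Minimum $MinimumSafeVersion
Write-Output ("{0};{1}" -f $raw, $status)
```

A trigger can then match on the status part of the item value, and NOT_INSTALLED or UNPARSEABLE can be handled separately from OUTDATED.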

In this article I showed how to get a value from a specific registry key and store it in the Zabbix monitoring system. Hopefully you will find it useful. If you have any questions, please ask away.


Robert Szulist

Python and cloud enthusiast, Zabbix Certified Trainer.