Excluding Windows service alerts from Zabbix

By | December 19, 2024

Zabbix is a fantastic open-source application for monitoring your network attached devices. In regard to monitoring Windows endpoints, there are many Windows services that you will not want to see alerts for in your Zabbix dashboard. You can add exclusions to the template so that this excess clutter is not shown. This is a question that is asked a lot in the Zabbix forums, and the answers do not always seem to clearly give a beginner to Zabbix easy to follow steps for this. So, here it is.

From your main dashboard, go into, “Data collection“, then select, “Templates“. Almost to the end of the list of templates, you will see a template named, “Windows services by Zabbix agent“. Select that template.

Now select the MACROS tab within the template. Look for the section for, “{SERVICE.NAME.NOT_MATCHES}“. In the box, enter the service names you would like to exclude from detection. The list must begin with a ^ character and is separated by a | pipe character. The end of the list must be a $ dollar sign. An example would be:

^BITS|cplspcon|DolbyDAXAPI|edgeupdate|SysmonLogTrustedInstaller$

Click on UPDATE and your changes will be saved.

The exclusions will not be immediate. Normally the changes will only happen after the current lifecycle of the alerts history you have set. If you want the changes to be immediate and the services that you want to exclude removed from the dashboard immediately, then you will need to temporarily unlink and clear the windows services template from the, “Windows by Zabbix agent”, template, then add the template back in.

Using the same method to find the previous template, search for, “Windows by Zabbix agent” and open the template. Look for the, “Windows services by Zabbix agent“, and click on the link to the righ that says, “Unlink and clear“. Then click UPDATE. After several moments, the template will be removed. Now you can use the select function below to search and add the, “Windows services by Zabbix agent“, back into the template. Once you update the temaplate after adding the, “Windows services by Zabbix agent” back in, the alerts will be cleared out and now only be populated moving forward with the alerts you want.

All existing alerts are now cleared from dashboard and all future alerts will be shown except the ones you added to be excluded.

Best text message this morning

By | November 22, 2024

I received this text message a few minutes ago. It must be in regards to that box of cash I am waiting for from the prince of Nigeria. I better click on this to be sure.

I also noticed how clever the USPS is by using Cuttly for URL shortening.

BrightTALK the obnoxious spammer

By | July 3, 2024

BrightTALK is an organization that is supposed to be a media company providing technology webinars you can watch. The problem is they are one of the most obnoxious spammers on the planet. If your email addresse gets on one of their lists, you are screwed! Their unsubscribe options do not work and seem to actually sign you up for more SPAM from them. The only way to deal with them is to reject their email and protect everyone in your organization. I do this by creating a rule in Exchange online.

I highly recommend everyone to add this rule to their mail server settings. After an hour of creating this rule, I have already blocked over a dozen emails from these bastards.

Hide installed application in Windows

By | May 17, 2024

There may be a time when you need to hide an installed application so that it will not be uninstalled. An easy way to keep an application from being uninstalled is to just hide it from appearing in Windows add/remove programs. This is easily achieved by adding the SystemComponent value DWORD in the uninstall section of the registry for that specific application.

Let’s say I want to hide the Zoom application from appearing in Windows. Currently, you can see it listed in the control panel

I can run the following powershell command to add the SystemComponent entry to the registry and set the value to 1 to hide the application:

New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{57D6B477-1B0C-4C4B-8479-A89ACFDFD875}' -Name SystemComponent -Value 1

Now the application will no longer appear in the installed Applications section of Control panel.

To make the item visible again, just delete the SystemComponent from the registry.

Powershell .ToString()

By | April 22, 2024

I’m posting this as I spent too much time on figuring out how to convert the current IP of a machine and turn the IP address into an array. I needed this so I can change the last octet to a couple of other values that I would set later in the script. Powershell has an odd way of outputting data into different types such as objects. Objects can be frustrating when you just want a string output, but objects do give you all types of other possible information from the data you are querying.

The output of my variable $ipv4 is an object.

I mean there is quite a bit of data to choose from, but I just wanted the IP address. So, after digging around, I realized I needed to pass a PSObject .ToString() to my variable which will return the string representation for this object.

Finally! My variable only outputting the string value.

Now that I can get the actual string value I need, I can then use split(‘.’) to split the string at each period character to an array. For some reason, getting just the string value on this one stumped me longer than it should have. So, here it is for anyone that ever needs this (Or myself for future reference). Splitting your IP address into an array.

$ipV4 = (Test-Connection -ComputerName (hostname) -Count 1).IPV4Address
$ipArray =  ($ipV4.ToString()).Split(".")

Write-Host("IPV4 Output :" + $ipV4)
Write-Host("Octect1 [0] :" + $ipArray[0])
Write-Host("Octect2 [1] :" + $ipArray[1])
Write-Host("Octect3 [2] :" + $ipArray[2])
Write-Host("Octect4 [3] :" + $ipArray[3])

Replacing apt with Nala

By | April 19, 2024

Nala is an improved front-end for the apt package manager in Ubuntu/Debian Linux. It adds many features and a better visual representation to the activity of the command. A really good article about Nala can be found here at ItsFoss. There are many more features and arguments to nala than the normal apt command offers.

Nala upgrade in use.

I’ve decided to create an alias to stop me from using the apt command to using nala. To make sure the alias is persistent after every session or login, I needed to add the following alias commands to the bottom of my .bashrc file.

# Added alias for nala to be used instead of apt.
alias apt='\nala'
alias dapt='\apt'
# For aliases to work with sudo:
alias sudo='sudo '

Now save and exit the shell. Enter back into your terminal and when I run sudo apt update, I get nala running instead.

Running sudo apt upgrade runs through nala now.

Monthly patching schedule

By | October 6, 2023

I am often asked how I perform security and third-party patching for an entire company. Below, I have outlined the basic strategy I use, and this has not varied much in the past 15 years from every company where I have been responsible for maintaining the patching in regard to Windows servers and workstations. First off, I always test patching before roll-out. Period! I never assume every update installs without issue. Patching processes these days are much more reliable than they used to be, but sometimes a patch or an updated application can cause issues. Testing first doesn’t hurt anything and ensures the patching doesn’t have any conflicts with applications and operations, which could save you a major headaches in the long run.

To explain my reason for testing is to ensure no disruption to business. For example, if many of the endpoints that you are patching are located in restaurants, such as the point-of-sale system or other critical machines required for business to operate, you will want to make sure those endpoints are always available, and that a patch or update does not cause problems for those devices to operate. If those endpoints are not running, that can cause an immediate loss of business to a location(s) financially. You don’t want to find out a patch or an updated application doesn’t play nice until too late.

I’ve been using Action1 as my patching platform for the past couple of years and have been impressed with the flexibility and ease of keeping the entire company up to date. The below details will be shown from the Action1 configuration I use, but the scheduling will match to my normal overall strategy.

With all that I mentioned about testing updates before deployment, I do have a small handful of application updates that I will deploy as soon as they are available. These are mostly workstation applications for users and not OS security or production applications for business-critical needs.

Workstations – Automated patching. Daily. 6am. No reboot. Low risk to workstation users.

  • 1Password
  • Adobe Acrobat Reader*
  • Microsoft Edge*
  • Microsoft Teams*
  • Teams Machine-Wide Installer*
  • VLC*
  • *Webex*
  • XNView*
  • Zoom*

Workstations and Servers – Automated patching. Daily. 6:15am. No reboot.

  • *Defender Antivirus*
  • Windows Malicious Software Removal Tool*

Monthly Patching – Servers and workstations.

All updates are manually approved. Reboots allowed. Patching is done manually, no automated schedules.

  • Updates deployed to lab/dev/qa system endpoints first. Verify no issues with functionality for 24 hours.
  • If no issues from lab endpoint patching. Update to pilot group of live sites for 24 hours. Pilot workstation group includes IT department workstations.
  • If no issues from pilot group. Deploy to all workstation endpoints.
  • If multiple endpoints at remote sites, do not deploy to all endpoints, break up patching into groups to ensure not all endpoints will be affected at same time during patching/reboots.

Server considerations

  • Do not deploy to a master domain controller first. Apply to a secondary domain controllers, then patch master domain controller on following day.
  • Server patching done outside business hours. Must have IT staff monitoring patching to ensure all servers operational after patching.
  • Snapshot all VM’s before patching or patch after backup routines to ensure quick rollback if needed.

I hope this provides some visibility into my patching strategy and helps you with coming up with your own patching cycle. Every patching cycle should be strict and consistent to minimize risk to any organization, but yet flexible to work around business needs.

Reformatting a flash drive formatted as ISO

By | October 4, 2023

Typically, when a flash drive is formatted from an ISO image, the flash drive will be formatted as an ISO9660 type and not want to be re-formatted or erased easily. Take a look at Gparted showing a flash drive below with the Linux Mint ISO on it.

When I attempt to delete the Partition in GParted, it is greyed out. If you try to format it, you will also get an error. The proper method is to use a command like:

sudo dd status=progress if=/dev/zero of=/dev/sde bs=4k && sync

The problem is this takes forever to run and zero out the entire flash drive. What I do is probably considered some hillbilly method but it works and works fairly quickly. I only seem to need to use this method when I want to reformat a flash drive shown as an ISO format. I run the shred -v command and let it run for about 10% to 15% (Which takes only a couple of minutes typically). I then hit CTRL C to cancel the operation.

Remove the flash drive and re-insert it. Now go into Gparted and create a partition table and format the flash drive any way you want.

Now I format the flash drive however I want. In this case, I formatted it as a Fat32.

Formatted to Fat32 and ready to be used.

Maybe I’ll post a more proper method later, but the above is down and really dirty but works quickly.

Using Powershell to read registry HKEY_USERS

By | August 30, 2023
Script execution. Shows the wallpaper path and file used for each user account in HKEY_USERS of the Windows registry.