Check_WMI_Plus error when no results from eventlog

This board serves as an open discussion and support collaboration point for Nagios XI. NOTE: Nagios XI customers should use the Customer Support forum to obtain expedited support.

Re: Check_WMI_Plus error when no results from eventlog

Postby kgugerty » Mon Jan 09, 2017 4:15 pm

I get an unknown
Code:
wmic --version
Version 4.0.0tp4-SVN-build-UNKNOWN


I am fairly new to Linux and have not dabbled much into troubleshooting builds.

I also found this command: check_wmi_plus.pl -d -d | head -n 20

Code:
--------------------- Module Versions ---------------------
Warning - one or more of your Perl Modules are out of date and this may cause plugin problems. If you are having any problems with Check WMI Plus you must upgrade your Perl Modules before contacting support (since they'll just tell you to upgrade!). You can override this warning at your peril by using the --IgnoreMyOutDatedPerlModuleVersions command line option or the "$ignore_my_outdated_perl_module_versions" setting in the conf file (/usr/local/nagios/libexec/check_wmi_plus.conf). Version Information on the next line.
MODULE_NAME           INSTALLED_VERSION  STATUS DESIRED_VERSION
Config::IniFiles                   2.94      ok       2.58
Perl Version                   5.010001      ok       5.01
Getopt::Long                       2.38      ok       2.38
DateTime                           0.53     BAD       0.66
Number::Format                     1.75      ok       1.73
Data::Dumper                      2.124     BAD      2.125
Scalar::Util                       1.47      ok       1.22
Storable                           2.20     BAD       2.22
Net::DNS -
--------------------- Environment ---------------------
ENV=$VAR1 = {
          'HOME' => '/root',


Using cpan to update DateTime I get some errors:
Code:
#   Failed test '$DateTime::IsPurePerl is true'
#   at t/39no-so.t line 33.
Can't locate object method "new" via package "DateTime" at t/39no-so.t line 35.
# Tests were run but no plan was declared and done_testing() was not seen.
# Looks like your test exited with 2 just after 2.
t/39no-so.t .............. Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/2 subtests
kgugerty
 
Posts: 29
Joined: Wed May 04, 2016 8:28 am

Re: Check_WMI_Plus error when no results from eventlog

Postby dwhitfield » Mon Jan 09, 2017 4:40 pm

You might get updates to some of those perl modules simply by running yum -y update

If you're concerned about disk space, or compatibility issues, you could run yum update and then get a list of what's going to be installed, but since it sounds like time is of the essence, the -y will speed things up a bit for you.
Be sure to check out our Knowledgebase for helpful articles and solutions!
dwhitfield
The Doctor
 
Posts: 3107
Joined: Wed Sep 21, 2016 10:29 am
Location: Nagios Enterprises, LLC

Re: Check_WMI_Plus error when no results from eventlog

Postby kgugerty » Wed Jan 11, 2017 4:00 pm

So, this might actually be a setting on the Windows side. I ran the tests against a different set of servers and came up with the expected results. I didn't think to look at the Windows side because it DOES work when there are events discovered. In any case, I will compare the settings and post what I find here.
kgugerty
 
Posts: 29
Joined: Wed May 04, 2016 8:28 am

Re: Check_WMI_Plus error when no results from eventlog

Postby dwhitfield » Wed Jan 11, 2017 5:27 pm

Let's start with the basics. Are all the Windows versions the same? If not, what versions? Also, what version of WMI are they all running?
dwhitfield
The Doctor
 
Posts: 3107
Joined: Wed Sep 21, 2016 10:29 am
Location: Nagios Enterprises, LLC

Re: Check_WMI_Plus error when no results from eventlog

Postby kgugerty » Thu Jan 12, 2017 5:49 pm

Both Servers are Windows 2008R2 Enterprise SP1 servers. Both Versions of WMI are 7601.17514.

It turns out -- ALL of my WMI commands return this error:
OUTPUT: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv
CLASS: Win32_ComputerSystem

Running with the -d -d options, any of the WMI check commands show this error, in ADDITION to the results found. It only shows through in the UI on the CheckEventLog results when there are no OTHER results to display. My research on the c00000b5 error code points to either a DNS issue or a firewall issue. I will look into these with my network team and see if there is an issue here. I assumed not, because I was able to ping the FQDN, and since the other queries receive results I was not looking for error messages in them. It appears WMI communicates initially on 135, then chooses a random high-numbered port to send data.
I will post the results here.
kgugerty
 
Posts: 29
Joined: Wed May 04, 2016 8:28 am

Re: Check_WMI_Plus error when no results from eventlog

Postby dwhitfield » Thu Jan 12, 2017 5:57 pm

kgugerty wrote: I will post the results here.


Excellent. We will await.
dwhitfield
The Doctor
 
Posts: 3107
Joined: Wed Sep 21, 2016 10:29 am
Location: Nagios Enterprises, LLC

Re: Check_WMI_Plus error when no results from eventlog

Postby kgugerty » Wed Jan 18, 2017 12:30 pm

I have not been able to figure this one out. The Network team states there are no restrictions placed between the networks that would prevent WMI communication.

Running a simple WMIC query from the command line produces the same results.
Code:
wmic -U DOMAIN/USERNAME%PASSWORD --namespace="root\cimv2" //SERVER.FQDN "select * from Win32_OperatingSystem"
[librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv
CLASS: Win32_OperatingSystem
BootDevice|BuildNumber|BuildType|Caption|CodeSet|CountryCode|CreationClassName|CSCreationClassName|CSDVersion|CSName|CurrentTimeZone|DataExecutionPrevention_32BitApplications|DataExecutionPrevention_Available|DataExecutionPrevention_Drivers|DataExecutionPrevention_SupportPolicy|Debug|Description|Distributed|EncryptionLevel|ForegroundApplicationBoost|FreePhysicalMemory|FreeSpaceInPagingFiles|FreeVirtualMemory|InstallDate|LargeSystemCache|LastBootUpTime|LocalDateTime|Locale|Manufacturer|MaxNumberOfProcesses|MaxProcessMemorySize|MUILanguages|Name|NumberOfLicensedUsers|NumberOfProcesses|NumberOfUsers|OperatingSystemSKU|Organization|OSArchitecture|OSLanguage|OSProductSuite|OSType|OtherTypeDescription|PAEEnabled|PlusProductID|PlusVersionNumber|Primary|ProductType|RegisteredUser|SerialNumber|ServicePackMajorVersion|ServicePackMinorVersion|SizeStoredInPagingFiles|Status|SuiteMask|SystemDevice|SystemDirectory|SystemDrive|TotalSwapSpaceSize|TotalVirtualMemorySize|TotalVisibleMemorySize|Version|WindowsDirectory
RESULTS


Actual system results have been removed. If I run the same command with an IP instead of an FQDN, the query executes normally.

I have not been able to trace down the exact cause of the error, but as a workaround for now we will likely set Nagios to not notify on the Unknown state of this check. Later, if I get time, I might try to update the script to resolve the FQDN to an IP before executing the WMIC query.
kgugerty
 
Posts: 29
Joined: Wed May 04, 2016 8:28 am

Re: Check_WMI_Plus error when no results from eventlog

Postby rkennedy » Wed Jan 18, 2017 3:36 pm

If the IP is working, but FQDN is not - I would look to see if it's defaulting to IPv6, or perhaps a bad resolution of the DNS name. Does a nslookup <hostname> show anything? Are you able to run it through an strace and post the result? This might show us some useful information as to why it's failing.
rkennedy
 
Posts: 6562
Joined: Mon Oct 05, 2015 11:45 am
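
Added example, not part of the original thread or of check_wmi_plus: a Python script for the check suggested above. It lists every address the FQDN resolves to in resolver order, probes TCP 135 on each, and picks a reachable IPv4 literal for the resolve-before-wmic workaround mentioned earlier in the thread. The host name, addresses and fake resolver in the demo are constructed, and that wmic tries addresses in resolver order is an assumption.

```python
import socket
WMI_PORT = 135  # initial WMI/DCOM port named in the thread

def resolve_all(host, port=WMI_PORT, resolver=socket.getaddrinfo):
    """Return [(family, ip)] in resolver order (assumed to be the order a client tries)."""
    try:
        infos = resolver(host, port, 0, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    out = []
    for family, _type, _proto, _canon, sockaddr in infos:
        entry = ("IPv6" if family == socket.AF_INET6 else "IPv4", sockaddr[0])
        if entry not in out:
            out.append(entry)
    return out

def tcp_probe(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(host, port=WMI_PORT, resolver=socket.getaddrinfo, probe=tcp_probe):
    """Probe every resolved address and summarise what a name-based client would hit."""
    results = [(fam, ip, probe(ip, port)) for fam, ip in resolve_all(host, port, resolver)]
    if not results:
        verdict = "name does not resolve"
    elif not any(ok for _, _, ok in results):
        verdict = "no resolved address answers"
    elif not results[0][2]:
        verdict = "first address fails, a later one answers"
    else:
        verdict = "first address answers"
    return results, verdict

def first_reachable_ipv4(results):
    """Workaround from the thread: an IPv4 literal to hand to wmic instead of the FQDN."""
    return next((ip for fam, ip, ok in results if fam == "IPv4" and ok), None)

if __name__ == "__main__":
    # Constructed data (documentation address ranges), so this runs offline.
    fake_dns = lambda h, p, f, t: [(socket.AF_INET6, t, 6, "", ("2001:db8::10", p, 0, 0)),
                                   (socket.AF_INET, t, 6, "", ("192.0.2.10", p))]
    results, verdict = diagnose("server.example.test", resolver=fake_dns,
                                probe=lambda ip, port: ip == "192.0.2.10")
    print(verdict, first_reachable_ipv4(results))
```

Against a real host, call diagnose() with only the FQDN so the system resolver and a real TCP connect are used.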

Re: Check_WMI_Plus error when no results from eventlog

Postby kgugerty » Wed Jan 18, 2017 6:01 pm

NSLookup resolves the host to an IP and Pinging the FQDN resolves to an IP as well.

Are you able to run it through an strace and post the result?


Not sure what strace is?

But I have some interesting results from traceroute....
Code:

2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *


So it looks like a traceroute times out.
kgugerty
 
Posts: 29
Joined: Wed May 04, 2016 8:28 am

Re: Check_WMI_Plus error when no results from eventlog

Postby rkennedy » Thu Jan 19, 2017 11:50 am

Does ping run successfully? Can you show us the result of a nmap <IP> and nmap <FQDN>?

To run a strace, you'll just need to install it first. yum install strace - this will output more of the process that's actually happening internal to the command you run.

Then, run the checks with 'strace' in front of them, for example, 'strace uptime'. Post the output for the IP, and FQDN.
rkennedy
 
Posts: 6562
Joined: Mon Oct 05, 2015 11:45 am
