monitoring Windows EventLog Events using wmic

thanks_st_ignucius
Posts: 12
Joined: Thu Sep 17, 2015 12:10 pm

Re: monitoring Windows EventLog Events using wmic

Post by thanks_st_ignucius »

tgriep wrote: Did you verify that the security settings for the root/cimv2 are setup with full administrator access?
Yes, but thank you. This is not an authentication issue. Authentication issues produce output.
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: monitoring Windows EventLog Events using wmic

Post by tgriep »

I ran your command against my Windows 7 workstation and it returned information. Try adding the -d <Debug Level> to your command and see if you can get some error messages that can help out on this issue.

wmic -U user%password --namespace root/cimv2 //hostname "Select * From Win32_NTLogEvent where RecordNumber = 18166" -d 1
Increase the number to get more details if needed.
thanks_st_ignucius
Posts: 12
Joined: Thu Sep 17, 2015 12:10 pm

Re: monitoring Windows EventLog Events using wmic

Post by thanks_st_ignucius »

Hi everyone, thanks for all your help with this!

I want to document the outcome of this issue, as it may be of interest to posterity AND the developer who wrote the nearly 7000 line Perl script used in the Wizard, because this will cause all sorts of false 'OK' results if uncorrected or undocumented.

The problem deals with WMI and user authentication, but it's very complicated. There is some pretty good documentation on the Microsoft website about WMI and authentication, but I will reiterate it here for the sake of total disclosure. The basic run-down is as follows:

When a Windows user is added to a group, that user is given an Authentication token. For each group a user is a member of, a separate token is issued. When a request to access an object is issued, the token containing the permissions level of the object is compared to that of the user.

With Windows Server 2003 and below, authenticating users automatically used the highest level of authentication available to them. This means that any user added to the Administrators group was authenticated at that level for every request.

Beginning with Windows Server 2008, things changed. Authenticating users automatically used the highest level of authentication when executing WMI queries locally, but when executing queries remotely, users are expected to use domain credentials to validate permissions. However, if the server is not part of a domain and is instead configured to use a workgroup, remotely authenticated users are given regular user-level permissions, despite existing in the Administrators group. There is no way to change this behavior.

The crux of the matter is this:

If a query is submitted via wmic to a Windows server running 2008 or above and false or incorrect credentials are supplied, an error message appears. The problem is that when a query is submitted with a correct set of credentials, but a user does not have access to the WMI class, absolutely NO output is returned by wmic.

This is a HUGE issue for people writing scripts built around the wmic binary, because every script I've seen assumes that "no news is good news," and that a lack of output indicates a successful result. In reality, a lack of any information means that the check has failed to retrieve the desired output. At the very least, there should be documentation that explicitly states that objects requiring Administrator level access require Administrator credentials, and at best wmic should give some output indicating that the provided credentials have failed to access the requested object.

I hope this gets its way back to the devs, and helps anyone experiencing the same issues I have.

Thanks again!
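An added example (not code from the thread, from Nagios XI, or from the check_wmi_plus script) showing how a wrapper around the wmic call can avoid the "no news is good news" trap described above: completely empty output is mapped to UNKNOWN instead of OK, so a silently denied query never produces a false OK. The parser assumes wmic's usual text layout (a "CLASS: <name>" line, a pipe-separated header row, then pipe-separated data rows); the sample outputs below are constructed, not captured.

```python
import subprocess
from typing import Dict, List, Tuple

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def parse_wmic(stdout: str) -> List[Dict[str, str]]:
    """Turn wmic text output into a list of row dicts keyed by column name.
    Assumed layout: 'CLASS: X', then 'col1|col2|...', then one 'v1|v2|...' per row."""
    lines = [ln for ln in stdout.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("CLASS:"):
        return []
    header = lines[1].split("|")
    return [dict(zip(header, ln.split("|"))) for ln in lines[2:]]


def classify(rc: int, stdout: str, stderr: str) -> Tuple[int, str]:
    """Map one wmic invocation to a Nagios state and message.
    Key point from the thread: a zero exit with NO output is not success; it is what
    wmic produces when the credentials are accepted but the account is denied access
    to the WMI class, so it must become UNKNOWN rather than OK."""
    if rc != 0 or "NTSTATUS" in stderr or "NTSTATUS" in stdout:
        text = (stderr or stdout).strip()
        detail = text.splitlines()[-1] if text else "wmic exited %d with no message" % rc
        return UNKNOWN, "UNKNOWN - wmic error: " + detail
    if not stdout.strip():
        return UNKNOWN, ("UNKNOWN - wmic returned no output; credentials were accepted "
                         "but the account may lack access to the WMI class")
    rows = parse_wmic(stdout)
    return OK, "OK - %d event(s) returned" % len(rows)


def run_check(host: str, user: str, password: str, query: str) -> Tuple[int, str]:
    """Run the same wmic command shape used in the thread and classify its result."""
    cmd = ["wmic", "-U", "%s%%%s" % (user, password),
           "--namespace", "root/cimv2", "//" + host, query]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify(proc.returncode, proc.stdout, proc.stderr)


# Constructed sample outputs modelled on wmic's format (not real captures).
SAMPLE_ROWS = ("CLASS: Win32_NTLogEvent\n"
               "EventCode|Logfile|RecordNumber|SourceName\n"
               "4624|Security|18166|Microsoft-Windows-Security-Auditing\n")
SAMPLE_LOGON_ERR = "NTSTATUS: NT_STATUS_LOGON_FAILURE - Logon failure\n"
```

The state for a populated result set is left at OK here; a real event-log check would inspect the returned rows before deciding between OK and CRITICAL.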
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia

Re: monitoring Windows EventLog Events using wmic

Post by Box293 »

I will add this as a troubleshooting article to the Nagios Knowledgebase.

In relation to getting better output from the plugin in these scenarios, it might help to contact the developer to see if they can improve the script.

http://www.edcint.co.nz/checkwmiplus/
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia

Re: monitoring Windows EventLog Events using wmic

Post by Box293 »

I wanted to follow up to say that we've added your information to a KB article here:

https://support.nagios.com/kb/article.php?id=476

Thanks very much to @thanks_st_ignucius for taking the time to report back their findings, this information will help future users.
GeraldGeniaut
Posts: 7
Joined: Mon Apr 20, 2015 9:51 am

Re: monitoring Windows EventLog Events using wmic

Post by GeraldGeniaut »

Hi,

The problem is the same with Windows 2012 R2.

CU

Gérald
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: monitoring Windows EventLog Events using wmic

Post by dwhitfield »

GeraldGeniaut wrote: The problem is the same with Windows 2012 R2.
Indeed. The document notes:
Beginning with Windows Server 2008
Do you feel we could address this in a better way?