Check_WMI_Plus error when no results from eventlog

Post by kgugerty »

Hello,
I've been working with the check_wmi_plus plugin for a bit of a while now. Most issues I came across I was able to resolve using this forum and a variety of other sources. This one has me stumped though.
This is from the command line or from the 'Run Check Command' option in the Nagios XI UI.

# /usr/local/nagios/libexec/check_wmi_plus.pl -H HOSTNAME -u USERNAME -p PASSWORD -m checkeventlog -a system -o 2 -3 4 -w 1 -c 6
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv


This check should show me system warnings and errors for the past four hours and give a warning message if 1-6 results are found and a critical if > 6 results are found. That part works. The issue I have is when there are NO messages returned I do not get an 'OK' result. I get the above error message.
I have tried the --nodatamode, --nodatamessage, and --nodataexit options in various combinations to see if anything would work.

I do not currently have this check set up in an ini file. Is that where the nodataexit code can be set? If so, does anyone have an example?

Post by dwhitfield »

What's the output of ./check_wmi_plus.pl --version?

Also, what version of XI are you running?

It's almost certainly overkill, but if you want to be really thorough... can you PM me your Profile? You can download it by going to Admin > System Config > System Profile and click the Download Profile button towards the top. If for whatever reason you *cannot* download the profile, please put the output of View System Info (5.3.4+, Show Profile if older) in the thread (that will at least get us some info).

After you PM the profile, please update this thread (of course, you should do that with the two other questions I asked anyway). Updating this thread is the only way for it to show back up on our dashboard.

Post by kgugerty »

./check_wmi_plus.pl --version
Version: 1.6
Nagios XI Version 5.3.3 VMware installation.

System Profile:

System:

Nagios XI Version : 5.3.3
localhost.localdomain 2.6.32-504.16.2.el6.x86_64 x86_64
CentOS release 6.6 (Final)
Gnome is not installed
Apache Information

PHP Version: 5.3.3
Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36
Date/Time

PHP Timezone: US/Central
PHP Time: Fri, 06 Jan 2017 11:50:29 -0600
System Time: Fri, 06 Jan 2017 11:50:29 -0600

I have not yet PM'd the whole profile. Let me know if you think that is still needed.

Post by dwhitfield »

What's the output of sestatus? I know that seems weird, but with dcerpc we've seen SELinux issues in the past.

Also, do you have your quotes set appropriately in the command? I know you are just using variables here, but there's nothing quoted. If you could give us something a little closer like the actual host name and username that might help. You can just PM me the full check minus the password if you like.

Full profile is probably not necessary. I just hate to get 3 pages into these things and think "hmm, maybe it's time for the profile" :)

UPDATE: profile received and shared with techs

Post by mcapra »

I would also be interested in seeing the debug output from the WMI query (when it's failing and throwing the error) using the -d argument like so:

Code:

/usr/local/nagios/libexec/check_wmi_plus.pl -H HOSTNAME -u USERNAME -p PASSWORD -m checkeventlog -a system -o 2 -3 4 -w 1 -c 6 -d

I've been unable to replicate this so far against check_wmi_plus 1.6:

Code:

[root@xi-stable ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -H 192.168.67.99 -u admin -p welcome123@ -m checkeventlog -a system -o 2 -3 4 -w 4 -c 6
OK - 0 event(s) of Severity Level: "Error,Warning", were recorded in the last 4 hours from the system Event Log.|'Event Count'=0;4;6;
[root@xi-stable ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -version
Version: 1.6

Former Nagios employee
https://www.mcapra.com/

Post by kgugerty »

Below is an execution with the debug option.

Code:

Command Line (v1.6): /usr/local/nagios/libexec/check_wmi_plus.pl -H HOST -u USER -p PASS -m checkeventlog -a system -o 2 -3 4 -w 1 -c 6 -d
Base Dir: /usr/local/nagios/libexec
Conf File Dir: /usr/local/nagios/libexec
Loaded Conf File /usr/local/nagios/libexec/check_wmi_plus.conf
Round #1 of 1
QUERY: /usr/bin/wmic '-U' 'USER%PASS' '--namespace' 'root/cimv2' '//HOST' 'Select EventCode,EventIdentifier,Type,LogFile,SourceName,Message,TimeGenerated from Win32_NTLogEvent where ( Logfile="system" ) and EventType<=2 and EventType>0 and TimeGenerated > "20170106180100.00000000"'
OUTPUT: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv

Could not find the CLASS: line - an error occurred
WMI DATA:$VAR1 = [];
UNKNOWN - The WMI query had problems. The error text from wmic is: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv

This is the same command executed over a 24 hour period (without the debug option):

Code:

CRITICAL - [Triggered by _ItemCount>6] - 7 event(s) of Severity Level: "Error,Warning", were recorded in the last 24 hours from the system Event Log. (List is on next line. Fields shown are - Logfile:TimeGenerated:EventId:EventCode:SeverityLevel:Type:SourceName:Message)|'Event Count'=7;1;6;
System:20170106023934.000000-000:1111:1111:Error:Microsoft-Windows-TerminalServices-Printers:Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
System:20170106023934.000000-000:1111:1111:Error:Microsoft-Windows-TerminalServices-Printers:Driver SHARP UD2 PCL6 required for printer SHARP UD2 PCL6 is unknown. Contact the administrator to install the driver before you log in again.
System:20170106023933.000000-000:1111:1111:Error:Microsoft-Windows-TerminalServices-Printers:Driver PDF-XChange 4.0 required for printer PDF-XChange 4.0 is unknown. Contact the administrator to install the driver before you log in again.
System:20170106023930.000000-000:1111:1111:Error:Microsoft-Windows-TerminalServices-Printers:Driver PDF-XChange 3.0 required for printer PDF-XChange 3.0 is unknown. Contact the administrator to install the driver before you log in again.
System:20170106023928.000000-000:1111:1111:Error:Microsoft-Windows-TerminalServices-Printers:Driver Dell Open Print Driver (PCL XL) required for printer !!SERVER!PRINTER is unknown. Contact the administrator to install the driver before you log in again.
System:20170106023926.000000-000:1111:1111:Error:Microsoft-Windows-TerminalServices-Printers:Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.
System:20170106023925.000000-000:1111:1111:Error:Microsoft-Windows-TerminalServices-Printers:Driver Xerox WorkCentre 5845 V4 PS required for printer Xerox WorkCentre 5845 PS is unknown. Contact the administrator to install the driver before you log in again.

Post by kgugerty »

dwhitfield wrote: What's the output of sestatus? I know that seems weird, but with dcerpc we've seen SELinux issues in the past.

Also, do you have your quotes set appropriately in the command? I know you are just using variables here, but there's nothing quoted. If you could give us something a little closer like the actual host name and username that might help. You can just PM me the full check minus the password if you like.

Full profile is probably not necessary. I just hate to get 3 pages into these things and think "hmm, maybe it's time for the profile" :)

Hi dwhitfield, I apologize, I missed this entirely earlier!

SELinux is disabled

Code:

sestatus
SELinux status:                 disabled

I will PM the check info and the full system info shortly.

Post by kgugerty »

mcapra wrote:
I've been unable to replicate this so far against check_wmi_plus 1.6:

Code:

[root@xi-stable ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -H 192.168.67.99 -u admin -p welcome123@ -m checkeventlog -a system -o 2 -3 4 -w 4 -c 6
OK - 0 event(s) of Severity Level: "Error,Warning", were recorded in the last 4 hours from the system Event Log.|'Event Count'=0;4;6;
[root@xi-stable ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -version
Version: 1.6

Hi mcapra,
Did you make any modifications to check_wmi_plus.ini or check_wmi_plus.conf?

Post by kgugerty »

Keeping everyone informed:
--I supplied dwhitfield with the profile export and unmodified check command.

Also, as mcapra was unable to replicate, I decided to re-import a fresh install from the VMware OVA template in a test environment. I installed the WMI Client following the instructions at:
https://assets.nagios.com/downloads/nag ... 1433350835
and had no issues. I even applied the mod_gearman updates for load balancing and still see no issues.
So it is definitely something I did. At this point I am not certain which would be more time consuming: figuring out what I did, or rebuilding the system.

Post by mcapra »

I did not make any modifications to the aforementioned files. If you can provide copies of the following files:

Code:

check_wmi_plus.ini
check_wmi_plus.conf
check_wmi_plus.pl

I can test them on my working machine to see if it's strictly a wmic problem or an issue with the plugin's various dependencies. My best guess is that wmic wasn't built correctly on the problematic system. Can you also share the output of:

Code:

/usr/bin/wmic --version