Check_WMI_Plus error when no results from eventlog


Re: Check_WMI_Plus error when no results from eventlog

Post by tgriep » Wed Feb 15, 2017 12:26 pm

The link below is for wmic commands information.
https://www.aldeid.com/wiki/Wmic-linux

When you run the wmic command, use the IP address and not the DNS name of the server. Does that work?

In the /etc/resolv.conf file on the XI server, add the IP address of your Active Directory servers so lookups can find the systems in AD.

Also, on the Windows host you are trying to run the check against, put the user account in the Local Administrators group and test to see if that works.
tgriep
Madmin
 
Posts: 8596
Joined: Thu Oct 30, 2014 9:02 am

Re: Check_WMI_Plus error when no results from eventlog

Post by mcapra » Wed Feb 15, 2017 12:44 pm

In addition to what @tgriep requested, I've actually been looking at alternatives to WMIC since the output it provides isn't always useful and the documentation is limited. Though I suspect the FQDN vs IP is the key.

With the understanding that this is in the early testing stages and doesn't come with a particular guarantee, you might try leveraging the python script I have attached to execute WQL queries by hand and get the results. This is an option we're exploring beyond WMIC due to the availability of better debugging tools within Python. On a regular Nagios XI installation, you'll need to install the following dependencies:

Code:
pip install impacket
pip install pyasn1
pip install pycrypto


Usage examples:

Code:
[root@xi-rev tmp]# python send_wql.py -h
usage: send_wql.py [-h] -H HOST -u USERNAME -p PASSWORD -q QUERY

Executes WQL queries and gets object descriptions using Windows Management
Instrumentation.

optional arguments:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  The host name or logical address of the remote Windows
                        machine.
  -u USERNAME, --username USERNAME
                        The host name or logical address of the remote Windows
                        machine.
  -p PASSWORD, --password PASSWORD
                        The host name or logical address of the remote Windows
                        machine.
  -q QUERY, --query QUERY
                        The WQL query you wish to execute and get results for.

...

[root@xi-stable ~]# python send_wql.py -H 192.168.67.99 -u admin -p welcome123 -q 'select * from Win32_OperatingSystem'
{'MaxProcessMemorySize': 137438953344, 'WindowsDirectory': 'C:\\Windows', 'LastBootUpTime': '20170207132751.492051-360', 'SizeStoredInPagingFiles': 720896, 'MaxNumberOfProcesses': None, 'FreePhysicalMemory': 2201228, 'DataExecutionPrevention_Available': 'True', 'CSName': 'WIN-NFRUUIO4D46', 'MUILanguages': ['en-US'], 'SerialNumber': '00258-20571-39419-AA346', 'Distributed': 0, 'Primary': 'True', 'EncryptionLevel': 256, 'Debug': 0, 'SystemDrive': 'C:', 'Version': '6.3.9600', 'FreeSpaceInPagingFiles': 632944, 'NumberOfProcesses': 77, 'SystemDevice': '\\Device\\HarddiskVolume1', 'OSType': 18, 'CurrentTimeZone': -360, 'SystemDirectory': 'C:\\Windows\\system32', 'PlusProductID': 0, 'RegisteredUser': 'admin', 'Status': 'OK', 'ServicePackMajorVersion': 0, 'Description': 'My business server', 'CountryCode': '1', 'OSArchitecture': '64-bit', 'ForegroundApplicationBoost': 2, 'OperatingSystemSKU': 50, 'ServicePackMinorVersion': 0, 'SuiteMask': 305, 'OSProductSuite': 305, 'OSLanguage': 1033, 'DataExecutionPrevention_Drivers': 'True', 'TotalVirtualMemorySize': 4914608, 'NumberOfLicensedUsers': 0, 'DataExecutionPrevention_SupportPolicy': 3, 'TotalSwapSpaceSize': 0, 'Manufacturer': 'Microsoft Corporation', 'BuildType': 'Multiprocessor Free', 'CSDVersion': 0, 'FreeVirtualMemory': 2614940, 'Name': 'Microsoft Windows Server 2012 R2 Essentials|C:\\Windows|\\Device\\Harddisk0\\Partition1', 'InstallDate': '20160623112408.000000-300', 'NumberOfUsers': 8, 'Caption': 'Microsoft Windows Server 2012 R2 Essentials', 'TotalVisibleMemorySize': 4193712, 'LocalDateTime': '20170215113649.383000-360', 'OtherTypeDescription': 0, 'Organization': '', 'PortableOperatingSystem': 0, 'PAEEnabled': 0, 'PlusVersionNumber': 0, 'Locale': '0409', 'CSCreationClassName': 'Win32_ComputerSystem', 'BuildNumber': '9600', 'LargeSystemCache': 0, 'CodeSet': '1252', 'CreationClassName': 'Win32_OperatingSystem', 'DataExecutionPrevention_32BitApplications': 'True', 'BootDevice': '\\Device\\HarddiskVolume1', 'ProductType': 
2}

...

[root@xi-rev ~]# python send_wql.py -H 192.168.67.99 -u admin -p welcome123 -q 'select PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfOS_Processor where Name="_Total";'
{'Timestamp_Sys100NS': 131316538434507891, 'PercentProcessorTime': 6172579140625}
Attachments
send_wql.py
Former Nagios employee
http://www.mcapra.com/
mcapra
 
Posts: 3600
Joined: Thu May 05, 2016 3:54 pm

Re: Check_WMI_Plus error when no results from eventlog

Post by kgugerty » Wed Feb 15, 2017 4:11 pm

@tgriep

tgriep wrote: The link below is for wmic commands information.
https://www.aldeid.com/wiki/Wmic-linux

Thanks, I will check this site out.

tgriep wrote: When you run the wmic command, use the IP address and not the DNS name of the server. Does that work?

Yes, this works, but we are set up for DHCP, not static, so this could lead to other issues down the road.

tgriep wrote: In the /etc/resolv.conf file on the XI server, add the IP address of your Active Directory servers so lookups can find the systems in AD.

This did not solve the issue.

tgriep wrote: Also, on the Windows host you are trying to run the check against, put the user account in the Local Administrators group and test to see if that works.

The account is a member of the local admins.

@mcapra Thanks, I can look into this as well.
kgugerty
 
Posts: 29
Joined: Wed May 04, 2016 8:28 am

Re: Check_WMI_Plus error when no results from eventlog

Post by mcapra » Wed Feb 15, 2017 5:38 pm

You brought up the idea previously of changing the script to attempt to resolve the FQDN then use the IP. That doesn't require too many changes to the code actually.

In the modules section near the top, make sure to add the following:

Code:
use Socket;


Around line 1980, change this:
Code:
# now add the namespace, hostname and query arguments
push(@wmi_args,'--namespace',$wmi_namespace);
push(@wmi_args,"//$the_arguments{'_host'}");
push(@wmi_args,"$wmi_query");


To this:


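Code:
# now add the namespace, hostname and query arguments
push(@wmi_args,'--namespace',$wmi_namespace);

# resolve fqdn to ip address first; inet_aton returns undef when the lookup
# fails, so fall back to the host as given rather than dying in inet_ntoa
my $packed_ip = inet_aton($the_arguments{'_host'});
my $address = defined($packed_ip) ? inet_ntoa($packed_ip) : $the_arguments{'_host'};
push(@wmi_args,"//$address");

push(@wmi_args,"$wmi_query");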


See if that helps things a bit. Looks promising in my very limited tests:

Code:
[root@xi-stable perfdata]# /usr/local/nagios/libexec/check_wmi_plus.pl -H 192.168.67.99 -u admin -p welcome123 -m checkcpu -d | grep wmic
QUERY: /usr/bin/wmic '-U' 'USER%PASS' '--namespace' 'root/cimv2' '//192.168.67.99' 'select PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfOS_Processor where Name="_Total"'

...

[root@xi-stable perfdata]# /usr/local/nagios/libexec/check_wmi_plus.pl -H mywmi.host.com -u admin -p welcome123 -m checkcpu -d | grep wmic
QUERY: /usr/bin/wmic '-U' 'USER%PASS' '--namespace' 'root/cimv2' '//192.168.67.99' 'select PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfOS_Processor where Name="_Total"'
Former Nagios employee
http://www.mcapra.com/
mcapra
 
Posts: 3600
Joined: Thu May 05, 2016 3:54 pm

Re: Check_WMI_Plus error when no results from eventlog

Post by kgugerty » Wed Feb 15, 2017 5:52 pm

@mcapra The last command "pip install pycrypto" produced an error message.

Code:
pip install impacket
pip install pyasn1
pip install pycrypto


Code:
...
    error: command 'gcc' failed with exit status 1

    ----------------------------------------
Command "/usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-o9VnZ3/pycrypto/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-41lRxn-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-o9VnZ3/pycrypto/

pip version
Code:
# pip --version
pip 9.0.1 from /usr/lib/python2.6/site-packages (python 2.6)



I'd rather not dive into another whole level of troubleshooting to get this to work. Particularly since after getting it to work, I'd have to go back in and redo all the WMI service checks we already have in place. It is something I could probably toy with on my own time to measure performance / reliability differences, but for our production servers, I really need the WMIC check to work.

Back to @tgriep's link: https://www.aldeid.com/wiki/Wmic-linux is helpful, but pretty much is a web site containing the --help output with two very basic examples. I found entering the --kerberos="no" command suppresses the kinit command and I do not see the "unable to reach any KDC in realm..." error message. Unfortunately, I still see:
Code:
[librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv

The odd thing is, AFTER that error message, I see the results of the query:
Code:
[wmi/wmic.c:196:main()] OK   : Login to remote object.
[wmi/wmic.c:200:main()] OK   : WMI query execute.
[wmi/wmic.c:203:main()] OK   : Reset result of WMI query.
[wmi/wmic.c:212:main()] OK   : Retrieve result data.
CLASS: Win32_OperatingSystem
kgugerty
 
Posts: 29
Joined: Wed May 04, 2016 8:28 am
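
One way to triage the debug output quoted in the post above, where connection errors are followed by a successful query (an added example, not code from the thread or from check_wmi_plus). The function name `triage`, the verdict labels and the shape of `ERROR` step lines are assumptions; c00000b5 is the NTSTATUS value STATUS_IO_TIMEOUT.

```python
import re

# NTSTATUS names for codes in wmic debug output; only the code quoted in the
# post is listed (0xC00000B5 is STATUS_IO_TIMEOUT in the NTSTATUS table).
NT_STATUS = {0xC00000B5: "STATUS_IO_TIMEOUT"}

FAIL_RE = re.compile(r"^\[[^\]]+\] failed NT status \(([0-9a-fA-F]{8})\) in (\w+)")
# The page only shows "OK" step lines; the "ERROR" form is an assumption.
STEP_RE = re.compile(r"^\[[^\]]+\] (OK|ERROR)\s*: (.+)$")
CLASS_RE = re.compile(r"^CLASS: (\S+)")


def triage(debug_output):
    """Classify one wmic debug run as 'ok', 'recovered' or 'failed'."""
    failures, steps, wmi_class = [], [], None
    for raw in debug_output.splitlines():
        line = raw.strip()
        m = FAIL_RE.match(line)
        if m:
            code = int(m.group(1), 16)
            failures.append((m.group(2), NT_STATUS.get(code, "0x%08X" % code)))
            continue
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(2), m.group(1) == "OK"))
            continue
        m = CLASS_RE.match(line)
        if m:
            wmi_class = m.group(1)
    # Data counts as returned only if every logged step passed and a CLASS
    # header (the start of the result set) was printed.
    got_data = wmi_class is not None and bool(steps) and all(ok for _, ok in steps)
    verdict = ("recovered" if failures else "ok") if got_data else "failed"
    return {"verdict": verdict, "failures": failures,
            "steps": [name for name, _ in steps], "class": wmi_class}

# Constructed sample: the two fragments quoted in the post, joined in order.
SAMPLE = """\
[librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv
[wmi/wmic.c:196:main()] OK   : Login to remote object.
[wmi/wmic.c:200:main()] OK   : WMI query execute.
[wmi/wmic.c:203:main()] OK   : Reset result of WMI query.
[wmi/wmic.c:212:main()] OK   : Retrieve result data.
CLASS: Win32_OperatingSystem
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "recovered" verdict means the run logged a connection failure and still returned a result set, which is the pattern reported above; "failed" means no result set was seen.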

Re: Check_WMI_Plus error when no results from eventlog

Post by mcapra » Wed Feb 15, 2017 5:54 pm

There are steps I can provide to work around the pycrypto error, but for the reasons you stated I think the changes for check_wmi_plus.pl I provided are probably a better lead to chase.
Former Nagios employee
http://www.mcapra.com/
mcapra
 
Posts: 3600
Joined: Thu May 05, 2016 3:54 pm

Re: Check_WMI_Plus error when no results from eventlog

Post by kgugerty » Thu Feb 16, 2017 11:03 am

mcapra wrote: You brought up the idea previously of changing the script to attempt to resolve the FQDN then use the IP. That doesn't require too many changes to the code actually.


This appears to be working! Thanks so much!
kgugerty
 
Posts: 29
Joined: Wed May 04, 2016 8:28 am

Re: Check_WMI_Plus error when no results from eventlog

Post by dwhitfield » Thu Feb 16, 2017 11:27 am

It sounds like this issue has been resolved. Is it okay if we lock this thread? Thanks for choosing the Nagios forums!
dwhitfield
Former Nagios Staff
 
Posts: 4577
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: Check_WMI_Plus error when no results from eventlog

Post by kgugerty » Sat Mar 04, 2017 8:35 am

Yes, this can be locked. Thank you very much for your help getting through this.
kgugerty
 
Posts: 29
Joined: Wed May 04, 2016 8:28 am

Re: Check_WMI_Plus error when no results from eventlog

Post by cdienger » Mon Mar 06, 2017 10:47 am

Glad we could help. We'll close this.
cdienger
Support Tech
 
Posts: 3913
Joined: Tue Feb 07, 2017 11:26 am
