Check_WMI_Plus error when no results from eventlog

tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: Check_WMI_Plus error when no results from eventlog

Post by tgriep »

The link below is for wmic commands information.
https://www.aldeid.com/wiki/Wmic-linux

When you run the wmic command, use the IP address and not the DNS name of the server. Does that work?

In the /etc/resolv.conf file on the XI server, add the IP address of your Active Directory servers so lookups can find the systems in AD.

Also, on the Windows host you are trying to run the check against, put the user account in the Local Administrators group and test to see if that works.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Check_WMI_Plus error when no results from eventlog

Post by mcapra »

In addition to what @tgriep requested, I've actually been looking at alternatives to WMIC since the output it provides isn't always useful and the documentation is limited. Though I suspect the FQDN vs IP is the key.

With the understanding that this is in the early testing stages and doesn't come with a particular guarantee, you might try leveraging the python script I have attached to execute WQL queries by hand and get the results. This is an option we're exploring beyond WMIC due to the availability of better debugging tools within Python. On a regular Nagios XI installation, you'll need to install the following dependencies:

Code: Select all

pip install impacket
pip install pyasn1
pip install pycrypto
Usage examples:

Code: Select all

[root@xi-rev tmp]# python send_wql.py -h
usage: send_wql.py [-h] -H HOST -u USERNAME -p PASSWORD -q QUERY

Executes WQL queries and gets object descriptions using Windows Management
Instrumentation.

optional arguments:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  The host name or logical address of the remote Windows
                        machine.
  -u USERNAME, --username USERNAME
                        The host name or logical address of the remote Windows
                        machine.
  -p PASSWORD, --password PASSWORD
                        The host name or logical address of the remote Windows
                        machine.
  -q QUERY, --query QUERY
                        The WQL query you wish to execute and get results for.

...

[root@xi-stable ~]# python send_wql.py -H 192.168.67.99 -u admin -p welcome123 -q 'select * from Win32_OperatingSystem'
{'MaxProcessMemorySize': 137438953344, 'WindowsDirectory': 'C:\\Windows', 'LastBootUpTime': '20170207132751.492051-360', 'SizeStoredInPagingFiles': 720896, 'MaxNumberOfProcesses': None, 'FreePhysicalMemory': 2201228, 'DataExecutionPrevention_Available': 'True', 'CSName': 'WIN-NFRUUIO4D46', 'MUILanguages': ['en-US'], 'SerialNumber': '00258-20571-39419-AA346', 'Distributed': 0, 'Primary': 'True', 'EncryptionLevel': 256, 'Debug': 0, 'SystemDrive': 'C:', 'Version': '6.3.9600', 'FreeSpaceInPagingFiles': 632944, 'NumberOfProcesses': 77, 'SystemDevice': '\\Device\\HarddiskVolume1', 'OSType': 18, 'CurrentTimeZone': -360, 'SystemDirectory': 'C:\\Windows\\system32', 'PlusProductID': 0, 'RegisteredUser': 'admin', 'Status': 'OK', 'ServicePackMajorVersion': 0, 'Description': 'My business server', 'CountryCode': '1', 'OSArchitecture': '64-bit', 'ForegroundApplicationBoost': 2, 'OperatingSystemSKU': 50, 'ServicePackMinorVersion': 0, 'SuiteMask': 305, 'OSProductSuite': 305, 'OSLanguage': 1033, 'DataExecutionPrevention_Drivers': 'True', 'TotalVirtualMemorySize': 4914608, 'NumberOfLicensedUsers': 0, 'DataExecutionPrevention_SupportPolicy': 3, 'TotalSwapSpaceSize': 0, 'Manufacturer': 'Microsoft Corporation', 'BuildType': 'Multiprocessor Free', 'CSDVersion': 0, 'FreeVirtualMemory': 2614940, 'Name': 'Microsoft Windows Server 2012 R2 Essentials|C:\\Windows|\\Device\\Harddisk0\\Partition1', 'InstallDate': '20160623112408.000000-300', 'NumberOfUsers': 8, 'Caption': 'Microsoft Windows Server 2012 R2 Essentials', 'TotalVisibleMemorySize': 4193712, 'LocalDateTime': '20170215113649.383000-360', 'OtherTypeDescription': 0, 'Organization': '', 'PortableOperatingSystem': 0, 'PAEEnabled': 0, 'PlusVersionNumber': 0, 'Locale': '0409', 'CSCreationClassName': 'Win32_ComputerSystem', 'BuildNumber': '9600', 'LargeSystemCache': 0, 'CodeSet': '1252', 'CreationClassName': 'Win32_OperatingSystem', 'DataExecutionPrevention_32BitApplications': 'True', 'BootDevice': '\\Device\\HarddiskVolume1', 'ProductType': 
2}

...

[root@xi-rev ~]# python send_wql.py -H 192.168.67.99 -u admin -p welcome123 -q 'select PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfOS_Processor where Name="_Total";'
{'Timestamp_Sys100NS': 131316538434507891, 'PercentProcessorTime': 6172579140625}
Former Nagios employee
https://www.mcapra.com/
kgugerty
Posts: 42
Joined: Wed May 04, 2016 8:28 am

Re: Check_WMI_Plus error when no results from eventlog

Post by kgugerty »

@tgriep

tgriep wrote: The link below is for wmic commands information.
https://www.aldeid.com/wiki/Wmic-linux

Thanks, I will check this site out.

tgriep wrote: When you run the wmic command, use the IP address and not the DNS name of the server. Does that work?

Yes, this works, but we are set up for DHCP, not static, so this could lead to other issues down the road.

tgriep wrote: In the /etc/resolv.conf file on the XI server, add the IP address of your Active Directory servers so lookups can find the systems in AD.

This did not solve the issue.

tgriep wrote: Also, on the Windows host you are trying to run the check against, put the user account in the Local Administrators group and test to see if that works.

The account is a member of the local admins.

@mcapra Thanks, I can look into this as well.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Check_WMI_Plus error when no results from eventlog

Post by mcapra »

You brought up the idea previously of changing the script to attempt to resolve the FQDN then use the IP. That doesn't require too many changes to the code actually.

In the modules section near the top, make sure to add the following:

Code: Select all

use Socket;
Around line 1980, change this:

Code: Select all

# now add the namespace, hostname and query arguments
push(@wmi_args,'--namespace',$wmi_namespace);
push(@wmi_args,"//$the_arguments{'_host'}");
push(@wmi_args,"$wmi_query");
To this:

Code: Select all

# now add the namespace, hostname and query arguments
push(@wmi_args,'--namespace',$wmi_namespace);

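# resolve fqdn to ip address first; inet_aton returns undef when the lookup
# fails, so fall back to the host as given instead of dying in inet_ntoa
my $packed_ip = inet_aton($the_arguments{'_host'});
my $address = defined($packed_ip) ? inet_ntoa($packed_ip) : $the_arguments{'_host'};
push(@wmi_args,"//$address");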

push(@wmi_args,"$wmi_query");
See if that helps things a bit. Looks promising in my very limited tests:

Code: Select all

[root@xi-stable perfdata]# /usr/local/nagios/libexec/check_wmi_plus.pl -H 192.168.67.99 -u admin -p welcome123 -m checkcpu -d | grep wmic
QUERY: /usr/bin/wmic '-U' 'USER%PASS' '--namespace' 'root/cimv2' '//192.168.67.99' 'select PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfOS_Processor where Name="_Total"'

...

[root@xi-stable perfdata]# /usr/local/nagios/libexec/check_wmi_plus.pl -H mywmi.host.com -u admin -p welcome123 -m checkcpu -d | grep wmic
QUERY: /usr/bin/wmic '-U' 'USER%PASS' '--namespace' 'root/cimv2' '//192.168.67.99' 'select PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfOS_Processor where Name="_Total"'
Former Nagios employee
https://www.mcapra.com/
kgugerty
Posts: 42
Joined: Wed May 04, 2016 8:28 am

Re: Check_WMI_Plus error when no results from eventlog

Post by kgugerty »

@mcapra The last command, "pip install pycrypto", produced an error message.

Code: Select all

pip install impacket
pip install pyasn1
pip install pycrypto

Code: Select all

...
    error: command 'gcc' failed with exit status 1

    ----------------------------------------
Command "/usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-o9VnZ3/pycrypto/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-41lRxn-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-o9VnZ3/pycrypto/
pip version

Code: Select all

# pip --version
pip 9.0.1 from /usr/lib/python2.6/site-packages (python 2.6)

I'd rather not dive into another whole level of troubleshooting to get this to work. Particularly since after getting it to work, I'd have to go back in and redo all the WMI service checks we already have in place. It is something I could probably toy with on my own time to measure performance / reliability differences, but for our production servers, I really need the WMIC check to work.

Back to @tgriep's link: https://www.aldeid.com/wiki/Wmic-linux is helpful, but it is pretty much a web site containing the --help output with two very basic examples. I found entering the --kerberos="no" command suppresses the kinit command and I do not see the "unable to reach any KDC in realm..." error message. Unfortunately, I still see:

Code: Select all

[librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv
The odd thing is, AFTER that error message, I see the results of the query:

Code: Select all

[wmi/wmic.c:196:main()] OK   : Login to remote object.
[wmi/wmic.c:200:main()] OK   : WMI query execute.
[wmi/wmic.c:203:main()] OK   : Reset result of WMI query.
[wmi/wmic.c:212:main()] OK   : Retrieve result data.
CLASS: Win32_OperatingSystem
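
A way to triage the wmic debug output quoted in the post above, added here as an illustration and not posted by anyone in the thread: it separates the dcerpc failure lines from the steps that reported OK and says whether result data came back. The function name and the status-name table are assumptions of this example; c00000b5 is the NTSTATUS value STATUS_IO_TIMEOUT.

```python
import re

# Only the status value that appears in the thread is named; others print as hex.
NT_STATUS_NAMES = {0xC00000B5: "STATUS_IO_TIMEOUT"}

# Line shapes follow the wmic debug output quoted in the post above.
DEBUG_LINE = re.compile(
    r"^\[(?P<src>[^\]:]+):(?P<lineno>\d+):(?P<func>\w+)\(\)\]\s*(?P<msg>.*)$")
NT_STATUS = re.compile(r"failed NT status \((?P<code>[0-9a-fA-F]{8})\)")

# Sample input: the debug lines as quoted in the post above.
SAMPLE = """\
[librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv
[wmi/wmic.c:196:main()] OK   : Login to remote object.
[wmi/wmic.c:200:main()] OK   : WMI query execute.
[wmi/wmic.c:203:main()] OK   : Reset result of WMI query.
[wmi/wmic.c:212:main()] OK   : Retrieve result data.
CLASS: Win32_OperatingSystem
"""

def triage_wmic_debug(output):
    """Return RPC failures, steps that reported OK, and classes returned."""
    failures, ok_steps, classes = [], [], []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("CLASS:"):
            classes.append(line.split(":", 1)[1].strip())
            continue
        m = DEBUG_LINE.match(line)
        if not m:
            continue  # result rows and anything else are not debug lines
        status = NT_STATUS.search(m.group("msg"))
        if status:
            code = int(status.group("code"), 16)
            failures.append((m.group("func"),
                             NT_STATUS_NAMES.get(code, "0x%08X" % code)))
        elif m.group("msg").startswith("OK"):
            ok_steps.append(m.group("msg").split(":", 1)[1].strip())
    # Data came back if the retrieve step reported OK and a CLASS header followed.
    succeeded = "Retrieve result data." in ok_steps and bool(classes)
    return {"failures": failures, "ok_steps": ok_steps,
            "classes": classes, "query_succeeded": succeeded}

if __name__ == "__main__":
    report = triage_wmic_debug(SAMPLE)
    for func, status in report["failures"]:
        print("RPC failure in %s: %s" % (func, status))
    print("query succeeded:", report["query_succeeded"], report["classes"])
```
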
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Check_WMI_Plus error when no results from eventlog

Post by mcapra »

There are steps I can provide to work around the pycrypto error, but for the reasons you stated I think the changes for check_wmi_plus.pl I provided are probably a better lead to chase.
Former Nagios employee
https://www.mcapra.com/
kgugerty
Posts: 42
Joined: Wed May 04, 2016 8:28 am

Re: Check_WMI_Plus error when no results from eventlog

Post by kgugerty »

mcapra wrote: You brought up the idea previously of changing the script to attempt to resolve the FQDN then use the IP. That doesn't require too many changes to the code actually.

In the modules section near the top, make sure to add the following:

Code: Select all

use Socket;
Around line 1980, change this:

Code: Select all

# now add the namespace, hostname and query arguments
push(@wmi_args,'--namespace',$wmi_namespace);
push(@wmi_args,"//$the_arguments{'_host'}");
push(@wmi_args,"$wmi_query");
To this:

Code: Select all

# now add the namespace, hostname and query arguments
push(@wmi_args,'--namespace',$wmi_namespace);

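# resolve fqdn to ip address first; inet_aton returns undef when the lookup
# fails, so fall back to the host as given instead of dying in inet_ntoa
my $packed_ip = inet_aton($the_arguments{'_host'});
my $address = defined($packed_ip) ? inet_ntoa($packed_ip) : $the_arguments{'_host'};
push(@wmi_args,"//$address");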

push(@wmi_args,"$wmi_query");
See if that helps things a bit. Looks promising in my very limited tests:

Code: Select all

[root@xi-stable perfdata]# /usr/local/nagios/libexec/check_wmi_plus.pl -H 192.168.67.99 -u admin -p welcome123 -m checkcpu -d | grep wmic
QUERY: /usr/bin/wmic '-U' 'USER%PASS' '--namespace' 'root/cimv2' '//192.168.67.99' 'select PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfOS_Processor where Name="_Total"'

...

[root@xi-stable perfdata]# /usr/local/nagios/libexec/check_wmi_plus.pl -H mywmi.host.com -u admin -p welcome123 -m checkcpu -d | grep wmic
QUERY: /usr/bin/wmic '-U' 'USER%PASS' '--namespace' 'root/cimv2' '//192.168.67.99' 'select PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfOS_Processor where Name="_Total"'

This appears to be working! Thanks so much!
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN
Contact:

Re: Check_WMI_Plus error when no results from eventlog

Post by dwhitfield »

It sounds like this issue has been resolved. Is it okay if we lock this thread? Thanks for choosing the Nagios forums!
kgugerty
Posts: 42
Joined: Wed May 04, 2016 8:28 am

Re: Check_WMI_Plus error when no results from eventlog

Post by kgugerty »

Yes, this can be locked. Thank you very much for your help getting through this.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Check_WMI_Plus error when no results from eventlog

Post by cdienger »

Glad we could help. We'll close this.