dcerpc_connect

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.

Post by onegative »

G'day Nagios XI Support,

I have a question about errors I am seeing...here is the scenario as I can best determine.

If I add a WMI host from the WMI Wizard and include all the monitoring I want within it from scratch, the check_xi_service_wmiplus command functions as expected on all monitors.

But if I attempt to add an additional WMI monitor to the existing host I get the following error...

UNKNOWN - The WMI query had problems. The error text from wmic is: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv

If I run the command from the command line using the fqdn I get this error as well.

[root@csdev95 ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -H its-bmc-app02.amc.uwmedicine.org -u 'www\myacct' -p mysecret' -m checkeventlog -a 'System' -o 1 -3 1 -w '10' -c '15'

UNKNOWN - The WMI query had problems. The error text from wmic is: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv


But if I use the actual ipAddr using the same exact command on the command-line it functions as expected and correctly.

[root@csdev95 ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -H 69.91.248.222 -u 'www\myacct' -p mysecret' -m checkeventlog -a 'System' -o 1 -3 1 -w '10' -c '15'

OK - 0 event(s) of at least Severity Level "Error", were recorded in the last 1 hours from the System Event Log.|'Event Count'=0;10;15;

That indicates to me that when you add a new host with all the WMI monitors you need everything works via its use of the ipAddr but once you start customizing and adding individual WMI monitors you get this issue because the new ones are using the fqdn????

I have verified the entry for the new service looks completely identical to the other existing wmi services... I am dumbfounded!

Can you please confirm whether or not you can duplicate this issue yourself on Nagios XI 2014R2.6 running on Redhat 3.10.0-123.20.1.el7.x86_64?

Please let me know and thanks,
Danny

Post by lmiltchev »

Can you run the following command and show us the output?

nslookup 69.91.248.222

Is the output "its-bmc-app02.amc.uwmedicine.org"?

Post by onegative »

Yea that figures...we do not have reverse lookup...bummer dude!

Post by jolson »

Hello,

I have just performed a test using my local lab on the same version of Nagios, and it came back successfully:

[root@nagios libexec]# ./check_wmi_plus.pl -H jessetest -u 'wmiagent' -p 'wmiagent' -m checkeventlog -a 'System' -o 1 -3 1 -w '10' -c '15'
OK - 0 event(s) of at least Severity Level "Error", were recorded in the last 1 hours from the System Event Log.|'Event Count'=0;10;15;

I did notice that you have not wrapped your password field in quotes appropriately; I have modified your command and would like you to attempt running the following:

./usr/local/nagios/libexec/check_wmi_plus.pl -H 'its-bmc-app02.amc.uwmedicine.org' -u 'www\myacct' -p 'mysecret' -m checkeventlog -a 'System' -o 1 -3 1 -w '10' -c '15'

If that still does not work properly, I have a few theories...

1. Try disabling SELinux temporarily. I like to recommend this because SELinux can impact systems in unexpected ways:

sestatus
setenforce 0

2. Add 'its-bmc-app02.amc.uwmedicine.org' to your hosts file and test again.

echo "69.91.248.222 its-bmc-app02.amc.uwmedicine.org" >> /etc/hosts

Let us know the results. Thanks!

Post by onegative »

[root@csdev95 ~]# nslookup its-bmc-app02.amc.uwmedicine.org
Server: 140.142.5.214
Address: 140.142.5.214#53

Non-authoritative answer:
Name: its-bmc-App02.amc.uwmedicine.org
Address: 69.91.248.222


[root@csdev95 ~]# nslookup 69.91.248.222
Server: 140.142.5.214
Address: 140.142.5.214#53

** server can't find 222.248.91.69.in-addr.arpa.: NXDOMAIN

Post by onegative »

Yeppers added to /etc/hosts

[root@csdev95 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.146.20.181 csdev95.mcis.washington.edu
69.91.248.222 its-bmc-app02.amc.uwmedicine.org

Still fails...

[root@csdev95 ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -H its-bmc-app02.amc.uwmedicine.org -u 'www\myacct' -p 'mysecret' -m checkeventlog -a 'System' -o 1 -3 1 -w '10' -c '15'
UNKNOWN - The WMI query had problems. The error text from wmic is: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv


[root@csdev95 ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -H 69.91.248.222 -u 'www\myacct' -p 'mysecret' -m checkeventlog -a 'System' -o 1 -3 1 -w '10' -c '15'
OK - 0 event(s) of at least Severity Level "Error", were recorded in the last 1 hours from the System Event Log.|'Event Count'=0;10;15;

Post by onegative »

[root@csdev95 ~]# sestatus
SELinux status: disabled

Post by tgriep »

Are you running Microsoft Active Directory to authenticate to the server?

Did you follow these instructions to enable WMI on your Windows server?

http://assets.nagios.com/downloads/nagiosxi/docs/Monitoring-Windows-Using-WMI-and-Nagios-XI.pdf

Post by jolson »

Interesting. I made an edit to my hosts file as follows:

[root@nagios /]# cat /etc/hosts
192.168.1.1 jessetest.something.something.com
[root@nagios /]#

Pinging the server works fine:

[root@nagios /]# ping jessetest.something.something.com
PING jessetest.something.something.com (192.168.1.1) 56(84) bytes of data.
64 bytes from jessetest.something.something.com (192.168.1.1): icmp_seq=1 ttl=128 time=3.83 ms
64 bytes from jessetest.something.something.com (192.168.1.1): icmp_seq=2 ttl=128 time=1.85 ms

Check_wmi however fails, unless I use the IP instead of hostname:

[root@nagios /]# ./usr/local/nagios/libexec/check_wmi_plus.pl -H 'jessetest.something.something.com' -u 'wmiagent' -p 'wmiagent' -m checkeventlog -a 'System' -o 1 -3 1 -w '10' -c '15'
UNKNOWN - Plugin Timed out (15 sec)

[root@nagios /]# ./usr/local/nagios/libexec/check_wmi_plus.pl -H '192.168.1.1' -u 'wmiagent' -p 'wmiagent' -m checkeventlog -a 'System' -o 1 -3 1 -w '10' -c '15'
OK - 0 event(s) of at least Severity Level "Error", were recorded in the last 1 hours from the System Event Log.|'Event Count'=0;10;15;

It looks like check_wmi_plus.pl will not work if the hostname of the endpoint does not match exactly. Please check your capitalization and attempt to use the shortname if possible (whatever the 'Computer Name' is).

The only option I can get working from the command line is 'jessetest' as opposed to 'jessetest.testcompany.local'.

Let me know if that helps solve your problem!

Post by onegative »

I think you are missing the point...if I add this host and include eventlog monitoring initially it works...with no issue.

If I add the eventlog monitoring after the fact or any other wmi service for that matter it does not.

If I look at the difference between how the WMI Wizard adds the service definition when eventlog monitoring is included initially and the way it looks added afterwards there is a difference...why? Is it possible this is the difference in the way it's working?

This one works when I add the eventlog monitoring with the initial host...the only difference is highlighted in RED.

define service {
    host_name its-bmc-app02.amc.uwmedicine.org
    service_description System Log Critical Errors
    use xiwizard_windowswmi_service
    check_command check_xi_service_wmiplus!'www\myacct'!'mysecret'!checkeventlog!-a 'System' -o 1 -3 1 -w '10' -c '15'
    max_check_attempts 5
    check_interval 5
    retry_interval 1
    check_period xi_timeperiod_24x7
    notification_interval 60
    notification_period xi_timeperiod_24x7
    contacts dg0123
    _xiwizard windowswmi
    register 1
}

This is how it looks if you add the eventlog monitor after the host already exists...missing the "use xiwizard_windowswmi_service" pairing

define service {
    host_name its-bmc-app02.amc.uwmedicine.org
    service_description System Log Critical Errors
    check_command check_xi_service_wmiplus!'www\myacct'!'mysecret'!checkeventlog!-a 'System' -o 1 -3 1 -w '10' -c '15'!!!!
    max_check_attempts 5
    check_interval 5
    retry_interval 1
    check_period xi_timeperiod_24x7
    notification_interval 60
    notification_period xi_timeperiod_24x7
    contacts dg0123
    _xiwizard windowswmi
    register 1
}
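
The comparison made in the last post, as an added example that is not part of the original thread or of Nagios XI: a small Python parser that diffs two `define service` blocks and splits `check_command` on `!` so empty trailing arguments become visible. The function names are hypothetical, and the sample input is the two definitions from the post, trimmed to a few directives.

```python
import re

# Sample input: the two definitions from the post, trimmed to a few
# directives (credentials are the post's own placeholders).
WIZARD_INITIAL = r"""
define service {
    host_name           its-bmc-app02.amc.uwmedicine.org
    use                 xiwizard_windowswmi_service
    check_command       check_xi_service_wmiplus!'www\myacct'!'mysecret'!checkeventlog!-a 'System' -o 1 -3 1 -w '10' -c '15'
    max_check_attempts  5
}
"""
ADDED_LATER = r"""
define service {
    host_name           its-bmc-app02.amc.uwmedicine.org
    check_command       check_xi_service_wmiplus!'www\myacct'!'mysecret'!checkeventlog!-a 'System' -o 1 -3 1 -w '10' -c '15'!!!!
    max_check_attempts  5
}
"""

def parse_service(text):
    """Return {directive: value} for the first 'define service { ... }' block."""
    match = re.search(r"define\s+service\s*\{(.*?)\}", text, re.S)
    if match is None:
        raise ValueError("no 'define service' block found")
    directives = {}
    for line in match.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue                      # skip blank and comment lines
        parts = line.split(None, 1)       # directive name, then its value
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives

def diff_services(a, b):
    """List (directive, value_a, value_b) where the two definitions differ.
    check_command is split on '!' so empty trailing arguments show up."""
    report = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key), b.get(key)
        if va == vb:
            continue
        if key == "check_command" and va is not None and vb is not None:
            va, vb = va.split("!")[1:], vb.split("!")[1:]   # argument lists
        report.append((key, va, vb))
    return report

if __name__ == "__main__":
    for row in diff_services(parse_service(WIZARD_INITIAL), parse_service(ADDED_LATER)):
        print(row)
```

It reports only what differs between the two definitions; whether the missing `use` template or the four empty arguments changes how the check runs is not established in the thread.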