check_wmi_plus and check_win_eventlog showing no events

[mclark]

I have tried making the account a local admin on the server with no success.

[tgriep]

You said earlier that if you use a local account, some of the checks work, can you use that account for this command and post the output?
/usr/local/nagios/libexec/check_wmi_plus.pl -H 192.168.1.1 -u domain/username -p password -m checkeventlog -d

[mclark]

@tgriep,

The output is below. Since this call was accurate, there are no errors found in the System log, it appears that my command definition is wrong. Yes?

=====================================================================================================================================================================

Code: Select all

Command Line (v1.59): /usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.pl -H 10.3.1.211 -u USER -p PASS -m checkeventlog -d
Conf File Dir: /usr/local/nagios/bin/plugins/check_wmi_plus
Loaded Conf File /usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.conf
Round #1 of 1
QUERY: /bin/wmic '-U' 'USER%PASS' '--namespace' 'root/cimv2' '//10.3.1.211' 'Select EventCode,EventIdentifier,Type,LogFile,SourceName,Message,TimeGenerated from Win32_NTLogEvent where ( Logfile="System" ) and EventType<=1 and EventType>0 and TimeGenerated > "20160621163800.00000000"'
OUTPUT:
WMI DATA:$VAR1 = [
          [
            {
              '_ChecksOK' => 1,
              '_ItemCount' => 0
            }
          ]
        ];
No In/Exclusions defined
Testing TEST VALUES $VAR1 = {
          '_ChecksOK' => 1,
          '_SeverityType' => 'Error',
          '_EventList' => '',
          '_ItemCount' => 0
        };
WARNING SPECS: $VAR1 = undef;
CRITICAL SPECS: $VAR1 = undef;
------------ Critical Check ------------
------------ Warning Check ------------
------------ End Check ------------
Data Passed back from check: $VAR1 = {
          '_DisplayMsg' => 'OK',
          '_EventList' => '',
          '_TestResult' => 0,
          '_ChecksOK' => 1,
          '_SeverityType' => 'Error',
          '_StatusType' => 'OK',
          '_ItemCount' => 0,
          '_Triggers' => ''
        };
---------- Building Up Display
Incoming Data $VAR1 = {
          '_submode' => '',
          '_nodatastring' => 'WMI Query returned no data. The item you were looking for may NOT exist or the software that creates the WMI Class may not be running, or all data has been excluded.
',
          '_TestResult' => 0,
          '_arg5' => '',
          '_ChecksOK' => 1,
          '_host' => '10.3.1.211',
          '_nodatamode' => '',
          '_mode' => 'checkeventlog',
          '_savedbytefactor' => '',
          '_ItemCount' => 0,
          '_arg3' => 1,
          '_EventList' => '',
          '_DisplayMsg' => 'OK',
          '_arg1' => 'System',
          '_arg2' => '',
          '_timeout' => '',
          '_StatusType' => 'OK',
          '_SeverityType' => 'Error',
          '_delay' => '',
          '_bytefactor' => 1024,
          '_arg4' => 'eventdefault',
          '_nodataexit' => '',
          '_Triggers' => ''
        };
------- Processing _DisplayMsg||~|~| - ||
Complex Format:_DisplayMsg,,~,~, - ,,
_DisplayMsg||~|~| - || ----> OK -
------- Processing _ItemCount| event(s)|~|~| ||
Complex Format:_ItemCount, event(s),~,~, ,,
_ItemCount| event(s)|~|~| || ----> 0 event(s)
------- Processing _SeverityType||~|~||of Severity Level: "|"
Complex Format:_SeverityType,,~,~,,of Severity Level: ","
_SeverityType||~|~||of Severity Level: "|" ----> of Severity Level: "Error",
------- Processing _arg3| hours|~|~|~|were recorded in the last |
Complex Format:_arg3, hours,~,~,~,were recorded in the last ,
_arg3| hours|~|~|~|were recorded in the last | ----> were recorded in the last 1 hours
------- Processing _arg1||~|~|~| from the | Event Log.
Complex Format:_arg1,,~,~,~, from the , Event Log.
_arg1||~|~|~| from the | Event Log. ---->  from the System Event Log.
------- Processing _EventList||~|~|~||
Complex Format:_EventList,,~,~,~,,
_EventList||~|~|~|| ---->
---------- Building Up Performance Data
------- Processing _ItemCount||Event Count
Complex Format:_ItemCount,,Event Count
_ItemCount||Event Count (Field=_ItemCount) ----> 'Event Count'=0;;;
---------- Done
OUT:OK - 0 event(s) of Severity Level: "Error", were recorded in the last 1 hours from the System Event Log.|'Event Count'=0;

OK - 0 event(s) of Severity Level: "Error", were recorded in the last 1 hours from the System Event Log.|'Event Count'=0;

[tgriep]

That was a default check that only looked at the System Log file for errors and it looks like that account has the permissions to do so.
Now run this to see if we get a response out of the application log file.

Code: Select all

/usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.pl -H 10.3.1.211 -u USER -p PASS -m checkeventlog -a application -o 2 -3 4 -d

If this fails, then that account doesn't have permissions to that log.

[mclark]

Before I tried using "-a application" I tried the system log as below. It still returned nothing. I'm not getting a login error now, which is a step forward.

Code: Select all

/usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.pl -H HOST -u USER -p PASS -m checkeventlog -o 3 -3 24 -d

output of command
============

Code: Select all

OK - 0 event(s) of Severity Level: "Error,Warning,Information", were recorded in the last 24 hours from the System Event Log.|'Event Count'=0;

Now I know that the call is not working properly as there are plenty of Information messages in the system log from the last 24 hours. I did try using "-a application" and it returned the same results. I have tried this on different servers, 2008, 2008r2, and 2012r2. All with the same results--0 events returned.

[tgriep]

It could be a bug in the plugin. I am running version 1.60 and It works for me.
Try upgrading the plugin and see if that works for you. See the link below.
http://www.edcint.co.nz/checkwmiplus/

[mclark]

Good idea. I'll try that.

[tgriep]

Let us know how it works out.

[mclark]

That didn't go as planned. I followed the upgrade steps to go from 1.59 to 1.61.

After I did that and reloaded nagios all the check_wmi_plus checks stopped working. I had to revert to the previous version.

Given the resource constraints I need to put this on hold for now. We'll look for a different method to monitor the windows event logs.

Thanks for everyone's help on this! It is truly appreciated.

[tgriep]

What types of errors did you get after doing the upgrade?
You could try just upgrading the check_wmi_plus.pl script and leave everything else alone and see if that works.