Check_WMI_Plus error when no results from eventlog
Hello,
I've been working with the check_wmi_plus plugin for a bit of a while now. Most issues I came across I was able to resolve using this forum and a variety of other sources. This one has me stumped though.
This is from the command line or from the 'Run Check Command' option in the Nagios XI UI.
# /usr/local/nagios/libexec/check_wmi_plus.pl -H HOSTNAME -u USERNAME -p PASSWORD -m checkeventlog -a system -o 2 -3 4 -w 1 -c 6
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv
This check should show me system warnings and errors for the past four hours and give a warning message if 1-6 results are found and a critical if > 6 results are found. That part works. The issue I have is that when there are NO messages returned I do not get an 'OK' result. I get the above error message.
I have tried the --nodatamode, --nodatamessage, and --nodataexit options in various combinations to see if anything would work.
I do not currently have this check set up in an ini file. Is that where the nodataexit code can be set? If so, does anyone have an example?
Re: Check_WMI_Plus error when no results from eventlog
What's the output of ./check_wmi_plus.pl --version?
Also, what version of XI are you running?
It's almost certainly overkill, but if you want to be really thorough... can you PM me your Profile? You can download it by going to Admin > System Config > System Profile and click the Download Profile button towards the top. If for whatever reason you *cannot* download the profile, please put the output of View System Info (5.3.4+, Show Profile if older) in the thread (that will at least get us some info).
After you PM the profile, please update this thread (of course, you should do that with the two other questions I asked anyway). Updating this thread is the only way for it to show back up on our dashboard.
Re: Check_WMI_Plus error when no results from eventlog
./check_wmi_plus.pl --version
Version: 1.6
Nagios XI Version 5.3.3 VMware installation.
System Profile:
System:
Nagios XI Version : 5.3.3
localhost.localdomain 2.6.32-504.16.2.el6.x86_64 x86_64
CentOS release 6.6 (Final)
Gnome is not installed
Apache Information
PHP Version: 5.3.3
Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36
Date/Time
PHP Timezone: US/Central
PHP Time: Fri, 06 Jan 2017 11:50:29 -0600
System Time: Fri, 06 Jan 2017 11:50:29 -0600
I have not yet PM'd the whole profile. Let me know if you think that is still needed.
Re: Check_WMI_Plus error when no results from eventlog
What's the output of sestatus? I know that seems weird, but with dcerpc we've seen SELinux issues in the past.
Also, do you have your quotes set appropriately in the command? I know you are just using variables here, but there's nothing quoted. If you could give us something a little closer like the actual host name and username that might help. You can just PM me the full check minus the password if you like.
Full profile is probably not necessary. I just hate to get 3 pages into these things and think "hmm, maybe it's time for the profile"
UPDATE: profile received and shared with techs
Re: Check_WMI_Plus error when no results from eventlog
I would also be interested in seeing the debug output from the WMI query (when it's failing and throwing the error) using the -d argument like so:
Code: Select all
/usr/local/nagios/libexec/check_wmi_plus.pl -H HOSTNAME -u USERNAME -p PASSWORD -m checkeventlog -a system -o 2 -3 4 -w 1 -c 6 -d
I've been unable to replicate this so far against check_wmi_plus 1.6:
Code: Select all
[root@xi-stable ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -H 192.168.67.99 -u admin -p welcome123@ -m checkeventlog -a system -o 2 -3 4 -w 4 -c 6
OK - 0 event(s) of Severity Level: "Error,Warning", were recorded in the last 4 hours from the system Event Log.|'Event Count'=0;4;6;
[root@xi-stable ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -version
Version: 1.6
Former Nagios employee
https://www.mcapra.com/
Re: Check_WMI_Plus error when no results from eventlog
Below is an execution with the debug option.
Code: Select all
Command Line (v1.6): /usr/local/nagios/libexec/check_wmi_plus.pl -H HOST -u USER -p PASS -m checkeventlog -a system -o 2 -3 4 -w 1 -c 6 -d
Base Dir: /usr/local/nagios/libexec
Conf File Dir: /usr/local/nagios/libexec
Loaded Conf File /usr/local/nagios/libexec/check_wmi_plus.conf
Round #1 of 1
QUERY: /usr/bin/wmic '-U' 'USER%PASS' '--namespace' 'root/cimv2' '//HOST' 'Select EventCode,EventIdentifier,Type,LogFile,SourceName,Message,TimeGenerated from Win32_NTLogEvent where ( Logfile="system" ) and EventType<=2 and EventType>0 and TimeGenerated > "20170106180100.00000000"'
OUTPUT: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv
Could not find the CLASS: line - an error occurred
WMI DATA:$VAR1 = [];
UNKNOWN - The WMI query had problems. The error text from wmic is: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv
This is the same command executed over a 24 hour period (without the debug option)
Code: Select all
CRITICAL - [Triggered by _ItemCount>6] - 7 event(s) of Severity Level: "Error,Warning", were recorded in the last 24 hours from the system Event Log. (List is on next line. Fields shown are - Logfile:TimeGenerated:EventId:EventCode:SeverityLevel:Type:SourceName:Message)|'Event Count'=7;1;6;
System:20170106023934.000000-000:1111:1111:Error:Microsoft-Windows-TerminalServices-Printers:Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
System:20170106023934.000000-000:1111:1111:Error:Microsoft-Windows-TerminalServices-Printers:Driver SHARP UD2 PCL6 required for printer SHARP UD2 PCL6 is unknown. Contact the administrator to install the driver before you log in again.
System:20170106023933.000000-000:1111:1111:Error:Microsoft-Windows-TerminalServices-Printers:Driver PDF-XChange 4.0 required for printer PDF-XChange 4.0 is unknown. Contact the administrator to install the driver before you log in again.
System:20170106023930.000000-000:1111:1111:Error:Microsoft-Windows-TerminalServices-Printers:Driver PDF-XChange 3.0 required for printer PDF-XChange 3.0 is unknown. Contact the administrator to install the driver before you log in again.
System:20170106023928.000000-000:1111:1111:Error:Microsoft-Windows-TerminalServices-Printers:Driver Dell Open Print Driver (PCL XL) required for printer !!SERVER!PRINTER is unknown. Contact the administrator to install the driver before you log in again.
System:20170106023926.000000-000:1111:1111:Error:Microsoft-Windows-TerminalServices-Printers:Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.
System:20170106023925.000000-000:1111:1111:Error:Microsoft-Windows-TerminalServices-Printers:Driver Xerox WorkCentre 5845 V4 PS required for printer Xerox WorkCentre 5845 PS is unknown. Contact the administrator to install the driver before you log in again.
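Added example, not part of the original thread and not code from check_wmi_plus: the debug output above shows wmic failing with NT status c00000b5 (STATUS_IO_TIMEOUT) during the DCE/RPC connect, which is a transport error rather than an empty result set. The shell functions below separate the two cases in captured plugin output; the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify captured check_wmi_plus / wmic output.
# Return codes follow the Nagios plugin convention:
#   0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.

# Print the first NT status code found in the text (lowercase hex), or nothing.
nt_status() {
    printf '%s\n' "$1" |
        sed -n 's/.*failed NT status (\([0-9a-fA-F]\{8\}\)).*/\1/p' |
        head -n 1 | tr 'A-F' 'a-f'
}

# Map a few well-known NTSTATUS values to their symbolic names.
nt_status_name() {
    case "$1" in
        c00000b5) echo "STATUS_IO_TIMEOUT" ;;
        c0000022) echo "STATUS_ACCESS_DENIED" ;;
        c000006d) echo "STATUS_LOGON_FAILURE" ;;
        *)        echo "unrecognised NTSTATUS" ;;
    esac
}

# classify_wmic TEXT: print a verdict line, return the Nagios exit code.
# A transport error always wins, so it can never be reported as "0 events".
classify_wmic() {
    cw_code=$(nt_status "$1")
    if [ -n "$cw_code" ]; then
        echo "UNKNOWN - wmic transport error 0x$cw_code ($(nt_status_name "$cw_code")), not an empty result"
        return 3
    fi
    cw_first=$(printf '%s\n' "$1" | head -n 1)
    case "$cw_first" in
        "OK - "*)       echo "$cw_first"; return 0 ;;
        "WARNING - "*)  echo "$cw_first"; return 1 ;;
        "CRITICAL - "*) echo "$cw_first"; return 2 ;;
        *)              echo "UNKNOWN - unparseable plugin output"; return 3 ;;
    esac
}

# Constructed samples modelled on the output quoted in this thread.
SAMPLE_FAIL='[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv'
SAMPLE_OK="OK - 0 event(s) of Severity Level: \"Error,Warning\", were recorded in the last 4 hours from the system Event Log.|'Event Count'=0;4;6;"

for sample in "$SAMPLE_FAIL" "$SAMPLE_OK"; do
    rc=0
    classify_wmic "$sample" || rc=$?
    echo "exit code: $rc"
done
```

Keeping a connect failure at UNKNOWN matters for event-log monitoring: mapping it to exit code 0 would report a host as clean while its log is not being read at all.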
Re: Check_WMI_Plus error when no results from eventlog
dwhitfield wrote:
What's the output of sestatus? I know that seems weird, but with dcerpc we've seen SELinux issues in the past.
Also, do you have your quotes set appropriately in the command? I know you are just using variables here, but there's nothing quoted. If you could give us something a little closer like the actual host name and username that might help. You can just PM me the full check minus the password if you like.
Full profile is probably not necessary. I just hate to get 3 pages into these things and think "hmm, maybe it's time for the profile"
Hi dwhitfield, I apologize I missed this entirely earlier!
SELinux is disabled
Code: Select all
sestatus
SELinux status: disabled
Re: Check_WMI_Plus error when no results from eventlog
mcapra wrote:
I've been unable to replicate this so far against check_wmi_plus 1.6:
Code: Select all
[root@xi-stable ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -H 192.168.67.99 -u admin -p welcome123@ -m checkeventlog -a system -o 2 -3 4 -w 4 -c 6
OK - 0 event(s) of Severity Level: "Error,Warning", were recorded in the last 4 hours from the system Event Log.|'Event Count'=0;4;6;
[root@xi-stable ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -version
Version: 1.6
Hi mcapra,
Did you make any modifications to check_wmi_plus.ini or check_wmi_plus.conf?
Re: Check_WMI_Plus error when no results from eventlog
Keeping everyone informed:
--I supplied dwhitfield with the profile export and unmodified check command.
Also, as mcapra was unable to replicate, I decided to re-import a fresh install from the VMware OVA template in a test environment. I installed the WMI Client following the instructions at:
https://assets.nagios.com/downloads/nag ... 1433350835
and had no issues. I even applied the mod_gearman updates for load balancing and still see no issues.
So it is definitely something I did. At this point I am not certain which would be more time consuming: figuring out what I did, or rebuilding the system.
Re: Check_WMI_Plus error when no results from eventlog
I did not make any modifications to the aforementioned files. If you can provide copies of the following files:
Code: Select all
check_wmi_plus.ini
check_wmi_plus.conf
check_wmi_plus.pl
I can test them on my working machine to see if it's strictly a wmic problem or an issue with the plugin's various dependencies. My best guess is that wmic wasn't built correctly on the problematic system. Can you also share the output of:
Code: Select all
/usr/bin/wmic --version
Former Nagios employee
https://www.mcapra.com/