Windows process Monitoring

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
mindspring
Posts: 117
Joined: Thu Jul 19, 2012 10:24 am

Re: Windows process Monitoring

Post by mindspring »

Ok I seem to be getting this error now:

Code: Select all


Base Dir: /usr/local/nagios/libexec
Conf File Dir: /usr/local/nagios/libexec
Loaded Conf File /usr/local/nagios/libexec/check_wmi_plus.conf
Opening Ini Files ...
   opening first ini file: /usr/local/nagios/libexec/check_wmi_plus.ini
   checking ini dir /usr/local/nagios/libexec, found 1 file(s)
   opening ini file: check_wmi_plus.ini
Global Static Ini Variables: $VAR1 = {};
Found Group checkproc
GROUP MEMBERS $VAR1 = [
          'checkproc cmdline',
          'checkproc memory',
          'checkproc memoryabove',
          'checkproc memorytotals',
          'checkproc cpu',
          'checkproc cpuabove',
          'checkproc count',
          'checkproc info'
        ];
Found Member cpu
Processing INI Section: checkproc cpu
Settings for this section are:
-------------------------------------------------------------------
      aligndata => Name,IDProcess
    customfield => _AvgCPU,PERF_100NSEC_TIMER,PercentProcessorTime,%.1f,100
          delay => 5
        display => _AvgCPU|%|CPU_{Name}(PID={IDProcess})||||   
        inihelp => Check cpu details for individual processes
ARG1  The processname to look for. Use % for wildcards.
   The process name typically only includes the actual file name minus its suffix eg firefox, svchost
   If there are multiple instances eg svchost, then some versions of Windows have them named all the same while others
   such as Windows 2008 Server, have them numbered eg svchost#1, svchost#2, svchost#3. To get all svchost processes you
   need to set ARG1 to svchost%
   To view all processes set ARG1 to "%" and the full process list will be included in the plugin output.
Note:  Use --nodatamode and/or NODATAEXIT settings to control what happens if no matching process is found.
           perf => _ItemCount||Process Count
_AvgCPU|%|Avg Utilisation CPU_{Name}
     predisplay => _DisplayMsg||~|~| - ||
_ItemCount| Instance(s)|Found |~|. || of "{_arg1}" running
          query => select Name,IDProcess,PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfProc_Process WHERE Name like "{_arg1}"
       requires => 1.48
        samples => 2
           test => _AvgCPU
_ItemCount
-------------------------------------------------------------------
All Static Ini Variables: $VAR1 = {};
Query Extenstions: $VAR1 = [];
   Original Query:select Name,IDProcess,PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfProc_Process WHERE Name like "{_arg1}"
        New Query:select Name,IDProcess,PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfProc_Process WHERE Name like "{_arg1}"
Starting Keep State Mode
STATE FILE: /tmp/cwpss_checkproccpu_cpu_192168130252_scales__.state
Checking previous data's expiry - Timestamp 1513673960 vs Expiry After 1513670362 (Keep State Expiry setting is 3600sec)
Using Existing WMI DATA of:$VAR1 = [
          [
            {
              '_ItemCount' => '0',
              '_KeepStateCreateTimestamp' => 1513673960
            }
          ]
        ];
Round #2 of 2
QUERY: /usr/bin/wmic '-U' 'USER%PASS' '--namespace' 'root/cimv2' '//192.168.130.252' 'select Name,IDProcess,PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfProc_Process WHERE Name like "scales%"'
OUTPUT: 
WMI DATA:$VAR1 = [
          [
            {
              '_ChecksOK' => 1,
              '_KeepStateSamplePeriod' => 2,
              '_ItemCount' => '0',
              '_KeepStateCreateTimestamp' => 1513673960
            }
          ],
          [
            {
              '_ItemCount' => 0
            }
          ]
        ];
Storing new WMI results in the state file $VAR1 = [
          [
            {
              '_KeepStateCreateTimestamp' => 1513673963,
              '_ItemCount' => 0
            }
          ]
        ];
Copying predefined fields to the last WMI result set [0] to [1]
NEW WMI DATA:$VAR1 = [
          [
            {
              '_ItemCount' => '0'
            }
          ],
          [
            {
              '_KeepStateSamplePeriod' => 2,
              '_ChecksOK' => 1,
              '_KeepStateCreateTimestamp' => 1513673960,
              '_ItemCount' => 0
            }
          ]
        ];
JOIN PARAMETERS  $VAR1 = [];
$VAR2 = [];
$VAR3 = [
          [
            {
              '_ItemCount' => '0'
            }
          ],
          [
            {
              '_KeepStateSamplePeriod' => 2,
              '_ChecksOK' => 1,
              '_KeepStateCreateTimestamp' => 1513673960,
              '_ItemCount' => 0
            }
          ]
        ];
$VAR4 = 1;
WMI Query returned no data. The item you were looking for may NOT exist or the software that creates the WMI Class may not be running, or all data has been excluded.


tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: Windows process Monitoring

Post by tgriep »

I ran the check from your example and the syntax checks out.

Code: Select all

/usr/local/nagios/libexec/check_wmi_plus.pl -H thepc -u 'domain/username' -p 'P@ssword' -m checkproc -s cpu -a explorer%
OK (Sample Period 143 sec) - Found 1 In ... rer'=0.1%;

But I am running version 1.62 of the plugin and you may want to upgrade to a newer version which you can get at the following URL.
http://www.edcint.co.nz/checkwmiplus/

I see the name of the service you are checking for, but the system is not returning that it is found, so it could be that the permissions on the root/cimv2 account are not set up all of the way.

Go back through this document and verify the settings and see if that fixes the issue.
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
Be sure to check out our Knowledgebase for helpful articles and solutions!
mindspring
Posts: 117
Joined: Thu Jul 19, 2012 10:24 am

Re: Windows process Monitoring

Post by mindspring »

Ok I went through the WMI how to three times to ensure that all my settings are correct, and they are.
The Windows firewall is also turned off on this server. I am using the local computer account instead of a domain account and gave the wmiagent local user admin rights as well.

I now get the following message. Any other ideas please? This one is really driving me a bit crazy.

Code: Select all


[root]@nagiosxi /usr/local/nagios/libexec] $ ./check_wmi_plus.pl -H 192.168.130.252 -u wmiagent -p xxxxx -m checkproc -s cpu -a scales% -d
Command Line (v1.63): ./check_wmi_plus.pl -H 192.168.130.252 -u USER -p PASS -m checkproc -s cpu -a scales% -d
Base Dir: /usr/local/nagios/libexec
Conf File Dir: /usr/local/nagios/libexec
Loaded Conf File /usr/local/nagios/libexec/check_wmi_plus.conf
WMI Ini Dir: /usr/local/nagios/libexec
Opening Ini Files ...
   opening first ini file: /usr/local/nagios/libexec/check_wmi_plus.ini
   checking ini dir /usr/local/nagios/libexec, found 1 file(s)
   opening ini file: check_wmi_plus.ini
Global Static Ini Variables: $VAR1 = {};
Found Group checkproc
GROUP MEMBERS $VAR1 = [
          'checkproc cmdline',
          'checkproc memory',
          'checkproc memoryabove',
          'checkproc memorytotals',
          'checkproc cpu',
          'checkproc cpuabove',
          'checkproc count',
          'checkproc info'
        ];
Found Member cpu
Processing INI Section: checkproc cpu
Settings for this section are:
-------------------------------------------------------------------
      aligndata => Name,IDProcess
    customfield => _AvgCPU,PERF_100NSEC_TIMER,PercentProcessorTime,%.1f,100
          delay => 5
        display => _AvgCPU|%|CPU_{Name}(PID={IDProcess})||||   
        inihelp => Check cpu details for individual processes
ARG1  The processname to look for. Use % for wildcards.
   The process name typically only includes the actual file name minus its suffix eg firefox, svchost
   If there are multiple instances eg svchost, then some versions of Windows have them named all the same while others
   such as Windows 2008 Server, have them numbered eg svchost#1, svchost#2, svchost#3. To get all svchost processes you
   need to set ARG1 to svchost%
   To view all processes set ARG1 to "%" and the full process list will be included in the plugin output.
Note:  Use --nodatamode and/or NODATAEXIT settings to control what happens if no matching process is found.
           perf => _ItemCount||Process Count
_AvgCPU|%|Avg Utilisation CPU_{Name}
     predisplay => _DisplayMsg||~|~| - ||
_ItemCount| Instance(s)|Found |~|. || of "{_arg1}" running
          query => select Name,IDProcess,PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfProc_Process WHERE Name like "{_arg1}"
       requires => 1.48
        samples => 2
           test => _AvgCPU
_ItemCount
-------------------------------------------------------------------
All Static Ini Variables: $VAR1 = {};
Query Extensions: $VAR1 = [];
   Original Query:select Name,IDProcess,PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfProc_Process WHERE Name like "{_arg1}"
        New Query:select Name,IDProcess,PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfProc_Process WHERE Name like "{_arg1}"
Starting Keep State Mode
STATE FILE: /tmp/cwpss_checkproccpu_cpu_192168130252_scales__.state
Checking previous data's expiry - Timestamp 1513854683 vs Expiry After 1513851085 (Keep State Expiry setting is 3600sec)
Using Existing WMI DATA of:$VAR1 = [
          [
            {
              '_ItemCount' => '0',
              '_KeepStateCreateTimestamp' => 1513854683
            }
          ]
        ];
Round #2 of 2
QUERY: /usr/bin/wmic '-U' 'USER%PASS' '--namespace' 'root/cimv2' '//192.168.130.252' 'select Name,IDProcess,PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfProc_Process WHERE Name like "scales%"'
OUTPUT: 
WMI DATA:$VAR1 = [
          [
            {
              '_ChecksOK' => 1,
              '_KeepStateSamplePeriod' => 2,
              '_ItemCount' => '0',
              '_KeepStateCreateTimestamp' => 1513854683
            }
          ],
          [
            {
              '_ItemCount' => 0
            }
          ]
        ];
Storing new WMI results in the state file $VAR1 = [
          [
            {
              '_ItemCount' => 0
            }
          ]
        ];
Copying predefined fields to the last WMI result set [0] to [1]
NEW WMI DATA:$VAR1 = [
          [
            {
              '_ItemCount' => '0'
            }
          ],
          [
            {
              '_KeepStateSamplePeriod' => 2,
              '_ChecksOK' => 1,
              '_KeepStateCreateTimestamp' => 1513854683,
              '_ItemCount' => 0
            }
          ]
        ];
JOIN PARAMETERS  $VAR1 = [];
$VAR2 = [];
$VAR3 = [
          [
            {
              '_ItemCount' => '0'
            }
          ],
          [
            {
              '_KeepStateSamplePeriod' => 2,
              '_ChecksOK' => 1,
              '_KeepStateCreateTimestamp' => 1513854683,
              '_ItemCount' => 0
            }
          ]
        ];
$VAR4 = 1;
WMI Query returned no data. The item you were looking for may NOT exist or the software that creates the WMI Class may not be running, or all data has been excluded.


tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: Windows process Monitoring

Post by tgriep »

It looks like the plugin is connecting to the server but it cannot find a process with scales in the name.
Try running this example twice. If it works, it will return all of the processes that are running on that server.

Code: Select all

./check_wmi_plus.pl -H 192.168.130.252 -u wmiagent -p xxxxx -m checkproc -s cpu -a % -d

Also, let's see if any other options can be checked by the plugin. Run these examples to see if you can get any response from the server.

Code: Select all

./check_wmi_plus.pl -H 192.168.130.252 -u wmiagent -p xxxxx -m checkmem -s physical
./check_wmi_plus.pl -H 192.168.130.252 -u wmiagent -p xxxxx -m checkdrivesize -a 'C':

To test WMI from the Windows host, try this.
Log in to the Windows server as an administrator and follow these steps.

Code: Select all

    Launch the wbemtest program.
    Click Connect...
    Change root\default to root\cimv2, then click Connect.
    Click Query...
    Enter Select * from Win32_Product, then click Apply.

This should return a list of products. If it does, then WMI is probably fine; if not, try the following at a Command Prompt:

Code: Select all

regsvr32 wbemdisp.dll

Then run the wbemtest query again.

You may want to run this on the Windows server as an administrator.

Code: Select all

winrm quickconfig

Type y to configure LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.
This will reset the permissions to allow remote users to access the system using WMI.
mindspring
Posts: 117
Joined: Thu Jul 19, 2012 10:24 am

Re: Windows process Monitoring

Post by mindspring »

Excellent, thank you so much!

I think the upgrade to the latest version did the trick as I am not getting responses. I am battling with something specific now though
I am trying to get memory totals for all these processes and to generate an alert for warning at 500MB and critical for 1000MB
I created my own check command like such called check_scales:

Code: Select all


$USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -u wmiagent -p $ARG1$ -m checkproc -s $ARG2$ -a scales% $ARG3$ $ARG4$

I then created a probe as such with 100 and 110 as play values
nag1.PNG

The probe just says ok though, no matter what I try to set as the cumulative total of memory used. I tried the _ColSum_PrivateBytes=1000 to get private bytes of 1000MB and tested it below on the command line, but I am not sure if I am doing it properly. I tried these variations on it but they all just say ok on the command line and no warning or critical from within Nagios.

./check_wmi_plus.pl -H 192.168.130.252 -u wmiagent -p xxx -m checkproc -s memorytotals -a scales% _ColSum_PrivateBytes=1000

./check_wmi_plus.pl -H 192.168.130.252 -u wmiagent -p xxx -m checkproc -s memorytotals -a scales% -w 500 -c 1000 _ColSum_PrivateBytes=1000
mindspring
Posts: 117
Joined: Thu Jul 19, 2012 10:24 am

Re: Windows process Monitoring

Post by mindspring »

Sorry, I was being dumb here. I think I figured the syntax out. This seems to have done the trick.

Code: Select all


[root]@nagiosxi /usr/local/nagios/libexec] $ ./check_wmi_plus.pl -H 192.168.130.252 -u wmiagent -p xxxx -m checkproc -s memorytotals -a scales% -w _ColSum_PrivateBytes=1000
WARNING - [Triggered by _ColSum_PrivateBytes>1000] - Found 1 Instance(s) of "scales%" running. Total Private Memory=73.957MB, Total Working Set=97.906MB, Total Virtual Memory=391.012MB|'Process Count'=1; 'Total Private Memory'=77549568Bytes;1000; 'Total Working Set'=102662144Bytes; 'Total Virtual Memory'=410005504Bytes; 

kyang

Re: Windows process Monitoring

Post by kyang »

Glad to see that it's working now!

Any more questions or are we okay to lock this up?
mindspring
Posts: 117
Joined: Thu Jul 19, 2012 10:24 am

Re: Windows process Monitoring

Post by mindspring »

Not yet unfortunately. I have been trying to replicate this to other servers and I am getting various errors again.

Let's start with this one.

Code: Select all

./check_wmi_plus.pl -H xxx -u wmiagent -p xxxx -m checkproc -s memorytotals -a scales% -w -d
WMI Query returned no data. The item you were looking for may NOT exist or the software that creates the WMI Class may not be running, or all data has been excluded.
I run the exact same command with the domain admin account and it works. It doesn't even work with the local admin account, which is highly confusing.


Code: Select all

[root]@nagiosxi.sam.cpt /usr/local/nagios/libexec] $ ./check_wmi_plus.pl -H philippi.sam.cpt -u xxx -p xxx -m checkproc -s memorytotals -a scales% -w -d
Use of uninitialized value in exponentiation (**) at ./check_wmi_plus.pl line 5890.
Argument "-" isn't numeric in multiplication (*) at ./check_wmi_plus.pl line 5890.
WARNING - [Triggered by _ItemCount>-d] - Found 5 Instance(s) of "scales%" running. Total Private Memory=1.216GB, Total Working Set=1.387GB, Total Virtual Memory=2.949GB|'Process Count'=5;0; 'Total Private Memory'=1305509888Bytes; 'Total Working Set'=1489387520Bytes; 'Total Virtual Memory'=3166601216Bytes; 

I tried doing the permissions in the article below but I am too fearful of running that sc command
https://support.nagios.com/forum/viewto ... 35&t=31641


Can you please help? This WMI thing is a nightmare.
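
An added example, not part of the original posts or of check_wmi_plus itself: it parses the two plugin output lines quoted above and shows that the -w value of 1000 was compared against the raw byte count in the perfdata (so it fired at 73.957MB), and that "-w -d" left "-d" as the threshold. The function names are hypothetical, the status text in the samples is abridged, and the byte conversion assumes the 1024-based units that the plugin's own MB and GB figures imply.

```python
import re

# Plugin output copied from the two posts above; the human-readable status text is abridged.
RUN_1 = ("WARNING - [Triggered by _ColSum_PrivateBytes>1000] - Found 1 Instance(s) of "
         "\"scales%\" running.|'Process Count'=1; 'Total Private Memory'=77549568Bytes;1000; "
         "'Total Working Set'=102662144Bytes; 'Total Virtual Memory'=410005504Bytes; ")
RUN_2 = ("WARNING - [Triggered by _ItemCount>-d] - Found 5 Instance(s) of "
         "\"scales%\" running.|'Process Count'=5;0; 'Total Private Memory'=1305509888Bytes; "
         "'Total Working Set'=1489387520Bytes; 'Total Virtual Memory'=3166601216Bytes; ")

PERF = re.compile(r"'([^']+)'=(-?[\d.]+)([^;\s]*)((?:;[^;\s]*)*)")
TRIGGER = re.compile(r"\[Triggered by (\w+)>([^\]]+)\]")
MIB = 1024 * 1024  # assumption: 1024-based units (77549568 Bytes is shown as 73.957MB)


def parse_perfdata(line):
    """Return {label: (value, unit, warn, crit)} from the part after the '|'."""
    perf = line.partition("|")[2]
    out = {}
    for label, value, unit, rest in PERF.findall(perf):
        fields = (rest.split(";") + ["", "", ""])[1:3]  # warn, crit ('' when unset)
        out[label] = (float(value), unit, fields[0], fields[1])
    return out


def audit(line):
    """List threshold problems visible in one line of plugin output."""
    findings = []
    for field, raw in TRIGGER.findall(line):
        if not re.fullmatch(r"-?\d+(\.\d+)?", raw):
            findings.append(f"{field}: threshold '{raw}' is not a number "
                            "(the option after -w was taken as its value)")
    for label, (value, unit, warn, _crit) in parse_perfdata(line).items():
        if unit == "Bytes" and warn and float(warn) < MIB:
            findings.append(f"{label}: warn={warn} Bytes, value={value / MIB:.3f}MB")
    return findings


def mb_to_bytes(mb):
    """Byte value for a threshold meant in MB, such as the 500 and 1000 MB in the thread."""
    return int(mb * MIB)
```

Under that assumption, thresholds intended as 500 MB and 1000 MB correspond to mb_to_bytes(500) and mb_to_bytes(1000) when compared against the byte values in the perfdata.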
kyang

Re: Windows process Monitoring

Post by kyang »

Could we possibly move this into a ticket and possibly a remote?
mindspring
Posts: 117
Joined: Thu Jul 19, 2012 10:24 am

Re: Windows process Monitoring

Post by mindspring »

Yes sure - how do we go about doing that?

Could you use TeamViewer into my machine at a certain time? I am in GMT+2 time zone.
Locked