Problems with WMI service checks

[crystal.then]

The account is allowed to log on to "All Computers"

The query that works is:

Code: Select all

wmic /NAMESPACE:"root/cimv2" /USER:"domain\user" /PASSWORD:"password" /NODE:"hostname" OS get Caption

I'm running this from a Windows server in the same domain as the target machine.

The wmic query to get the same information from nagios fails:

Code: Select all

wmic -A authfile --namespace root/cimv2 //hostname "select Caption from Win32_ComputerSystem"

I know these commands aren't exactly like for like, however I don't have access to a linux machine in the customer's environment with wmic installed.
The second command I've found always works when the check_wmi_plus plugin works.

[cdienger]

Looking at the last packet trace that you PM'd me there appears to be some packet loss. You can see it if you apply the filter "tcp.stream eq 34" to the dump in wireshark. Authentication looks to be good and there is clearly back and forth, but you can see all the retransmissions at the end. This is a retransmission of a request/packet from the XI system. It is retransmitting because it doesn't get an acknowledgement to one of it's requests/packets sent to the Windows machine. Eventually the plugin will timeout when it doesn't get a response.

Would it be possible to get a wireshark trace taken on the Windows machine at the same time another tcpdump was taken on XI and you run the plugin? This will at least confirm if we should be looking outside of the two machines at a possible firewall/network issue causing packets to drop.

[crystal.then]

Hi, thanks for the reply, that sounds promising. I will organise the trace with the customer.

[cdienger]

Sounds good. Please update us with your findings.

[crystal.then]

Thanks for your guidance on this one. The customer's network resource managed to idenfity that packets are being dropped at a certain hop, so they will continue investigating for that one.

Could we please take a look at server #2 next?
For this one I suspect an issue with WMI on the host.

From my original post:

Code: Select all

    # /usr/local/nagios/libexec/check_wmi_plus.pl -d -H <host address> -A <authfile> -m checkdrivesize -a 'C': -t 30 -w '90' -c '99.9'             Command Line (v1.6): /usr/local/nagios/libexec/check_wmi_plus.pl -d -H <host address> -A <authfile> -m checkdrivesize -a C: -t 30 -w 90 -c 99.9
    Base Dir: /usr/local/nagios/libexec
    Conf File Dir: /usr/local/nagios/libexec
    Loaded Conf File /usr/local/nagios/libexec/check_wmi_plus.conf
    Round #1 of 1
    QUERY: /usr/bin/wmic '-A' '<authfile>' '--namespace' 'root/cimv2' '//<host address>' 'Select DeviceID,freespace,Size,VolumeName from Win32_LogicalDisk where DriveType=3'
    OUTPUT: [wmi/wmic.c:196:main()] ERROR: Login to remote object.
    NTSTATUS: NT code 0x800706cc - NT code 0x800706cc

    Could not find the CLASS: line - an error occurred
    WMI DATA:$VAR1 = [
              [
                {
                  '_ColSum_Size' => 0,
                  '_QuerySum_Size' => 0,
                  '_ColSum_FreeSpace' => 0,
                  '_QuerySum_FreeSpace' => 0
                }
              ]
            ];
    UNKNOWN - The WMI query had problems. The error text from wmic is: [wmi/wmic.c:196:main()] ERROR: Login to remote object.
    NTSTATUS: NT code 0x800706cc - NT code 0x800706cc

    [root@a1c-nxi01 libexec]# /usr/bin/wmic '-A' '<authfile>' '--namespace' 'root/cimv2' '//<host address>' 'Select DeviceID,freespace,Size,VolumeName from Win32_LogicalDisk where DriveType=3'
    [wmi/wmic.c:196:main()] ERROR: Login to remote object.
    NTSTATUS: NT code 0x800706cc - NT code 0x800706cc

Testing the connection to that server from another Windows machine in the same environment, we get the following:

Code: Select all

C:\Users\Administrator>wmic /NAMESPACE:"root/cimv2" /USER:"<username>" /PASSWORD:"<password>" /NODE:"<hostname>" OS get Caption
Node - <hostname>
ERROR:
Description = The endpoint is a duplicate.

[ssax]

Is the user a local admin on that system? If not, did you set permissions on the windows system like the guide below shows starting on page 4?

https://assets.nagios.com/downloads/nag ... ios-XI.pdf

[crystal.then]

Hi ssax,

Yes the account is local admin of the target server. This is the same account that we use to monitor other servers in the environment, and the setup is the same.

[ssax]

Is this server connected to a domain?

Can you test from another windows machine with the same credentials following this guide:

Code: Select all

https://community.broadcom.com/enterprisesoftware/communities/community-home/librarydocuments/viewdocument?DocumentKey=025d5291-a260-4a4a-8cf5-b5dc7c20aa3b&CommunityKey=cb959643-2b9f-4caa-a7a3-42f40f1aef91&tab=librarydocuments

What error is displayed (if any)?

[crystal.then]

Yes, the server belongs to the same domain as the account.

Here are the results from wbemtest:

wmi-troubleshooting.png

[ssax]

Do you see any entries in the windows event log?

If you run this in a powershell admin prompt, does it work?

Code: Select all

Get-WmiObject -class Win32_OperatingSystem | select Caption

If you run a powershell prompt as the user in question (SHIFT+Right Click the powershell link > Run as different user, enter user/pass) and then run the same command, does it work?

Please post all output.