hiding password for WMI queries

[lavignp]

I already asked this question over in the general forum (before I got access to this one), and I recieved one idea to start with. Hopefully there is another way to address this question...

Is there a way to hide the password when using the WMI wizard to set up monitoring? After I configure the service, if I go in to edit it, I can clearly see the username and password in the command string. We're just trying to be thorough with our security, so we were hoping to not leave that as-is.

I have dug through as much documentation as I could find, and I do see an option to create an authentication file for the Check WMI Plus plugin. How in the world would I make these two work together, in terms of the syntax, which appears to be different from the command line options that are available? Plus, even the idea of having the password in plain text on the Nagios server is still not ideal, but better than the current setup.

[BanditBBS]

Use the -A option. Using -A and specify a file with the username, password and domain in it, in the following format:

Code: Select all

username=nagiosxi
password=xxxxxxx
domain=xxxxx

Also, I created one server with WMI checks, modify them to use the -A and then just clone those when needed to add a new server(s)

[abrist]

Nagios provides a locked down file for sensitive bit lits passwords and for strings that contain illegal macro characters:

Code: Select all

/usr/local/nagios/etc/resource.cfg 

Create a new user macro at the bottom or resource.cfg, we will use $USER9$ and $USER10$ for this example (replace <wmi user> and <wmi pass> with the actual username and password, respectively):

Code: Select all

$USER9$=<wmi user>
$USER10$=<wmi pass>

Now, edit the check to use the $USER9$ and $USER10$ macros in place of the actual credentials. Restart nagios and then you should be set!

EDIT: Bandit has a better answer - listen to him, ignore me

[lavignp]

Thank you both for the replies.

First of all the $USERX$ macro seems to work just fine when I put it into the GUI, so there's that (The WMI query for the event logs appears to be broken, but I can deal with that separately). This may save me the trouble of manually editing those files.

However, when I looked into editing each respective hostname.cfg file under /usr/local/nagios/etc/services, I noticed the comment in each one:

# --- DO NOT EDIT THIS FILE BY HAND ---
# Nagios QL will overwite all manual settings during the next update

So...how/where would I edit that command string?

[BanditBBS]

EDIT: Bandit has a better answer - listen to him, ignore me

Next time, make the text larger and brighter when you say something like that

First of all the $USERX$ macro seems to work just fine when I put it into the GUI, so there's that (The WMI query for the event logs appears to be broken, but I can deal with that separately). This may save me the trouble of manually editing those files.

That could be a DNS issue I just experience as well. In your resolv.conf file, make sure all DNS suffixes are listed it should be searching. Doing that fixed my issue.

However, when I looked into editing each respective hostname.cfg file under /usr/local/nagios/etc/services, I noticed the comment in each one:

Modify the services in the core config manager. Then when you apply configuration, those files will be over written

[lavignp]

Thanks Bandit, I looked in Core config, and saw what you were referring to in the services. Good to know..

Also, adding the additional search domain to resolv.conf fixed the issue. What's weird is that I specified the FQDN when I set up the host, so I don't know WHY that didn't work...

[BanditBBS]

Also, adding the additional search domain to resolv.conf fixed the issue. What's weird is that I specified the FQDN when I set up the host, so I don't know WHY that didn't work...

Those EXACT same words came out of my mouth when I ran into the issue here....it makes absolutely no sense!

[sreinhardt]

Unfortunately I had the same issues as well, the only thing I can figure is that wmic or perl wmi stuff does some very funky resolution stuff with how it expects fqdn's to work, that may not be the normal case in windows environments.

[sujitt]

Adding into a file should be a standard feature within the WMI wizard. it is a hassle to do this to every service to add a -A option in XI.

[abrist]

I have submitted an internal feature request for this wizard option.