check_wmi_plus and check_win_eventlog showing no events

[mclark]

We have been using this password with $USER8$ and $USER9$ variables without issue on other checks.

To eliminate the special characters problem I changed the password to remove the special characters and still getting a login error.

Code: Select all

[******@nagios ~]$ sudo /usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.pl -H "********" -u "******\****" -p "********" -m checkeventlog -a application,system -o 2 -3 24
UNKNOWN - The WMI query had problems. You might have your username/password wrong or the user's access level is too low. Wmic error text on the next line.
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

[rkennedy]

There was an issue recently where this was failing because of a locked out account in AD -- could this be the case at all? Are other checks working using this domain account?

Are you able to check the logs to see if the credentials are getting validated or not on the AD side?

[mclark]

I don't see any login attempts in the Security log for the domain account.

So, the domain account is not working for any checks. I tried the checks from the command line as well with no success. Every attempt gets the same login error as shown previously.

The local account is working for all checks, Disk Space, RAM Utilitzation, Uptime, etc. The event viewer check returns no events using the local account. The check is configured to return any events in the last 24 hours, so it should show something.

[Box293]

What version of the plugin are you running?

Code: Select all

grep -i '$version=' check_wmi_plus.pl

[mclark]

We're running v1.59. I looked at the changelog for the newer versions and didn't anything specific to our issue, so I haven't upgraded.


/usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.pl -d -d | head -n 20
Command Line (v1.59): /usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.pl -d -d
Conf File Dir: /usr/local/nagios/bin/plugins/check_wmi_plus
Loaded Conf File /usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.conf
======================================== SYSTEM INFO =====================================================
--------------------- Module Versions ---------------------
MODULE_NAME INSTALLED_VERSION STATUS DESIRED_VERSION
Config::IniFiles 2.83 ok 2.58
Perl Version 5.010001 ok 5.01
Getopt::Long 2.45 ok 2.38
DateTime 1.18 ok 0.66
Number::Format 1.73 ok 1.73
Data::Dumper 2.154 ok 2.125
Scalar::Util 1.41 ok 1.22
Storable 2.51 ok 2.22

[tgriep]

Try using a forward slash in the user name and not a back slash and see of that works.

domain/username

[ssax]

In additional to the post above, please run the command with the -d option so that we can see if it will give us more details:

Code: Select all

sudo /usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.pl -H "********" -u "******\****" -p "********" -m checkeventlog -a application,system -o 2 -3 24 -d

Thank you

[mclark]

Code: Select all

[***** ~]$sudo /usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.pl -H "********" -u "******\****" -p "********" -m checkeventlog -a application,system -o 2 -3 24 -d
Command Line (v1.59): /usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.pl -H "********" -u USER -p PASS -m checkeventlog -a application,system -o 2 -3 24 -d
Conf File Dir: /usr/local/nagios/bin/plugins/check_wmi_plus
Loaded Conf File /usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.conf
Round #1 of 1
QUERY: /bin/wmic '-U' 'USER%PASS' '--namespace' 'root/cimv2' '//rightfax.qdinc.net' 'Select EventCode,EventIdentifier,Type,LogFile,SourceName,Message,TimeGenerated from Win32_NTLogEvent where ( Logfile="application" OR Logfile="system" ) and EventType<=2 and EventType>0 and TimeGenerated > "20160619141400.00000000"'
OUTPUT: [wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

Could not find the CLASS: line - an error occurred
WMI DATA:$VAR1 = [];
UNKNOWN - The WMI query had problems. You might have your username/password wrong or the user's access level is too low. Wmic error text on the next line.
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

Thanks again for your assistance!

[mclark]

@tgriep

I've tried \ and / single quotes, double quotes, no quotes and various combinations of these. None have been successful.

Thanks for the suggestion!

[tgriep]

This is the format of the command that I ran on my system which worked for me from the command line.

Code: Select all

/usr/local/nagios/libexec/check_wmi_plus.pl -H 192.168.1.1 -u domain/username -p password -m checkeventlog -a application,system -o 2 -3 24

In the service check itself, I have the username and password with single quotes around them.

Is the login account you are using part of the local Administrator group for that server?
If not, add it and see if it works for you.