
Re: check_wmi_plus and check_win_eventlog showing no events

Posted: Mon Jun 13, 2016 2:54 pm
by mclark
We have been using this password with $USER8$ and $USER9$ variables without issue on other checks.

To eliminate the special characters problem, I changed the password to remove the special characters and am still getting a login error.

Code:

[******@nagios ~]$ sudo /usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.pl -H "********" -u "******\****" -p "********" -m checkeventlog -a application,system -o 2 -3 24
UNKNOWN - The WMI query had problems. You might have your username/password wrong or the user's access level is too low. Wmic error text on the next line.
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied


Re: check_wmi_plus and check_win_eventlog showing no events

Posted: Tue Jun 14, 2016 9:06 am
by rkennedy
There was an issue recently where this was failing because of a locked out account in AD -- could this be the case at all? Are other checks working using this domain account?

Are you able to check the logs to see if the credentials are getting validated or not on the AD side?

Re: check_wmi_plus and check_win_eventlog showing no events

Posted: Thu Jun 16, 2016 3:25 pm
by mclark
I don't see any login attempts in the Security log for the domain account.

So, the domain account is not working for any checks. I tried the checks from the command line as well with no success. Every attempt gets the same login error as shown previously.

The local account is working for all checks: Disk Space, RAM Utilization, Uptime, etc. The event viewer check returns no events using the local account. The check is configured to return any events in the last 24 hours, so it should show something.

Re: check_wmi_plus and check_win_eventlog showing no events

Posted: Thu Jun 16, 2016 4:41 pm
by Box293
What version of the plugin are you running?

Code:

grep -i '$version=' check_wmi_plus.pl

Re: check_wmi_plus and check_win_eventlog showing no events

Posted: Fri Jun 17, 2016 7:27 am
by mclark
We're running v1.59. I looked at the changelog for the newer versions and didn't see anything specific to our issue, so I haven't upgraded.


/usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.pl -d -d | head -n 20
Command Line (v1.59): /usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.pl -d -d
Conf File Dir: /usr/local/nagios/bin/plugins/check_wmi_plus
Loaded Conf File /usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.conf
======================================== SYSTEM INFO =====================================================
--------------------- Module Versions ---------------------
MODULE_NAME INSTALLED_VERSION STATUS DESIRED_VERSION
Config::IniFiles 2.83 ok 2.58
Perl Version 5.010001 ok 5.01
Getopt::Long 2.45 ok 2.38
DateTime 1.18 ok 0.66
Number::Format 1.73 ok 1.73
Data::Dumper 2.154 ok 2.125
Scalar::Util 1.41 ok 1.22
Storable 2.51 ok 2.22

Re: check_wmi_plus and check_win_eventlog showing no events

Posted: Fri Jun 17, 2016 1:42 pm
by tgriep
Try using a forward slash in the user name and not a backslash and see if that works.
domain/username

Re: check_wmi_plus and check_win_eventlog showing no events

Posted: Fri Jun 17, 2016 1:44 pm
by ssax
In addition to the post above, please run the command with the -d option so that we can see if it will give us more details:

Code:

sudo /usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.pl -H "********" -u "******\****" -p "********" -m checkeventlog -a application,system -o 2 -3 24 -d

Thank you

Re: check_wmi_plus and check_win_eventlog showing no events

Posted: Mon Jun 20, 2016 9:21 am
by mclark

Code:

[***** ~]$sudo /usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.pl -H "********" -u "******\****" -p "********" -m checkeventlog -a application,system -o 2 -3 24 -d
Command Line (v1.59): /usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.pl -H "********" -u USER -p PASS -m checkeventlog -a application,system -o 2 -3 24 -d
Conf File Dir: /usr/local/nagios/bin/plugins/check_wmi_plus
Loaded Conf File /usr/local/nagios/bin/plugins/check_wmi_plus/check_wmi_plus.conf
Round #1 of 1
QUERY: /bin/wmic '-U' 'USER%PASS' '--namespace' 'root/cimv2' '//rightfax.qdinc.net' 'Select EventCode,EventIdentifier,Type,LogFile,SourceName,Message,TimeGenerated from Win32_NTLogEvent where ( Logfile="application" OR Logfile="system" ) and EventType<=2 and EventType>0 and TimeGenerated > "20160619141400.00000000"'
OUTPUT: [wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

Could not find the CLASS: line - an error occurred
WMI DATA:$VAR1 = [];
UNKNOWN - The WMI query had problems. You might have your username/password wrong or the user's access level is too low. Wmic error text on the next line.
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

Thanks again for your assistance!

Re: check_wmi_plus and check_win_eventlog showing no events

Posted: Mon Jun 20, 2016 9:51 am
by mclark
@tgriep

I've tried \ and /, single quotes, double quotes, no quotes and various combinations of these. None have been successful.

Thanks for the suggestion!

Re: check_wmi_plus and check_win_eventlog showing no events

Posted: Mon Jun 20, 2016 3:45 pm
by tgriep
This is the format of the command that I ran on my system which worked for me from the command line.

Code:

/usr/local/nagios/libexec/check_wmi_plus.pl -H 192.168.1.1 -u domain/username -p password -m checkeventlog -a application,system -o 2 -3 24

In the service check itself, I have the username and password with single quotes around them.

Is the login account you are using part of the local Administrator group for that server?
If not, add it and see if it works for you.