dcerpc_connect

Posted: Wed Mar 04, 2015 2:52 pm
by onegative
G'day Nagios XI Support,

I have a question about errors I am seeing...here is the scenario as I can best determine.

If I add a WMI host from the WMI Wizard and include all the monitoring I want within it from scratch the check_xi_service_wmiplus command functions as expected on all monitors.

But if I attempt to add an additional WMI monitor to the existing host I get the following error...

UNKNOWN - The WMI query had problems. The error text from wmic is: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv

If I run the command from the command line using the fqdn I get this error as well.

[root@csdev95 ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -H its-bmc-app02.amc.uwmedicine.org -u 'www\myacct' -p mysecret' -m checkeventlog -a 'System' -o 1 -3 1 -w '10' -c '15'

UNKNOWN - The WMI query had problems. The error text from wmic is: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv


But if I use the actual ipAddr using the same exact command on the command-line it functions as expected and correctly.

[root@csdev95 ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -H 69.91.248.222 -u 'www\myacct' -p mysecret' -m checkeventlog -a 'System' -o 1 -3 1 -w '10' -c '15'

OK - 0 event(s) of at least Severity Level "Error", were recorded in the last 1 hours from the System Event Log.|'Event Count'=0;10;15;

That indicates to me that when you add a new host with all the WMI monitors you need everything works via its use of the ipAddr but once you start customizing and adding individual WMI monitors you get this issue because the new ones are using the fqdn????

I have verified the entry for the new service looks completely identical to the other existing wmi services... I am dumbfounded!

Can you please confirm whether or not you can duplicate this issue yourself on Nagios XI 2014R2.6 running on Redhat 3.10.0-123.20.1.el7.x86_64?

Please let me know and thanks,
Danny

Re: dcerpc_connect

Posted: Wed Mar 04, 2015 3:40 pm
by lmiltchev
Can you run the following command and show us the output?

Code:

nslookup 69.91.248.222

Is the output "its-bmc-app02.amc.uwmedicine.org"?

Re: dcerpc_connect

Posted: Wed Mar 04, 2015 3:45 pm
by onegative
Yea that figures...we do not have reverse lookup...bummer dude!

Re: dcerpc_connect

Posted: Wed Mar 04, 2015 3:46 pm
by jolson
Hello,

I have just performed a test using my local lab on the same version of Nagios, and it came back successfully:

Code:

[root@nagios libexec]# ./check_wmi_plus.pl -H jessetest -u 'wmiagent' -p 'wmiagent' -m checkeventlog -a 'System' -o 1 -3 1 -w '10' -c '15'
OK - 0 event(s) of at least Severity Level "Error", were recorded in the last 1 hours from the System Event Log.|'Event Count'=0;10;15;

I did notice that you have not wrapped your password field in quotes appropriately. I have modified your command and would like you to attempt running the following:

Code:

./usr/local/nagios/libexec/check_wmi_plus.pl -H 'its-bmc-app02.amc.uwmedicine.org' -u 'www\myacct' -p 'mysecret' -m checkeventlog -a 'System' -o 1 -3 1 -w '10' -c '15'

If that still does not work properly, I have a few theories...

1. Try disabling SELinux temporarily. I like to recommend this because SELinux can impact systems in unexpected ways:

Code:

sestatus
setenforce 0

2. Add 'its-bmc-app02.amc.uwmedicine.org' to your hosts file and test again.

Code:

echo "69.91.248.222 its-bmc-app02.amc.uwmedicine.org" >> /etc/hosts

Let us know the results. Thanks!

Re: dcerpc_connect

Posted: Wed Mar 04, 2015 3:46 pm
by onegative
[root@csdev95 ~]# nslookup its-bmc-app02.amc.uwmedicine.org
Server: 140.142.5.214
Address: 140.142.5.214#53

Non-authoritative answer:
Name: its-bmc-App02.amc.uwmedicine.org
Address: 69.91.248.222


[root@csdev95 ~]# nslookup 69.91.248.222
Server: 140.142.5.214
Address: 140.142.5.214#53

** server can't find 222.248.91.69.in-addr.arpa.: NXDOMAIN

Re: dcerpc_connect

Posted: Wed Mar 04, 2015 3:54 pm
by onegative
Yeppers added to /etc/hosts

[root@csdev95 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.146.20.181 csdev95.mcis.washington.edu
69.91.248.222 its-bmc-app02.amc.uwmedicine.org

Still fails...

[root@csdev95 ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -H its-bmc-app02.amc.uwmedicine.org -u 'www\myacct' -p 'mysecret' -m checkeventlog -a 'System' -o 1 -3 1 -w '10' -c '15'
UNKNOWN - The WMI query had problems. The error text from wmic is: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv


[root@csdev95 ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -H 69.91.248.222 -u 'www\myacct' -p 'mysecret' -m checkeventlog -a 'System' -o 1 -3 1 -w '10' -c '15'
OK - 0 event(s) of at least Severity Level "Error", were recorded in the last 1 hours from the System Event Log.|'Event Count'=0;10;15;

Re: dcerpc_connect

Posted: Wed Mar 04, 2015 3:58 pm
by onegative
[root@csdev95 ~]# sestatus
SELinux status: disabled

Re: dcerpc_connect

Posted: Wed Mar 04, 2015 4:29 pm
by tgriep
Are you running Microsoft Active Directory to authenticate to the server?

Did you follow these instructions to enable WMI on your windows server?

http://assets.nagios.com/downloads/nagiosxi/docs/Monitoring-Windows-Using-WMI-and-Nagios-XI.pdf

Re: dcerpc_connect

Posted: Wed Mar 04, 2015 4:31 pm
by jolson
Interesting. I made an edit to my hosts file as follows:

Code:

[root@nagios /]# cat /etc/hosts
192.168.1.1 jessetest.something.something.com
[root@nagios /]#

Pinging the server works fine:

Code:

[root@nagios /]# ping jessetest.something.something.com
PING jessetest.something.something.com (192.168.1.1) 56(84) bytes of data.
64 bytes from jessetest.something.something.com (192.168.1.1): icmp_seq=1 ttl=128 time=3.83 ms
64 bytes from jessetest.something.something.com (192.168.1.1): icmp_seq=2 ttl=128 time=1.85 ms

Check_wmi however fails, unless I use the IP instead of hostname:

Code:

[root@nagios /]# ./usr/local/nagios/libexec/check_wmi_plus.pl -H 'jessetest.something.something.com' -u 'wmiagent' -p 'wmiagent' -m checkeventlog -a 'System' -o 1 -3 1 -w '10' -c '15'
UNKNOWN - Plugin Timed out (15 sec)

Code:

[root@nagios /]# ./usr/local/nagios/libexec/check_wmi_plus.pl -H '192.168.1.1' -u 'wmiagent' -p 'wmiagent' -m checkeventlog -a 'System' -o 1 -3 1 -w '10' -c '15'
OK - 0 event(s) of at least Severity Level "Error", were recorded in the last 1 hours from the System Event Log.|'Event Count'=0;10;15;

It looks like check_wmi_plus.pl will not work if the hostname of the endpoint does not match exactly. Please check your capitalization and attempt to use the shortname if possible (whatever the 'Computer Name' is).

The only option I can get working from the command line is 'jessetest' as opposed to 'jessetest.testcompany.local'.

Let me know if that helps solve your problem!

Re: dcerpc_connect

Posted: Wed Mar 04, 2015 4:38 pm
by onegative
I think you are missing the point...if I add this host and include eventlog monitoring initially it works...with no issue.

If I add the eventlog monitoring after the fact or any other wmi service for that matter it does not.

If I look at the difference between how the WMI Wizard adds the service definition when eventlog monitoring is included initially and the way it looks added afterwards there is a difference...why? Is it possible this is the difference in the way it's working?

This one works when I add the eventlog monitoring with the initial host...the only difference is highlighted in RED.
define service {
    host_name its-bmc-app02.amc.uwmedicine.org
    service_description System Log Critical Errors
    use xiwizard_windowswmi_service
    check_command check_xi_service_wmiplus!'www\myacct'!'mysecret'!checkeventlog!-a 'System' -o 1 -3 1 -w '10' -c '15'
    max_check_attempts 5
    check_interval 5
    retry_interval 1
    check_period xi_timeperiod_24x7
    notification_interval 60
    notification_period xi_timeperiod_24x7
    contacts dg0123
    _xiwizard windowswmi
    register 1
}

This is how it looks if you add the eventlog monitor after the host already exists...missing the "use xiwizard_windowswmi_service" pairing
define service {
    host_name its-bmc-app02.amc.uwmedicine.org
    service_description System Log Critical Errors
    check_command check_xi_service_wmiplus!'www\myacct'!'mysecret'!checkeventlog!-a 'System' -o 1 -3 1 -w '10' -c '15'!!!!
    max_check_attempts 5
    check_interval 5
    retry_interval 1
    check_period xi_timeperiod_24x7
    notification_interval 60
    notification_period xi_timeperiod_24x7
    contacts dg0123
    _xiwizard windowswmi
    register 1
}
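
The by-eye comparison in the post above, as an added example that is not part of the original thread: a small parser for Nagios `define service` blocks that reports which directives differ and splits `check_command` on `!`. The two definitions are abridged from the post, and the function names are illustrative.

```python
import re

# Sample input: the two definitions from the post above, abridged.
WIZARD = r"""define service {
    host_name           its-bmc-app02.amc.uwmedicine.org
    use                 xiwizard_windowswmi_service
    check_command       check_xi_service_wmiplus!'www\myacct'!'mysecret'!checkeventlog!-a 'System' -o 1 -3 1 -w '10' -c '15'
    max_check_attempts  5
}"""
ADDED_LATER = r"""define service {
    host_name           its-bmc-app02.amc.uwmedicine.org
    check_command       check_xi_service_wmiplus!'www\myacct'!'mysecret'!checkeventlog!-a 'System' -o 1 -3 1 -w '10' -c '15'!!!!
    max_check_attempts  5
}"""

def parse_service(text):
    """Return {directive: value} for the first 'define service' block."""
    block = re.search(r"define\s+service\s*\{(.*?)\}", text, re.S)
    if block is None:
        raise ValueError("no 'define service' block found")
    directives = {}
    for line in block.group(1).splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives

def split_command(check_command):
    """Split 'name!ARG1!ARG2...' into (name, [args]); empty args are kept."""
    name, *args = check_command.split("!")
    return name, args

def diff_services(a, b):
    """Return {directive: (value_in_a, value_in_b)} for each difference."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}

if __name__ == "__main__":
    first, later = parse_service(WIZARD), parse_service(ADDED_LATER)
    for key, (old, new) in diff_services(first, later).items():
        print(f"{key}:\n  wizard:      {old}\n  added later: {new}")
    _, args_a = split_command(first["check_command"])
    _, args_b = split_command(later["check_command"])
    print("non-empty args identical:",
          [x for x in args_a if x] == [x for x in args_b if x])
    print("arg counts:", len(args_a), "vs", len(args_b))
```

On the sample input it reports two differing directives, `use` and `check_command`, and shows that the `check_command` values differ only by four trailing empty arguments.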