Check WMI issue

CFT6Server
Posts: 506
Joined: Wed Apr 15, 2015 4:21 pm

Check WMI issue

Post by CFT6Server »

Kind of similar to this thread, WMI checks are not working.
http://support.nagios.com/forum/viewtop ... 8&start=10

So I've confirmed that the DCOM permissions are set and the ROOT/CIMv2 permissions are set for Enable Account and Remote Enable.
Some checks work while some don't...

CPU using checkcpu returns
OK (Sample Period 3598 sec) - Average CPU Utilisation Need at least 2 WMI samples% (even though I run this multiple times)

CPU Queue using checkcpuq returns
OK - Average CPU Queue Length 0.0 (3 points with 1 sec delay gives values: , , )

Disk / Pagefile / Memory returns proper values

checkservice doesn't seem to work at all....
running wmic via console also works fine...

Code:

# wmic -U DOMAIN/sa-nagios //SERVER "select * from Win32_ComputerSystem"
Password for [DOMAIN\sa-nagios]:
CLASS: Win32_ComputerSystem
AdminPasswordStatus|AutomaticManagedPagefile|AutomaticResetBootOption|AutomaticResetCapability|BootOptionOnLimit|BootOptionOnWatchDog|BootROMSupported|BootupState|Caption|ChassisBootupState|CreationClassName|CurrentTimeZone|DaylightInEffect|Description|DNSHostName|Domain|DomainRole|EnableDaylightSavingsTime|FrontPanelResetStatus|InfraredSupported|InitialLoadInfo|InstallDate|KeyboardPasswordStatus|LastLoadInfo|Manufacturer|Model|Name|NameFormat|NetworkServerModeEnabled|NumberOfLogicalProcessors|NumberOfProcessors|OEMLogoBitmap|OEMStringArray|PartOfDomain|PauseAfterReset|PCSystemType|PowerManagementCapabilities|PowerManagementSupported|PowerOnPasswordStatus|PowerState|PowerSupplyState|PrimaryOwnerContact|PrimaryOwnerName|ResetCapability|ResetCount|ResetLimit|Roles|Status|SupportContactDescription|SystemStartupDelay|SystemStartupOptions|SystemStartupSetting|SystemType|ThermalState|TotalPhysicalMemory|UserName|WakeUpType|Workgroup
(Some result/info removed here but all values show)

The service checks are simple. Username/pw removed. All the service checks are configured similarly with the exception of $ARG3$
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia
Contact:

Re: Check WMI issue

Post by Box293 »

Have a read of this post:
http://support.nagios.com/forum/viewtop ... 88#p130651

That command should resolve your problem.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
CFT6Server
Posts: 506
Joined: Wed Apr 15, 2015 4:21 pm

Re: Check WMI issue

Post by CFT6Server »

Thanks, I will take a look at this. I am trying to see what exact permissions that command sets. Ultimately pushing this out to over 1000 machines via GPO means I have to know exactly what it is doing. In the meantime, I can spin up a test VM to test this out.
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: Check WMI issue

Post by lmiltchev »

Let us know if running the command Box293 suggested solved your issue. I will keep this topic open for a while.
Be sure to check out our Knowledgebase for helpful articles and solutions!
CFT6Server
Posts: 506
Joined: Wed Apr 15, 2015 4:21 pm

Re: Check WMI issue

Post by CFT6Server »

In our testing, I've added the permissions specified in the article. However, it looks like we only have certain access, but not to all services. For testing I have a service account sa-nagios with limited privileges and another account with local admin rights. The command was run to provide the specified permissions.

To confirm the permission on Windows

Code:

sc sdshow SCMANAGER
D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Then tested with sa-nagios account

Code:

# /usr/local/nagios/libexec/check_wmi_plus.pl -H kdcveeam07 -u sa-nagios -p <password> -m checkservice -a BITS
OK - Found 0 Services(s), 0 OK and 0 with problems (0 excluded). |'Total Service Count'=0; 'Service Count OK State'=0; 'Service Count Problem State'=0; 'Excluded Service Count'=0;

Then tested with account w/ local admin

Code:

# /usr/local/nagios/libexec/check_wmi_plus.pl -H kdcveeam07 -u adminaccount -p <password> -m checkservice -a BITS
OK - Found 1 Services(s), 1 OK and 0 with problems (0 excluded). 'Background Intelligent Transfer Service' (BITS) is Running.|'Total Service Count'=1; 'Service Count OK State'=1; 'Service Count Problem State'=0; 'Excluded Service Count'=0;

It looks like each service can have its own security descriptor and just doing SCManager isn't enough to view all services.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Check WMI issue

Post by ssax »

For the first command, read this:
This allows connecting to the SCM and enumerating services. However, if the DACL on the individual services only allows administrators access to the services, then they still won’t be accessible. You’ll need to run specific 'sc sdset' commands against particular services, or use subinacl to change all services with one command.

For individual services, you could then allow query and interrogate with the following command:

Code:

subinacl /service \\server\* /grant=domain\user=QSI

Or if you wanted to add specific services:

Code:

sc sdset <name of the service> D:(A;;CCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Quote taken from:

http://waynes-world-it.blogspot.com/200 ... y-for.html
CFT6Server
Posts: 506
Joined: Wed Apr 15, 2015 4:21 pm

Re: Check WMI issue

Post by CFT6Server »

I am still trying to figure out how to deploy WMI checks in a least privileged model. Having to do this for 1000+ servers is not feasible at this point. Also there is a risk of potentially overwriting any existing permissions, which might cause issues with the services.

I did more research on this and it looks like you can obtain the permissions of each service and then append additional permissions. Again, on an enterprise scale, this method does not work and is a nightmare to manage. I am guessing people that are using WMI checks are giving local administrator rights or have specific services that they are monitoring?

One thing I wanted to add - check WMI requires a username and password, which is shown in plain text in the services config. If there is any way to use an auth file or something that doesn't require a PW shown in the configuration, then the least privileged issue will be less of a concern. But I don't know if that's possible at this point.
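
The append-instead-of-overwrite approach mentioned in the post above, as an added example that is not part of the original thread: it takes a service descriptor in the form `sc sdshow` prints, keeps every existing ACE and the SACL, and appends one allow ACE carrying only query-config, query-status and interrogate (the SDDL form of the `QSI` grant quoted earlier). The SID is a constructed placeholder, the function names are hypothetical, and the input descriptor is the one from the `sc sdset` line in the thread.

```python
import re

# Service meaning of the two-letter SDDL rights codes used by sc sdshow/sdset.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
READ_ONLY = "CCLCLO"  # query config + query status + interrogate (subinacl QSI)

# Descriptor taken from the sc sdset line in the thread.
PAGE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed placeholder SID standing in for the monitoring account.
EXAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

def split_sddl(sddl):
    """Return (DACL flags, list of DACL ACE bodies, SACL text incl. 'S:')."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^()]*\))*)(S:.*)?", sddl.strip())
    if not m:
        raise ValueError("expected 'D:...S:...' as printed by sc sdshow")
    return m.group(1), re.findall(r"\(([^()]*)\)", m.group(2)), m.group(3) or ""

def decode_dacl(sddl):
    """List (trustee, ace_type, [right names]) for each DACL ACE."""
    rows = []
    for ace in split_sddl(sddl)[1]:
        f = ace.split(";")
        codes = [f[2][i:i + 2] for i in range(0, len(f[2]), 2)]
        rows.append((f[5], f[0], [SERVICE_RIGHTS.get(c, c) for c in codes]))
    return rows

def add_read_ace(sddl, sid):
    """Append one read-only allow ACE for sid; existing ACEs and SACL are kept."""
    flags, aces, sacl = split_sddl(sddl)
    if any(a.split(";")[0] == "A" and a.split(";")[5] == sid for a in aces):
        return sddl.strip()  # already has an allow ACE: change nothing
    aces.append("A;;%s;;;%s" % (READ_ONLY, sid))
    return "D:" + flags + "".join("(%s)" % a for a in aces) + sacl

if __name__ == "__main__":
    updated = add_read_ace(PAGE_SDDL, EXAMPLE_SID)
    print("sc sdset <name of the service> " + updated)
    for trustee, ace_type, rights in decode_dacl(updated):
        print(ace_type, trustee, ",".join(rights))
```

The existing ACEs come back unchanged, so the generated string can be diffed against the `sc sdshow` input before it is applied.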
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: Check WMI issue

Post by tgriep »

Here is a document that describes how to hide sensitive login information used in plugins.
http://assets.nagios.com/downloads/nagi ... Macros.pdf
Take a look at it.
CFT6Server
Posts: 506
Joined: Wed Apr 15, 2015 4:21 pm

Re: Check WMI issue

Post by CFT6Server »

Thanks. This helps. We managed to get the services we want but a weird message is showing.

OK - Found 7 Services(s), 2 OK and 5 with problems (0 excluded). 'BITS' (BITS) is Running, 'DNS Client' (Dnscache) is Running, 'gpsvc' (gpsvc) is Running, 'LanmanServer' (LanmanServer) is Running, 'Netlogon' (Netlogon) is Running, 'Remote Procedure Call (RPC)' (RpcSs) is Running, 'W32Time' (W32Time) is Running.
Performance Data: 'Total Service Count'=7; 'Service Count OK State'=2; 'Service Count Problem State'=5; 'Excluded Service Count'=0;

So it found the 7 services but 5 are showing problems even though it is showing as running.
jdalrymple
Skynet Drone
Posts: 2620
Joined: Wed Feb 11, 2015 1:56 pm

Re: Check WMI issue

Post by jdalrymple »

Agreed - weird.

From there I'd probably run your check from the command line with the -d flag (for debug) to see what check_wmi_plus.pl has going on under the hood. You could run it from the Web UI, but I'm not sure how readable it would be.