Any point to monitoring explorer.exe?
Posted: Fri Jun 10, 2016 12:57 pm
by jriker1
So I have explorer.exe being monitored on one of my Windows systems because it was just one of those default things you saw in samples. I noticed explorer.exe is not technically running unless at some point someone has logged into the desktop directly or through remote desktop. So the system may be fine, but just because someone hasn't logged in, it complains. Am I missing something, am I right on? Is there a reason to be monitoring explorer.exe?
Thanks.
JR
Re: Any point to monitoring explorer.exe?
Posted: Fri Jun 10, 2016 1:31 pm
by rkennedy
It really depends on the use case, as it distinguishes if someone is logged in to the computer or not. To confirm what you said, you are right, it will only return OK when a session is in progress (local, RDP or 'locked'). To some, this might be useful; to others, it may not matter.
Locked / Open session -
Code:
[root@localhost libexec]# ./check_nrpe -H 192.168.3.221 -c check_process -a "process=explorer.exe"
OK: all processes are ok.|'explorer.exe state'=1;0;0 'count'=1;0;0
Logged out -
Code:
[root@localhost libexec]# ./check_nrpe -H 192.168.3.221 -c check_process -a "process=explorer.exe"
CRITICAL: explorer.exe=stopped|'explorer.exe state'=0;0;0 'count'=1;0;0
Re: Any point to monitoring explorer.exe?
Posted: Mon Jun 13, 2016 2:52 pm
by LinearTechs
Greetings,
I have a consideration for this one: What if you want to monitor for the existence of explorer.exe, but want it to be a Warning if it is running and Okay if it isn't?
I think it's a good idea to monitor the servers that nobody should be logging into directly without prior authorization.
So, how do I reverse the specifications/standards of the explorer.exe check?
TIA and I look forward to your reply.
Re: Any point to monitoring explorer.exe?
Posted: Mon Jun 13, 2016 4:49 pm
by bwallace
There are more efficient plugins / ways for monitoring logged in users on Windows rather than deferring to explorer.exe. Have you considered some of these options:
http://john.wesorick.com/2011/03/nagios ... ndows.html
https://exchange.nagios.org/directory/P ... ck/details
https://exchange.nagios.org/directory/P ... er/details
Re: Any point to monitoring explorer.exe?
Posted: Mon Jun 13, 2016 5:38 pm
by LinearTechs
Well,
It seems each of those has the same issue I was describing earlier, namely they all look for users to be logged in, and give Warning/Critical if no one is logged in.
I need to reverse the behavior such that it is Warning if one person is logged in, Critical if more than one is logged in and Okay if no one is logged in.
And, in that regard, it doesn't seem like running the negate plugin over these would quite get what I am looking for either.
It does seem that Wesorick's might work if I can figure out how to define a range of "0 users" as being the Okay state. Unfortunately, I'm unfamiliar with AutoIT scripting, but I will see if I can grok it.
Thanks for the info.
Re: Any point to monitoring explorer.exe?
Posted: Tue Jun 14, 2016 9:13 am
by mcapra
Let us know if you have additional questions pertaining to this use-case!
Re: Any point to monitoring explorer.exe?
Posted: Tue Jun 14, 2016 9:13 am
by rkennedy
I believe @bwallace is correct in that other plugins will be more efficient.
I meant to do this yesterday, but here's a use case if you did want to go the explorer.exe route with negate.
Explorer open -
Code:
[root@localhost libexec]# ./check_nrpe -H 192.168.3.221 -c check_process -a "process=explorer.exe"
OK: all processes are ok.|'explorer.exe state'=1;0;0 'count'=1;0;0
[root@localhost libexec]# echo $?
0
Now, let's use negate -
Code:
[root@localhost libexec]# ./negate -o CRITICAL ./check_nrpe -H 192.168.3.221 -c check_process -a "process=explorer.exe"
OK: all processes are ok.|'explorer.exe state'=1;0;0 'count'=1;0;0
[root@localhost libexec]# echo $?
2
We can flip CRIT -> OK as well -
Code:
[root@localhost libexec]# ./negate -o CRITICAL -c OK ./check_nrpe -H 192.168.3.221 -c check_process -a "process=explorer.exe"
CRITICAL: explorer.exe=stopped|'explorer.exe state'=0;0;0 'count'=1;0;0
[root@localhost libexec]# echo $?
0
While it still shows the original wording, the exit codes are what matter. This plugin will effectively reverse what check_nrpe is doing.
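Added example, not part of the post above or of the Nagios plugins: negate remaps exit codes only, so with `-c OK` every CRITICAL becomes OK whatever its cause, and the status text keeps the original wording. The sketch below instead reads the `'explorer.exe state'` perfdata value shown in the outputs above, rewrites the status line, and returns UNKNOWN when that value is absent. The function names are hypothetical and the perfdata format is assumed to match the thread's output.

```shell
#!/bin/sh
# Added example: invert an explorer.exe check_process result by reading
# its perfdata rather than remapping exit codes.

# classify_explorer_output "<plugin output>"
# Prints a rewritten status line and returns the Nagios exit code:
#   0 OK       explorer.exe state = 0 (no interactive session)
#   1 WARNING  explorer.exe state = 1 (someone is logged in)
#   3 UNKNOWN  no parseable state (the check itself did not report one)
classify_explorer_output() {
    line=$1
    # Pull N out of: 'explorer.exe state'=N;warn;crit
    state=$(printf '%s\n' "$line" |
        sed -n "s/.*'explorer\.exe state'=\([0-9][0-9]*\);.*/\1/p" |
        head -n 1)
    case $state in
        0) echo "OK: no interactive session (explorer.exe stopped)"
           return 0 ;;
        1) echo "WARNING: interactive session present (explorer.exe running)"
           return 1 ;;
        *) # Drop anything after '|' so an error text is not read as perfdata.
           echo "UNKNOWN: no explorer.exe state in output: ${line%%|*}"
           return 3 ;;
    esac
}

# run_inverted <check command...>
# Runs the given check (e.g. the check_nrpe call from the thread) and
# classifies whatever it printed.
run_inverted() {
    out=$("$@" 2>&1)
    classify_explorer_output "$out"
}

# When called with arguments, act as a plugin wrapper.
if [ $# -gt 0 ]; then
    run_inverted "$@"
    exit $?
fi
```

Saved as a script next to the plugins, it would be called with the original check as its arguments, the same way negate is used above.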
Re: Any point to monitoring explorer.exe?
Posted: Tue Aug 02, 2016 8:12 pm
by LinearTechs
I am sorry for the long delay on this response, but I got hit with one of those "has to be done yesterday" projects...
@rkennedy & @bwallace: Thanks for your help. I did finally get the new command into my commands.cfg, and it seems to be working as expected.
Thanks again for your time and efforts in getting me on the right path.
Re: Any point to monitoring explorer.exe?
Posted: Wed Aug 03, 2016 9:10 am
by mcapra
@jriker1 Is it alright if we lock this thread and mark the issue as resolved?
Re: Any point to monitoring explorer.exe?
Posted: Tue Aug 16, 2016 7:35 am
by jriker1
Yes, please close.