check_wmi_plus checkeventlog response is 0 entries

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
Chris Hardick
Posts: 33
Joined: Mon Mar 25, 2019 5:40 am

check_wmi_plus checkeventlog response is 0 entries

Post by Chris Hardick »

Hi

I am running Nagios XI 5.6.2, using the check_wmi_plus plugin (v1.6) to interrogate a Windows 10 PC.
We have set up a minimal permission account on the Windows PC for the remote monitoring.
Most service checks set up are working perfectly, but checkeventlog always returns 0 entries when I know there are entries present.
The service parameters are:
-a system,application, security -o 1,2,3,4,5 -3 24

I have run the query from the Nagios XI VM command line with /d option and it still returns no errors, but 0 entries.

If I run PowerShell on the Win 10 PC (logged in with the minimal permission account) and interrogate WMIC using the query that can be seen at the start of the VM command line /d output, I get the expected entries returned.

Any ideas why I am not getting anything returned?

Thanks for any help
Chris
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: check_wmi_plus checkeventlog response is 0 entries

Post by lmiltchev »

Can you run the following command from the CLI, and show the output? (Hide/obfuscate sensitive data)

/usr/local/nagios/libexec/check_wmi_plus.pl -H <ip address> -u '<username>' -p '<password>' -m checkeventlog -a system,application, security -o 1,2,3,4,5 -3 24 --extrawmicarg "--debuglevel=4"
Be sure to check out our Knowledgebase for helpful articles and solutions!
Chris Hardick
Posts: 33
Joined: Mon Mar 25, 2019 5:40 am

Re: check_wmi_plus checkeventlog response is 0 entries

Post by Chris Hardick »

Hi

Thanks for helping, here is the output
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: check_wmi_plus checkeventlog response is 0 entries

Post by lmiltchev »

It seems like you are using Kerberos. I am not sure if this is what is causing the issue. Can you try to set check_wmi_plus to use NTLMv2 and see if this is going to fix the issue?

https://www.rootusers.com/implement-ntl ... rver-2016/

Some users reported that adding the following option to their command fixed similar issues:

--extrawmicarg --option"client ntlmv2 auth"=yes
Hope this helps.
Chris Hardick
Posts: 33
Joined: Mon Mar 25, 2019 5:40 am

Re: check_wmi_plus checkeventlog response is 0 entries

Post by Chris Hardick »

Hi
I tried your suggestion, though as written it came up with an error with the query usage; I had to use

--extrawmicarg "--option=client ntlmv2 auth=yes"
but this didn't change the result when I used the debuglevel=4 option. Maybe I have still got the argument wrong?

I have read that Kerberos doesn't work with IP addresses, but I assume the check will automatically then use NTLM.

Thanks for your help

Chris
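
Added example, not part of either post: how a POSIX shell splits the argument fragments quoted in this thread into words before check_wmi_plus.pl receives them. `show_args` and the three wrapper functions are hypothetical helpers written for this illustration; what the plugin does with each word is not shown on this page.

```shell
#!/bin/sh
# Print every argument the shell hands to a command, one per line in brackets,
# so word boundaries and quote removal are visible.
show_args() {
    for a in "$@"; do
        printf '[%s]\n' "$a"
    done
}

# Form first suggested in the thread. The quotes are removed and the pieces
# are glued together, so the second word has no "=" after "--option".
as_suggested() {
    show_args --extrawmicarg --option"client ntlmv2 auth"=yes
}

# Form reported as accepted. The whole option, spaces included, is one word
# beginning with "--option=".
as_corrected() {
    show_args --extrawmicarg "--option=client ntlmv2 auth=yes"
}

# Log list and filters exactly as typed in the thread. The space after the
# second comma ends the value of -a, so "security" becomes a word of its own.
log_list() {
    show_args -a system,application, security -o 1,2,3,4,5 -3 24
}

echo "as suggested:"; as_suggested
echo "as corrected:"; as_corrected
echo "log list:";     log_list
```
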
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: check_wmi_plus checkeventlog response is 0 entries

Post by lmiltchev »

Chris, what happens if you try using the FQDN instead of an IP address?

/usr/local/nagios/libexec/check_wmi_plus.pl -H FQDN -u '<username>' -p '<password>' -m checkeventlog -a system,application, security -o 1,2,3,4,5 -3 24 --extrawmicarg "--debuglevel=4"
Edit:
Also try:

/usr/local/nagios/libexec/check_wmi_plus.pl -H FQDN -u '<username>' -p '<password>' -m checkeventlog -a system,application, security -o 1,2,3,4,5 -3 24 --extrawmicarg "--debuglevel=4" -d -d -d
Chris Hardick
Posts: 33
Joined: Mon Mar 25, 2019 5:40 am

Re: check_wmi_plus checkeventlog response is 0 entries

Post by Chris Hardick »

Hi

Unfortunately, the system in which we are trying to use these checks does not use domain names, only IP addresses. We don't have a DNS setup, and it is not possible to accommodate one.
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: check_wmi_plus checkeventlog response is 0 entries

Post by lmiltchev »

Run the command with the IP address then:

/usr/local/nagios/libexec/check_wmi_plus.pl -H <ip address> -u '<username>' -p '<password>' -m checkeventlog -a system,application, security -o 1,2,3,4,5 -3 24 --extrawmicarg "--debuglevel=4" -d -d -d
Hopefully, the extra "d"s will provide more verbose output. If we don't find any clues in the output, we would have to move this to a ticket, and probably schedule a remote session to further troubleshoot the issue.

You can open a ticket via our support center here:

https://support.nagios.com/tickets/
Chris Hardick
Posts: 33
Joined: Mon Mar 25, 2019 5:40 am

Re: check_wmi_plus checkeventlog response is 0 entries

Post by Chris Hardick »

Thanks

I have PM'd the output file.
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: check_wmi_plus checkeventlog response is 0 entries

Post by lmiltchev »

Replied via a PM.