
check_wmi_plus checkeventlog response is 0 entries

Posted: Wed Jun 19, 2019 4:51 am
by Chris Hardick
Hi

I am running Nagios XI 5.6.2, using the check_wmi_plus plugin (v1.6) to interrogate a Windows 10 PC.
We have set up a minimal permission account on the Windows PC for the remote monitoring.
Most service checks set up are working perfectly, but checkeventlog always returns 0 entries when I know there are entries present.
The service parameters are:
-a system,application, security -o 1,2,3,4,5 -3 24

I have run the query from the Nagios XI VM command line with /d option and it still returns no errors, but 0 entries.

If I run PowerShell on the Win 10 PC (logged in with the minimal permission account) and interrogate WMIC using the query that can be seen at the start of the VM command line /d output, I get the expected entries returned.

Any ideas why I am not getting anything returned?

Thanks for any help
Chris

Re: check_wmi_plus checkeventlog response is 0 entries

Posted: Wed Jun 19, 2019 10:19 am
by lmiltchev
Can you run the following command from the CLI, and show the output? (Hide/obfuscate sensitive data)

Code:

/usr/local/nagios/libexec/check_wmi_plus.pl -H <ip address> -u '<username>' -p '<password>' -m checkeventlog -a system,application, security -o 1,2,3,4,5 -3 24 --extrawmicarg "--debuglevel=4"

Re: check_wmi_plus checkeventlog response is 0 entries

Posted: Thu Jun 20, 2019 8:00 am
by Chris Hardick
Hi

Thanks for helping, here is the output

Re: check_wmi_plus checkeventlog response is 0 entries

Posted: Thu Jun 20, 2019 10:58 am
by lmiltchev
It seems like you are using Kerberos. I am not sure if this is what is causing the issue. Can you try to set check_wmi_plus to use NTLMv2 and see if this is going to fix the issue?

https://www.rootusers.com/implement-ntl ... rver-2016/

Some users reported that adding the following option to their command fixed similar issues:

Code:

--extrawmicarg --option"client ntlmv2 auth"=yes
Hope this helps.

Re: check_wmi_plus checkeventlog response is 0 entries

Posted: Mon Jun 24, 2019 10:31 am
by Chris Hardick
Hi
I tried your suggestion, though as written it came up with an error with the query usage; I had to use

Code:

--extrawmicarg "--option=client ntlmv2 auth=yes"
but this didn't change the result when I used the debuglevel=4 option. Maybe I have still got the argument wrong?

I have read that Kerberos doesn't work with IP addresses, but I assume the check will automatically then use NTLM.

Thanks for your help

Chris

Re: check_wmi_plus checkeventlog response is 0 entries

Posted: Mon Jun 24, 2019 12:04 pm
by lmiltchev
Chris, what happens if you try using the FQDN instead of an IP address?

Code:

/usr/local/nagios/libexec/check_wmi_plus.pl -H FQDN -u '<username>' -p '<password>' -m checkeventlog -a system,application, security -o 1,2,3,4,5 -3 24 --extrawmicarg "--debuglevel=4"
Edit:
Also try:

Code:

/usr/local/nagios/libexec/check_wmi_plus.pl -H FQDN -u '<username>' -p '<password>' -m checkeventlog -a system,application, security -o 1,2,3,4,5 -3 24 --extrawmicarg "--debuglevel=4" -d -d -d

Re: check_wmi_plus checkeventlog response is 0 entries

Posted: Tue Jun 25, 2019 6:01 am
by Chris Hardick
Hi

Unfortunately, the system in which we are trying to use these checks does not use domain names, only IP addresses. We don't have a DNS setup, and it is not possible to accommodate one.

Re: check_wmi_plus checkeventlog response is 0 entries

Posted: Tue Jun 25, 2019 12:02 pm
by lmiltchev
Run the command with the IP address then:

Code:

/usr/local/nagios/libexec/check_wmi_plus.pl -H <ip address> -u '<username>' -p '<password>' -m checkeventlog -a system,application, security -o 1,2,3,4,5 -3 24 --extrawmicarg "--debuglevel=4" -d -d -d
Hopefully, the extra "d"s will provide more verbose output. If we don't find any clues in the output, we would have to move this to a ticket, and probably schedule a remote session to further troubleshoot the issue.

You can open a ticket via our support center here:

https://support.nagios.com/tickets/

Re: check_wmi_plus checkeventlog response is 0 entries

Posted: Wed Jun 26, 2019 3:40 am
by Chris Hardick
Thanks

I have PM'd the output file.

Re: check_wmi_plus checkeventlog response is 0 entries

Posted: Wed Jun 26, 2019 9:55 am
by lmiltchev
Replied via a PM.