...A place for sharing IT monitoring knowledge

Thursday, 6 December 2012

Monitoring Windows services with WMI


One of the most important tasks when monitoring Windows servers is checking the status of critical services. In this post I'll explain how to check from outside the server whether they are running, using WMI.

The key argument for using WMI instead of the methods that have been common until now (NSClient++) is clear: WMI is native to Windows and needs no third-party software installed on the server side, which frees you from:

  • periodic upgrades of the agent software
  • the potential security holes that an extra agent brings
  • (and, as a consequence) long and tedious discussions with the server administrators
This post is not meant as an in-depth WMI howto but as an "if you need to do it, do it this way" guide. You can find plenty of material on the Web covering in depth every aspect of configuring a Windows system to allow remote WMI access.

WMI

Windows Management Instrumentation is the infrastructure for management data and operations on Windows-based operating systems. In practice this means that everything you need to know about a Windows XP, Vista, Windows 7, Windows 8, 2003 Server or 2008 Server machine can be retrieved via WMI.

wmic is a Windows command-line program that lets you interact with WMI on both the local and a remote Windows system. For instance, from a cmd.exe prompt it lists the running services like this:

>wmic SERVICE where (state="running") GET caption, name, state

Run it from cmd.exe, not from a PowerShell prompt: PowerShell parses the parentheses itself and fails with "The term 'state=running' is not recognized". If you are in PowerShell, pass the clause as a quoted string instead: wmic service where "state='running'" get caption, name, state

WMI on the linux side

Luckily for us there is wmi-client, a Linux program that retrieves the same kind of information but, in this case, by running SQL-like (WQL) queries from a remote Linux host:

>wmic -U myDomain/jdoe%jdoe_password //192.168.0.64 "select caption, name, state from Win32_Service where state='running'"

The previous command retrieves the caption, name and state of all running services on the Windows host with address 192.168.0.64, using the credentials of the user jdoe (password jdoe_password), who belongs to a Windows domain called myDomain. Note that the password is passed on the command line, so it is visible to every local user through ps and ends up in your shell history; for anything beyond a quick test use the -A option, which reads the credentials from a Samba-style credentials file instead.

wmi-client 1.3.14 packages for Debian (Squeeze) and Ubuntu (Maverick) are available on Mike Palmer's website (sorry Mike, I've no online resources available for storing them). For those not using Debian-like systems, the wmi-client 1.3.13 source package is available in the Zenoss repository.

Granting remote access to WMI

Once wmi-client is installed on your Linux system, all you need to start playing with it is:
  • Configuring the remote Windows system to accept external WMI queries.
  • Defining a user with enough privileges to run remote WMI queries.
About the first task: if you're dealing with Windows 2003/2008 servers you don't need to enable anything on the server side, since remote WMI access is available out of the box. What can still block you is the Windows Firewall: remote WMI runs over DCOM, which needs TCP port 135 plus the dynamic RPC ports, so on 2008 make sure the "Windows Management Instrumentation (WMI)" inbound rule group is enabled (netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes); otherwise the query will simply time out or be refused.

About defining the user, you can google and find a lot of literature (most of it wrong) on how to configure it with just the privileges needed to run WMI queries; in essence that means membership of the Distributed COM Users group plus the Remote Enable permission on the root\cimv2 namespace (set through wmimgmt.msc). If you need to go faster, just create a local user with admin privileges, and if you need to go even faster, create that user in the domain and prefix the user name with the domain name, domain/user, as in the previous example. Be aware of what the shortcut costs: the monitoring host then holds administrator credentials for every server it polls, so a compromise of that host is a compromise of all of them. Use a dedicated account that does nothing else, never a shared admin account, and restrict the hosts it is allowed to log on to.

Monitoring services

Once you have remote access to the server, it's time to let your monitoring system use the information retrieved via WMI. For that purpose you need a query that returns the state of a service given its name, for instance "select state from Win32_Service where name='target_service_name'".

In order to feed your monitoring system with the retrieved information you can proceed in different ways:
  • Calling the wmic command and parsing its output.
  • If you like Perl, you can run the previous query through Net::WMIClient, a programmatic interface to the wmic binary.
Users of Nagios-core compatible solutions (Nagios, Centreon, Icinga, OP5) can rely on check_wmi_plus, a well documented mega-plugin that, among many other things, reports the status of the services running on a remote WMI-capable system:
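As an added example of the first approach (this is not code from the post, from wmi-client or from check_wmi_plus), here is a minimal Nagios-style check: it runs the service query with wmi-client's wmic, parses the '|'-separated output and maps the result to Nagios exit codes. The script name check_wmi_svc.sh and the parser function name are assumptions, and the sample wmic output embedded in it is constructed, not captured from a real host. It also covers the failure mode a plain "count the bad ones" check misses: a regex that matches no service at all (a typo, or a renamed service) returns UNKNOWN instead of looking healthy.

```shell
#!/bin/sh
# check_wmi_svc.sh: Nagios-style service check on top of wmi-client's wmic.
# Usage: check_wmi_svc.sh 'DOMAIN/user%password' HOST 'NAME_REGEX'
# Exit codes follow the Nagios convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.
# (Example script, not part of the original post or of wmi-client.)

# Constructed sample of what wmi-client's wmic prints for the query used below:
# a "CLASS:" line, a '|'-separated header row, then one row per service.
SAMPLE_OUTPUT='CLASS: Win32_Service
Caption|Name|State
Microsoft Exchange Address Book|MSExchangeAB|Running
Microsoft Exchange Transport|MSExchangeTransport|Stopped
Print Spooler|Spooler|Running'

# evaluate_services REGEX   (wmic output is read from stdin)
# Prints one Nagios status line and returns:
#   0 if every service whose Name matches REGEX is Running,
#   2 if at least one matching service is in any other state,
#   3 if no service matched at all (a mistyped regex must not look healthy;
#     this is also what you get when wmic printed nothing, e.g. on auth failure).
evaluate_services() {
    regex=$1
    total=0; bad=0; bad_list=""
    while IFS='|' read -r caption name state; do
        # The "CLASS:" line has no '|' so name is empty; skip it and the header row.
        [ -z "$name" ] && continue
        [ "$name" = "Name" ] && continue
        printf '%s\n' "$name" | grep -Eq -- "$regex" || continue
        total=$((total + 1))
        if [ "$state" != "Running" ]; then
            bad=$((bad + 1))
            bad_list="$bad_list $name=$state"
        fi
    done
    if [ "$total" -eq 0 ]; then
        echo "UNKNOWN - no service matches '$regex'"
        return 3
    elif [ "$bad" -gt 0 ]; then
        echo "CRITICAL - $bad of $total matching service(s) not running:$bad_list"
        return 2
    fi
    echo "OK - $total matching service(s) running"
    return 0
}

if [ "$#" -eq 3 ]; then
    # Real query: -U takes the same DOMAIN/user%password syntax as the post's
    # wmic examples. The password is visible in ps this way; wmi-client's -A
    # credentials-file option avoids that in production.
    wmic -U "$1" "//$2" \
        "select Caption, Name, State from Win32_Service" | evaluate_services "$3"
    exit $?
else
    # No arguments: exercise the parser on the constructed sample above.
    # Prints: CRITICAL - 1 of 2 matching service(s) not running: MSExchangeTransport=Stopped
    evaluate_services '^MSExchange' <<EOF || true
$SAMPLE_OUTPUT
EOF
fi
```

A real invocation would look like ./check_wmi_svc.sh 'myDomain/jdoe%jdoe_password' 192.168.0.64 '^MSExchangeAB$'; anchoring the regex matters, since an unanchored MSExchangeAB would also match any other service whose name merely contains that string.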

define command{
command_name check_wmi_service
command_line $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -u $ARG1$ -p $ARG2$ -m checkservice -a '$ARG3$' --inidir=/usr/local/nagios/libexec -c _NumBad=0
}

In the previous example a command named check_wmi_service is defined to monitor whether a given service is running. It is based on these variables:
  • $HOSTADDRESS$: the address of the WMI-capable Windows server
  • $ARG1$: the user name (for a local user) or domain/username (for a domain user)
  • $ARG2$: the user password
  • $ARG3$: a regular expression matched against the service name
The command returns OK when every service whose name matches the $ARG3$ regex is running, and CRITICAL as soon as one of them is in any other state, because the threshold for services in a "bad" state is set to 0 (-c _NumBad=0). Two things to check before relying on it: anchor the regex (^name$) so it cannot also match an unrelated service, and test it against the service list from a wmic query first, since a regex that matches nothing leaves no bad services to count. Also, the plugin accepts an authentication file (-A) in place of -u/-p; with -u/-p the password sits in the Nagios configuration and shows up in the process list of the monitoring host.

So, for instance, you can define a service using the previous command to check that the MS Exchange address book service (called MSExchangeAB) is running, this way:

define service{
host_name ExchangeServer
service_description Address book service
check_command check_wmi_service!jdoe!jdoe_password!^MSExchangeAB$
...
}


3 comments:

  1. This comment has been removed by a blog administrator.

  2. try ready made ISO fullyautomatednagios, You can download and install it from http://www.dlightdaily.com

  3. wmic SERVICE where (state=”running”) GET caption, name, state

    state=running : The term 'state=running' is not recognized as the name of a cmdlet, function, script file, or
    operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
    and try again.
    At line:1 char:21
    + wmic SERVICE where (state=”running”) GET caption, name, state
    + ~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (state=running:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
