Monitoring Windows Machines with WMI and Nagios XI

Nagios XI – Monitoring Windows Using WMI

The Industry Standard in IT Infrastructure Monitoring

Purpose

This document describes how to monitor Windows machines with Nagios® XI™ using WMI.

WMI (Windows Management Instrumentation) allows for agentless monitoring of Windows machines.

Nagios XI supports WMI monitoring, which provides admins with a simple method of monitoring their Windows servers and workstations without having to install or configure agents.

Target Audience

This document is intended for use by Nagios XI Administrators who want to monitor Windows servers and workstations without having to install an agent.

XI Server Requirements

Before you can monitor Windows machines using WMI, you must install the WMI client on the Nagios XI server. For instructions on doing this, read the following document from the Nagios Library:

Installing The WMI Client For XI http://assets.nagios.com/downloads/nagiosxi/docs/Installing_The_WMI_Client_For_XI.pdf

Windows Machine Requirements

You will need to ensure you have the following requirements setup before you can use WMI to monitor and windows server or workstation.

• WMI service is running • WMI user account set up • Firewall rules set up

We will walk through each of these requirements for the window machine you wish to monitor. You will need to log in as a user with administrator privileges.

WMI Service

First, verify the WMI service is running on your windows machine:

Click Start and choose Run.

The window to the right will appear and type “services.msc” in the Open field.

Note: This document was originally written for Windows XP and Windows Server 2003. If you are running a later version of Window or Windows Server, you can skip the Run step in the instructions and instead type the “services.msc” in the Search field of Start menu. This applies to all the instructions going forward in this document.

Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 1 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI

Before you can monitor Windows machines using WMI, you must ensure that the Windows Management Instrumentation service is running. You can configure and start the service in the Computer Management console under the Services section.

Verify the service Windows Management Instrument (WMI) is in a status of Started.

Configure A WMI User Account On The Windows Machine:

Next, configure a WMI user account on the local machine. We'll create a new user account called “wmiagent” with a password “wmiagent” as an example.

From the command prompt enter: net user wmiagent wmiagent /add

Setting WMI permissions

WMI requires a valid username and password on the target system. The following steps outline how to add only the permissions needed to the Windows user account. However, you can add the user to be a member of the local administrators group instead.

Note: If you wish to monitor multiple computers across the domain, instead add the user to be a member of the “Distributed Com Users”, “Performance Log Users” and “Performance Monitor Users” groups.

Adding Remote Activation Privilege to Windows DCOM

Next, we need to give our newly created user access to DCOM on the localhost. In order to do this, open Component Services.

Click Start, choose Run. Enter “DCOMCnfg.exe” and click OK.

Expand Component Services, and drill down to the local computer.

Right click on My Computer and select Properties

Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 2 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI

Select COM Security tab, and next choose the Edit Limits... button from the Launch Activation Permissions section.

Add the user that will be used by Nagios to monitor this machine, in our case the user is wmiagent.

Click Add. Enter “wmiagent” in the Enter the object name to select and click OK. You will now see wmiagent as a user.

Check the Remote Launch and Remote Activation check boxes under Allow.

Click OK twice.

Adding Remote WMI Access

In order for our user to return data remotely from WMI, access to the WMI namespace CIMV2 must be added.

Click Start, choose Run, type “WMImgmt.msc”

Right click on WMI Control (local) and select Properties.

Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 3 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI

Select the Security tab of the WMI Control Properties.

Expand Root, and right click on CIMV2, select Properties

Note: In later version of Windows you need to select CMIV2 and click the Security button.

Click Add. Enter “wmiagent” in the Enter the object name to select and click OK. You may need to use the Check Names button to find the correct object.

You will now see “wmiagent” as a user.

Check the Enable Account and Remote Enable check boxes under Allow.

Click OK twice.

Windows Firewall Settings

Next, configure the firewall rules specific to the version of windows being monitored.

Windows Server 2008

Windows Server 2008 should by default have the correct firewall rules set.

To check firewall settings, select Start and type “firewall” in the search dialog box and hit enter.

Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 4 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI

Verify the Inbound Rules exist and are enabled for:

• DCOM • WMI

If the WMI rule group does not exist as pictured above, the recommended settings are listed here as outlined by Microsoft. From the command prompt enter:

netsh advfirewall firewall add rule dir=in name="DCOM" program=%systemroot %\system32\svchost.exe service=rpcss action=allow protocol=TCP localport=135

netsh advfirewall firewall add rule dir=in name ="WMI" program=%systemroot %\system32\svchost.exe service=winmgmt action = allow protocol=TCP localport=any

netsh advfirewall firewall add rule dir=in name ="UnsecApp" program=%systemroot %\system32\wbem\unsecapp.exe action=allow

netsh advfirewall firewall add rule dir=out name ="WMI_OUT" program=%systemroot %\system32\svchost.exe service=winmgmt action=allow protocol=TCP localport=any

More details about 2008 firewall settings can be found at: http://msdn.microsoft.com/en-us/library/windows/desktop/aa822854(v=vs.85).aspx

Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 5 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI

Windows Server 2012

Create a user account on the server. Example is wmiagent as the username and wmiagent as the password.

Add the user (s) in question to the Performance Monitor Users group. You can access this from Control Panel, Administrative Tools, Computer Management. Expand System Tools, Local Users and Groups, Groups. Edit the Performance Monitor Users group and add the wmiagent user.

Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 6 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI

Enabling Remote DCOM

Under Services and Applications, bring up the Properties dialog of WMI Control. You can access this from Control Panel, Administrative Tools, Computer Management. Expand Services and Applications and right click WMI Control.

In the Security tab, highlight the root / CIMV2, click Security;

Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 7 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI

Add Performance Monitor Users Group and enable the options: Enable Account and Remote Enable. Click OK

Run dcomcnfg. At Component Services> Computers> My Computer, Right click My Computer and Select the COM COM Security tab of the Properties dialog box.

Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 8 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI

Click "Edit Limits" for Both Access Permissions and Launch and Activation Permissions. Add Performance Monitor Users and allow remote access, remote launch, and remote activation

Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 9 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI

Select Windows Management Instrumentation under Component Services> Computers> My Computer> DCOM Config.

Right Click Windows Management Instrumentation and select the Security Tab. Click Edit for Launch and Activation Permissions and give Remote Launch and Remote Activation privileges to performance Users Group.

Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 10 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI

Allowing NTLM Run gpedit.msc, Go to Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, Security Options and edit Network security: LAN Manager authentication Level. Change it to the following setting: Send LM & NTLM – use NTLMv2 session security if negotiated.

Open a Command prompt on the 2012 server and run the following command. winrm quickconfig

Type Y to configure LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.

This should enable your Windows 2012 server for remote WMI monitoring.

Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 11 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI

Windows Server 2003

The following section describes firewall and DCOM port configuration for a 2003 Windows Server. By default DCOM communicates with the client on a random port, so in order to write firewall rules, specifying a port range is also described.

Click Start, choose Run, type “DCOMCnfg.exe”

Expand Component Services, expand Computers, right-click My Computer, and select Properties.

Next, choose the Default Protocols tab

Select Properties and click Add.

Add a port range for COM services. In our example we selected range from 5000- 5020. Depending on your environment, you may want to choose a different range.

Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 12 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI

Allow the port range through the windows firewall. This command will open ports from 5000-5020 to match the COM Internet Services Range.

From the command prompt enter:

FOR /L %I IN (5000,1,5020) DO netsh fire wall add portopening TCP %I "COM"%I

Lastly, open DCOM port 135

From the command prompt enter: netsh firewall add portopening TCP 135 "DCOM"

Windows XP

If you are running a firewall on the Windows machine, you must ensure that the Nagios server can contact the WMI service.

To do this, you must open TCP Port 135 on the Windows firewall.

Navigate to Start→All Programs→Accessories→System Tools→Security Center

From the Windows Security Center click on the link to Manage Setting for: Windows Firewalls.

Switch to the Exception Tab and click the Add Port Button. The following window will open.

Enter WMI for the Name and Port number 135, then click OK.

Installing The WMI Monitoring Wizard (For users running Nagios XI 2012 r1.0 and earlier)

Now that we have the windows machine set up to connect with WMI, we can now set up Nagios XI to monitor it. To do so we will use the WMI Monitoring Wizard.

Installing the WMI Monitoring wizard only applies to users running Nagios XI 2012 r1.0 and earlier. If you are using a later version you can skip this section as the Windows WMI monitoring wizard comes pre-installed on your system. If you need to install the Windows

Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 13 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI

WMI monitoring wizard, you can download the wizard from the following link:

Nagios XI Windows WMI Wizard Direct Download http://assets.nagios.com/downloads/nagiosxi/wizards/windowswmi.zip

To install the wizard in Nagios XI, go to Admin → Manage Config Wizards.

Browse for the windowswmi.zip that was downloaded above and click the Upload Wizard button.

Running The WMI Wizard

Once the wizard is installed in Nagios XI, it will be available when you navigate to Configure → Run the Monitoring Wizard → Windows WMI wizard.

The wizard will prompt you for the IP Address of the Windows machine, along with the Username and Password to access the machine.

Click Next.

The wizard will allow you to select what types of metrics and data should be monitored, along with warning and critical thresholds. New in XI5, WMI will detect disks, services, and processes that are on your machine. This makes it much easier to set up checks for those services. If XI5 is not able to communicate via WMI, the error information will also display.

Metrics and data that can be monitored using the WMI wizard include:

• CPU Usage • Memory Usage • Page File Usage • Disk Usage • Service State • Process State

Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 14 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI

• Event Log Data

Once you have selected the checks you want to enable, click Next to continue. Customize your monitoring setting as needed and click Finish.

The screen shot below shows disk, cpu, memory, service, and additional process monitoring capabilities of the WMI wizard.

Troubleshooting

If the status information on the Service Detail page is empty (null) or states “Install wmic”. The problem is probably that the WMIC plugins were not installed properly. Redo the installation steps outlined in the document below:

How To Install The WMI Client For Nagios XI http://assets.nagios.com/downloads/nagiosxi/docs/Installing_The_WMI_Client_For_XI.pdf

When the process that is trying to access the namespace does not have the required WMI privileges, you may see errors similar to this one:

UNKNOWN - The WMI query had problems. The error text from wmic is: [wmi/wmic.c:212:main()] ERROR: Retrieve result data. NTSTATUS: NT code 0x80041003 - NT code 0x80041003

To fix the issue, log in the remote Windows box (target machine), open the CMD Prompt as an Administrator, and run the following command in order to allow WMI queries: sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD) (AU;OIIOFA;GA;;;WD)

Sourced from here: http://support.microsoft.com/kb/907460

This command is proven to work on Windows 2003, 2008R2 and 2012R2 – no reboot is required.

Finishing Up

You should now be able to monitor windows workstations and servers using WMI. If you have any issues with your Nagios XI system, please post your questions on the Nagios Support Forum at:

Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 15 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI

http://support.nagios.com/forum/

Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 16 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016