How to implement agentless monitoring of Windows using WMI
Introduction
This how-to will guide you to monitor your Windows server using WMI. This will allow you to monitor Windows hosts without installing an agent.
WMI monitoring is an alternative to using the NSClient++ agent.
Information about WMI
What is WMI?
In short: a way to run queries on a Windows host, much like SNMP but much more advanced. The long version: WMI is a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification. WMI is Microsoft’s implementation of the Web-Based Enterprise Management (WBEM) and Common Information Model (CIM) standards from the Distributed Management Task Force (DMTF) (source: Wikipedia).
Why should I use WMI?
- It is agentless
- You can monitor a lot more with WMI on a Windows host than with SNMP
- You can create more complex monitoring queries
Prerequisites
- The Windows host you want to monitor needs to have WMI enabled and a system user that is allowed to do WMI queries (See “Configure remote WMI access in Windows” below)
Start monitoring
Add a new host using Management packs
- Go to Configure -> Host Wizard
- Select the management pack “Microsoft Windows Server via WMI” and enter the credentials for a user with WMI query privileges
- Click the Next button
- Enter host name and IP address and click Next
- Click on Save configuration and view hosts
Usage examples
To start monitoring Windows system services you need to add a new service to your host in op5 Monitor. See the product Manual for more information regarding service configuration.
Monitoring all system services
- Expand “check_command” and select “check_wmip_service” in the drop-down list
- Set “check_command_args” to “$_HOSTUSER$!$_HOSTPASSWORD$!Auto”
  You can add a fourth argument with a pipe ("|") separated list of services that you want to exclude from monitoring. Example: “$_HOSTUSER$!$_HOSTPASSWORD$!Auto!service_a|service_b|service_c”
- Click on the “Submit” button and then “Save changes” in the top right corner
Monitoring specific system service
- Expand “check_command” and select “check_wmip_service” in the drop-down list
- Set “check_command_args” to “$_HOSTUSER$!$_HOSTPASSWORD$!service_name”
  The third argument, which specifies the service name, can be a pipe ("|") separated list of services. Example: “$_HOSTUSER$!$_HOSTPASSWORD$!service_a|service_b”
- Click on the “Submit” button and then “Save changes” in the top right corner
Troubleshooting and testing
Manually test the check_wmi_plus plugin
Execute the following command via SSH or console on the server running op5 Monitor:
# asmonitor /opt/plugins/check_wmi_plus.pl -H [IP or Hostname] -u [username] -p [password] -m checkmem -w 80 -c 90
In some cases UPN (user@domain) might be used instead of DOMAIN/USER.
Security
Configure WMI account information
It’s possible to add the user name and password to a central file, “/opt/monitor/etc/resource.cfg”.
This allows you to partially hide the credentials from the op5 GUI and to update a single file if they need to be changed.
Note that you need to edit all of the WMI check_commands to use $USER8$ and $USER9$ instead of $ARG1$ and $ARG2$.
You will also have to rename the remaining arguments.
Example of an updated check_command:
$USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -m checkcpu -u $USER8$ -p $USER9$ -w $ARG1$ -c $ARG2$ $ARG3$ $ARG4$ $ARG5$
If you wish to use the resource file, add the following to "/opt/monitor/etc/resource.cfg":
$USER8$=[wmi username]
$USER9$=[wmi password]
Restart the monitor service via SSH or console on the op5 Monitor server:
# service monitor restart
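The migration described above, as an added example that is not part of the original how-to or of op5's own tooling: it rewrites an old-style command line into the updated check_command form, strips the two credential fields from a service's check_command_args, and checks whether the resource file is readable by other users. The "before" command line and all function names are assumptions made for the illustration.

```python
import os
import re
import stat

ARG_RE = re.compile(r"\$ARG(\d+)\$")
CRED_MACROS = {1: "$USER8$", 2: "$USER9$"}  # macro names from the page


def migrate_command_line(command_line):
    """Move credentials to $USER8$/$USER9$ and shift later $ARGn$ down by two."""
    if "$USER8$" in command_line and "$USER9$" in command_line:
        return command_line  # already migrated, do not shift arguments twice
    # Assumption: the old command passes user/password as -u $ARG1$ -p $ARG2$.
    if not (re.search(r"-u\s+\$ARG1\$", command_line)
            and re.search(r"-p\s+\$ARG2\$", command_line)):
        raise ValueError("credentials are not in $ARG1$/$ARG2$; migrate by hand")

    def shift(match):
        n = int(match.group(1))
        return CRED_MACROS.get(n) or "$ARG%d$" % (n - 2)

    return ARG_RE.sub(shift, command_line)


def migrate_service_args(check_command_args):
    """Drop the two leading credential fields from '!'-separated arguments."""
    fields = check_command_args.split("!")
    if fields[:2] != ["$_HOSTUSER$", "$_HOSTPASSWORD$"]:
        raise ValueError("arguments do not start with the host credential macros")
    return "!".join(fields[2:])


def readable_by_others(path):
    """True if the resource file can be read by users outside its owner and group."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


# Constructed "before" definition; the page only shows the updated form.
OLD_COMMAND = ("$USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -m checkcpu "
               "-u $ARG1$ -p $ARG2$ -w $ARG3$ -c $ARG4$ $ARG5$ $ARG6$ $ARG7$")

if __name__ == "__main__":
    print(migrate_command_line(OLD_COMMAND))
    print(migrate_service_args("$_HOSTUSER$!$_HOSTPASSWORD$!Auto!service_a|service_b"))
```

Once the credentials live in resource.cfg, a `True` result from `readable_by_others("/opt/monitor/etc/resource.cfg")` means the file mode still exposes them to every local account.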
Configure remote WMI access in Windows
There are two ways to grant a remote user access to WMI: either add the user to the administrators group, or follow the steps below to grant access to WMI without using administrator rights.
When using a non-administrator user it is not possible to monitor all Windows services. Some services require that some security settings in Windows are modified, which is out of scope for this how-to.
This part shows how to set up remote WMI access on a Windows 2008 R2 SP1 server. This server was set up as a member server of a workgroup.
Create a new user
We create a new user and after that we will give the user access to do remote WMI queries.
- Go to ‘Server Manager’ by right-clicking on ‘Computer’ in the start-menu and select ‘Manage’
- Click your way down to Configuration -> Local Users and Groups -> Users
- Create a new user.
- Set ‘User Name’ to any name you like.
- Check ‘User cannot change password’
- Check ‘Password never expires’
- Click ‘Create’
Change user settings
- Edit the user just created and go to the tab ‘Members of’
- Click add and add the group ‘Distributed COM Users’
- Click ‘OK’
- Also add the group ‘Performance log users’
- Remove group ‘User’
- Click ‘OK’
Grant privileges to WMI
- Open ‘MMC’ by going to the start-menu and running the command ‘mmc’
- Go to File -> ‘Add/Remove Snap-in…’
- Add ‘WMI Control’ for the local computer
- Click ‘OK’
- Right-click on ‘WMI Control (local)’ in the right hand list and select ‘Properties’
- Go to the ‘Security’ tab
- Select ‘Root’ and click on ‘Security’
- Add the user created earlier and set the following permissions:
  - Execute methods
  - Enable Account
  - Remote Enable
- Click on ‘Advanced’
- Select the WMI user and click on ‘Edit’
- Select to apply this to ‘This namespace and subnamespaces’
- Click ‘OK’ four times.
Done!
Read more
- WMI browser
- Check WMI Plus homepage