About WMIC

When deciding how to monitor MS Windows servers, you have a few best-practice choices to make. You can install the GroundWork Distributed Monitoring Agent (GDMA), use the native MS Windows SNMP service, use another open source agent such as NSClient++ and NRPE, or use native WMI calls. All of these give you some form of detailed information on exactly what is happening on your Windows systems. If you have just a few Windows servers and a single domain, you might consider not installing or running an agent at all. You can get detailed information by interrogating the WMI service using the excellent check_wmi_plus.pl plugin, available at https://edcint.co.nz/checkwmiplus/ and packaged by GroundWork for your convenience. We created a profile to use this plugin for several Windows checks. This article shows you how to set it up.

Note that the plugin is designed to run as an active check from your GroundWork server, and it isn't very fast (though the supplier can give you a premium version for a small fee that is faster, see https://edcint.co.nz/checkwmiplus/check-wmi-plus-pro-to-improve-performance-and-functionality/). That limits it a bit: we recommend using a local GroundWork server (either a parent or a child), and you may need to limit the polling frequency somewhat. This is balanced by the convenience of not needing to install anything on the Windows systems, but as you will see there are a few hoops to jump through nonetheless. In particular, you need to enable an account with remote login, and WinRM for full functionality. It's not always possible to do so in secure environments, so evaluate your policies before you use this method.

In summary, the steps are:

  • Add a user to your domain for monitoring
  • Enable the user for Remote access rights
  • Edit the authfile
  • Set a Nagios macro
  • Load and apply the profile

Configuring WMIC

  1. Each Windows domain to be monitored with WMIC requires a monitoring account. Add a user to your domain for this if necessary, and then enable it for remote access to your systems. 

    You need to be a member of Domain Admin to do this, and these steps are not always correct for all versions of Windows. For more information about security settings and requirements in MS Windows, please see the check_wmi_plus documentation https://edcint.co.nz/checkwmiplus/faq/how-do-i-setup-the-windows-user-for-wmic-or-what-permissions-do-i-need/.

  2. Open the WMI Control console:

    • Click Start, click Run, type wmimgmt.msc, then click OK.

    • Right-click WMI Control, click Properties, and click the Security tab. 
    • Expand Root and select WMI.
    • Click the Security button, select Authenticated Users, and click Add.
    • Select the object type, locations, enter and check names, and click OK:
    • Allow or deny the following, then click Apply and OK:

      Execute Methods (enable)
      Full Write (disable)
      Partial Write (disable)
      Provider Write (disable)
      Enable Account (enable)
      Remote Enable (enable)
      Read Security (enable)
      Edit Security (disable)


  3. At this point, your Windows domain should be ready for monitoring with check_wmi_plus. Next, you will need to configure GroundWork to run the plugin. From the GroundWork Monitor interface, go to Configuration > Nagios Monitoring > Profiles. Expand Profile importer, and select New > Import > Windows. Then select the service-profile-Windows-WMIC-based-checks.xml service profile. Click Import. You should see a success message.
  4. On the GroundWork 8 server command line, create (or edit) the authfile containing the username, password and domain, for example:

    cd gw8
    docker exec -it dockergw8_nagios_1 /bin/bash
    cd /usr/local/nagios/libexec/check_wmi_plus/
    vi authfile

    The format is:

    username=myusername
    password=mypassword
    domain=mydomain
    • You can use a different filename, or a subdirectory of the check_wmi_plus directory if you like. Note that the password you enter will be readable by the user you set up to run GroundWork 8 and by the superuser on the GroundWork 8 host, as it resides in a Docker volume. It won't show up on any monitored Windows host or in any check commands.

  5. Set the Nagios USER9 macro to the full path to the authfile:
    • In GroundWork Monitor go to Configuration > Nagios Monitoring > Control, and select Nagios resource macros. Then select the macro USER9 and enter the path, e.g., /usr/local/nagios/libexec/check_wmi_plus/authfile as the value. Click Update.
  6. To test the plugin from the terminal on the gw8 server, you can run it directly, for example: 

    docker-compose exec nagios /usr/local/nagios/libexec/check_wmi_plus.pl -H 10.1.13.55 -A /usr/local/nagios/libexec/check_wmi_plus/authfile -m checkcpu -w 50 -c 80
    OK (Sample Period 183 sec) -Average CPU Utilisation 13.83%|'Avg CPU Utilisation'=13.83%;50;80;
  7. Then, from GroundWork Monitor go to Configuration > Nagios Monitoring > Hosts > Host Group, select a Windows host to monitor and apply the profile you loaded. You can test from the Service Check tab with the Test button, for example:
  8. Adjust the profile to your liking and apply it to your Windows hosts, just as you would any GroundWork profile. Don't forget to Commit (Configuration > Nagios Monitoring > Control > Commit) the configuration changes.
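
A pre-flight check for the authfile from steps 4 and 5, as an added example that is not part of the GroundWork or check_wmi_plus distribution: it verifies the three-line format and flags permissions that expose the password beyond the file owner. The function name check_authfile, the sample values, and the owner-only permission target are assumptions made here.

```shell
#!/bin/sh
# Added example: lint a check_wmi_plus authfile before USER9 points at it.
# Assumptions: the file holds only the three key=value lines shown in step 4,
# and owner-only permissions are the local hardening target.

check_authfile() {
    f=$1
    rc=0
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo "MISSING: $f"
        return 1
    fi
    # Each key must appear exactly once with a non-empty value.
    for key in username password domain; do
        n=$(grep -c "^${key}=." "$f" || true)
        if [ "$n" -ne 1 ]; then
            echo "FORMAT: expected one non-empty ${key}= line, found $n"
            rc=1
        fi
    done
    # Report stray lines by number only; never echo content (it may be a password).
    stray=$(grep -n -v -E '^(username|password|domain)=|^[[:space:]]*$' "$f" \
        | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$stray" ]; then
        echo "FORMAT: unexpected content on line(s): $stray"
        rc=1
    fi
    # Octal mode via GNU stat, falling back to BSD stat.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *00|0) ;;   # no group/other permission bits set
        *) echo "PERMS: mode $mode lets group/other users reach the password"
           rc=1 ;;
    esac
    return $rc
}

# Demo on a constructed file (values are made up, not real credentials).
demo=$(mktemp)
printf 'username=gwmonitor\npassword=constructed-example\ndomain=EXAMPLE\n' > "$demo"
chmod 600 "$demo"
check_authfile "$demo" && echo "authfile OK"
rm -f "$demo"
```

Run it inside the nagios container against the same path you entered for USER9.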
