WMI added checks for virus checking

Description

Monitors Exchange Virus Services on a Windows server using Windows Management Instrumentation (WMI). The Nagios server uses the Nagios Remote Plugin Executor (NRPE) to communicate with the WMI proxy server, which queries the monitored Windows server for measurements and status using WMI. Additionally, you may want to refer to the WMI Monitoring documentation.

This project consists of a collection of script monitors (.vbs for starters) that use the Microsoft .NET Framework and WMI to retrieve performance data from remote Windows hosts without the need for agents on the remote hosts.

The nrpe.cfg file on the Windows server maps commands issued by the GroundWork server to scripts in the c:\nrpe_nt directory. The commands issued by this profile are installed with this package. If new NRPE commands are added, this file must be modified.

The WMI proxy server must be in the same domain as the target monitored Windows server, and must have administrator rights.

Profile Package

This package includes the following files:

  • Profile definition: service-profile-wmi-exchange-virus.xml

  • Plugin scripts (installed on the GroundWork server): check_nrpe

  • WMI script (installed on the WMI Proxy server): nrpe_nt.zip

Installation

GroundWork Monitor includes many monitoring profiles for a variety of devices, systems and applications. Some profiles are pre-imported on a new GroundWork installation and others are distributed with the product. The configuration tool is used to import updated profiles and profiles that require additional setup. Services can also be imported; see Importing Profiles.

Services Configuration

For plugin details, you can run the service help command from within the nagios container. For example:

  • From the gw8 directory, get to the nagios container: docker-compose exec -u 1000 nagios bash

  • Change to the libexec directory: cd /usr/local/nagios/libexec

  • Enter a service help command, e.g., ./check_snmp --help, to receive help content.

Service/Command Line/Plugin Command: This column lists the Service Definition name, Service Command name with arguments to be passed to the plugin, and the Plugin Command line which is the plugin script called by Nagios for the service.

Command Parameters: Command parameters are in the configuration services section with the following names and default values.

  • wmi_VirusScanFilesCleanedPersec

  • check_wmi_counter_counter!Win32_PerfRawData_MSExchangeIS_MSExchangeIS!*!VirusScanFilesCleanedPersec!200!400

  • $USER1$/check_nrpe -t 60 -H $USER21$ -c get_counter_counter -a "$HOSTADDRESS$" "$ARG1$" "$ARG2$" "$ARG3$" "$ARG4$" "$ARG5$"

Uses the check_nrpe plugin to connect to NRPE on $USER21$ and execute the get_counter_counter command, as defined in nrpe.cfg, against the host $HOSTADDRESS$.

  • $ARG1$: WMI Class Name

  • $ARG2$: Matching Instance (* is all)

  • $ARG3$: WMI Property for threshold comparison

  • $ARG4$: Warning threshold

  • $ARG5$: Critical threshold

  • wmi_VirusScanFilesQuarantinedPersec

  • check_wmi_counter_counter!Win32_PerfRawData_MSExchangeIS_MSExchangeIS!*!VirusScanFilesQuarantinedPersec!200!400

  • $USER1$/check_nrpe -t 60 -H $USER21$ -c get_counter_counter -a "$HOSTADDRESS$" "$ARG1$" "$ARG2$" "$ARG3$" "$ARG4$" "$ARG5$"


  • wmi_VirusScanMessagesCleanedPersec

  • check_wmi_counter_counter!Win32_PerfRawData_MSExchangeIS_MSExchangeIS!*!VirusScanMessagesCleanedPersec!200!400

  • $USER1$/check_nrpe -t 60 -H $USER21$ -c get_counter_counter -a "$HOSTADDRESS$" "$ARG1$" "$ARG2$" "$ARG3$" "$ARG4$" "$ARG5$"


  • wmi_VirusScanMessagesQuarantinedPersec

  • check_wmi_counter_counter!Win32_PerfRawData_MSExchangeIS_MSExchangeIS!*!VirusScanMessagesQuarantinedPersec!200!400

  • $USER1$/check_nrpe -t 60 -H $USER21$ -c get_counter_counter -a "$HOSTADDRESS$" "$ARG1$" "$ARG2$" "$ARG3$" "$ARG4$" "$ARG5$"


  • wmi_VirusScanQueueLength

  • check_wmi_counter_rawcount!Win32_PerfRawData_MSExchangeIS_MSExchangeIS!*!VirusScanQueueLength!200!400

  • $USER1$/check_nrpe -t 60 -H $USER21$ -c get_counter_rawcount -a "$HOSTADDRESS$" "$ARG1$" "$ARG2$" "$ARG3$" "$ARG4$" "$ARG5$"

Uses the check_nrpe plugin to connect to NRPE on $USER21$ and execute the get_counter_rawcount command, as defined in nrpe.cfg, against the host $HOSTADDRESS$.

  • $ARG1$: WMI Class Name

  • $ARG2$: Matching Instance (* is all)

  • $ARG3$: WMI Property for threshold comparison

  • $ARG4$: Warning threshold

  • $ARG5$: Critical threshold
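The following Python script is an added example, not part of the GroundWork package: it checks a service check_command from this profile before deployment and shows the check_nrpe argument list that results once the five "!"-separated fields are mapped to $ARG1$ through $ARG5$. The macro values, the allowed character sets, the integer-only thresholds and the rule that the warning threshold must not exceed the critical one are assumptions made for this example.

```python
import re
import shlex

# Command lines as listed on this page, keyed by Nagios command name.
_TEMPLATE = ('$USER1$/check_nrpe -t 60 -H $USER21$ -c {nrpe_cmd} -a "$HOSTADDRESS$" '
             '"$ARG1$" "$ARG2$" "$ARG3$" "$ARG4$" "$ARG5$"')
COMMANDS = {
    "check_wmi_counter_counter": _TEMPLATE.format(nrpe_cmd="get_counter_counter"),
    "check_wmi_counter_rawcount": _TEMPLATE.format(nrpe_cmd="get_counter_rawcount"),
}

# Constructed sample macro values (assumptions, not taken from the page).
MACROS = {
    "USER1": "/usr/local/nagios/libexec",  # plugin directory
    "USER21": "192.0.2.10",                # WMI proxy server running NRPE
    "HOSTADDRESS": "192.0.2.20",           # monitored Exchange server
}

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")   # WMI class and property names
INSTANCE = re.compile(r"\*|[A-Za-z0-9_ .-]+")   # "*" or a plain name (assumed charset)
NUMBER = re.compile(r"[0-9]+")                  # thresholds as used on this page


def expand(check_command, macros=MACROS):
    """Validate a service check_command and return the check_nrpe argv list."""
    name, *args = check_command.split("!")
    if name not in COMMANDS:
        raise ValueError(f"unknown command: {name!r}")
    if len(args) != 5:
        raise ValueError(f"{name}: expected 5 arguments, got {len(args)}")
    cls, instance, prop, warn, crit = args
    if not (IDENT.fullmatch(cls) and IDENT.fullmatch(prop)):
        raise ValueError(f"{name}: class/property must be plain identifiers")
    if not INSTANCE.fullmatch(instance):
        raise ValueError(f"{name}: unexpected characters in instance {instance!r}")
    if not (NUMBER.fullmatch(warn) and NUMBER.fullmatch(crit)):
        raise ValueError(f"{name}: thresholds must be non-negative integers")
    if int(warn) > int(crit):  # assumption: higher values are worse
        raise ValueError(f"{name}: warning {warn} exceeds critical {crit}")
    values = dict(macros, **{f"ARG{i}": a for i, a in enumerate(args, 1)})
    # Tokenise the template first, then substitute inside each token, so a
    # macro value can never introduce an extra argument.
    return [re.sub(r"\$(\w+)\$", lambda m: values[m.group(1)], tok)
            for tok in shlex.split(COMMANDS[name])]
```

Returning an argument list rather than a single string keeps each value in its own argument when the result is handed to a process launcher without a shell.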

Related Resources