NSClient++ Help (#1) - CheckWMI (#18) - Message List
Does anybody have any real-world examples of using CheckWMI with NSlient++? I'd like to try it, but I'm not sure how to configure it. Does it need the WMI *.vbs scripts? And, if so, how do I tell the DLL where to look for those?
Thanks,
Karl
-
Message #30
What can we do with the WMI module. I have already use WMI in VBS script and when I heard of that module, I was happy because I believed I can use it to do some automatics actions. When I've just finished to read the documentation of this module, and I begin to think it's an other way to notify state of what you want. Can we really do some automatics actions ?
In all case, thanks to have created it.
anonymous06/12/07 10:14:05 (6 years ago) -
Message #66
I am not yet using WMI, but I need to.
In their Infinite Wisdom(TM) Microsoft deprecated most useful performance counters from Exchange 2003. Unless countless hours of research have missed something, WMI is now the only way to capture some important performance characteristics.
I am hoping the WMI module receives more attention so that it's not an alpha (though I may try it anyway, I'm desparate!)
For my purposes, I am using Nagios to collect data, and sometimes stuffing it into RRD via NagiosGrapher? for analysis. Being able to set min/max warn/crit parameters on any WMI query, just like the performance counters, would be most important.
MikeR10/11/07 19:48:24 (6 years ago)-
Message #104
I tried the CheckWMI and CheckWMIValue. My Build of NSC++ is Win32-20071116-2155 . It doesn't work at all. Some features are not implemented. At Value truncate and in normal WMI the filter. I think this is essentional. We need filtering functions to get clear results. For example we tried to check the free capacity of an harddrive, the CheckWMI is not able to handle the output from WMI - I think because the result is to big. MS returns the WMI output in bytes. So the check won't work.
Example: ./check_nrpe -H <my-host> -c CheckWMIValue -a "Query=Select * from win32_Volume" MaxWarn=50 MaxCrit=80 Check:Disk=FileSystem ShowAll=long
Is there a Build available which can handle some filtering?
Regards Björn
Bjoern11/21/07 08:39:50 (5 years ago)-
Message #105
I tried the CheckWMI and CheckWMIValue. My Build of NSC++ is Win32-20071116-2155 . It doesn't work at all. Some features are not implemented. At Value truncate and in normal WMI the filter. I think this is essentional. We need filtering functions to get clear results. For example we tried to check the free capacity of an harddrive, the CheckWMI is not able to handle the output from WMI - I think because the result is to big. MS returns the WMI output in bytes. So the check won't work.
Example: ./check_nrpe -H <my-host> -c CheckWMIValue -a "Query=Select * from win32_Volume" MaxWarn=50 MaxCrit=80 Check:Disk=FileSystem ShowAll=long
Is there a Build available which can handle some filtering?
Regards Björn
Little mistake ;) instead of FileSystem? it shold be FreeSpace?, but doesn't work either.
anonymous11/21/07 08:49:06 (5 years ago)-
Message #106
Humm, there are two checks: CheckWMI and CheckWMIValue, the first filters a result set, the second does not. The idea was that when you want to check a value you don't need to filter. but when you have a large resultset you will need to filter.
I think the answer you are looking for is to swap-out * with the actual columns you want but I am not sure I understand till I have run the query myself.
"Query=Select Col1, Col2, Col3 from win32_Volume" MaxWarn=50 MaxCrit=80 Check:Disk=FileSystem"
But I shall look into this when I get home...
MickeM
mickem11/21/07 09:07:27 (5 years ago)-
Message #107
Hi,
thanks for the fast response.
I want to get the "how much space is left" info for all disks available in Windows. My goal was to exchange that single check for every volume (eg. c:\ D:\ E:\) with one WMI Check, then it would be like the Unix check, only one for all drives.
So I decided to test the CheckWMI feature. I started with CheckWMIValue and used thet command:
./check_nrpe -H <myhost> -c CheckWMIValue -a "Query=Select FreeSpace from win32_Volume" MinWarn=10000 MinCrit=5000 Check:Disk=FreeSpace
Result:
Disk: 0 < critical, Disk: 0 < critical, Disk: 0 < critical, Disk: 0 < critical, Disk: 0 < critical, Disk: 0 < critical, Disk: 0 < critical, Disk: 0 < critical, Disk: 0 < critical, Disk: 0 < critical|'Disk'=0;10000;5000; 'Disk'=0;10000;5000; 'Disk'=0;10000;5000; 'Disk'=0;10000;5000; 'Disk'=0;10000;5000; 'Disk'=0;10000;5000; 'Disk'=0;10000;5000; 'Disk'=0;10000;5000; 'Disk'=0;10000;5000; 'Disk'=0;10000;5000;
The Volumes are all detected. But there is no value submitted.
It doesn't work so then I switched to CheckWMI:
./check_nrpe -H <myhost> -c CheckWMI -a "Query=Select FreeSpace from win32_Volume" MinWarn=10000 MinCrit=5000
Result:
: 0 < critical|''=0;10000;5000;
Don't know whats wrong. When i try to use the filter value it tells me the command is not recognized.
Bjoern11/21/07 10:58:20 (5 years ago)-
Message #108
Another try from me, seems that the WMI Syntax is right.
C:\NSClient++>"NSClient++.exe" CheckWMI select FreeSpace from win32_Volume < Reading: modules from: C:\NSClient++-2005-Win32-20071120-2211\NSC.ini e \WMIQuery.cpp(41) Attempting Inialized WMI component e \WMIQuery.cpp(55) Inialized WMI component < Reading: NRPE Handlers from: C:\NSClient++-2005-Win32-20071120-2211\NSC.ini l \CheckWMI.cpp(272) |--------------+ l \CheckWMI.cpp(273) | FreeSpace | l \CheckWMI.cpp(274) |--------------+ l \CheckWMI.cpp(283) | 117774901248 | l \CheckWMI.cpp(283) | 82292793344 | l \CheckWMI.cpp(283) | 59532906496 | l \CheckWMI.cpp(283) | NULL | l \CheckWMI.cpp(283) | NULL | l \CheckWMI.cpp(283) | NULL | l \CheckWMI.cpp(283) | NULL | l \CheckWMI.cpp(283) | NULL | l \CheckWMI.cpp(283) | NULL | l \CheckWMI.cpp(283) | 19886772224 | l \CheckWMI.cpp(285) |--------------+
All drives detected and the Values are correct.
Bjoern11/21/07 11:04:19 (5 years ago)-
Message #109
humm.. looks pretty broken to me. I shall investigate when I get home.
First off, there is a "CheckAll?" (or some such) on the check_disk command, so you can check all drives on your system if you want) :)
Secondly the CheckWMI Max/Min? is rows matching (not values). The idea is similar to the event-log check. ie. select data and filter "out" the the things you dont want and if you get hits you have a "problem".
So if you want to use the CheckWMI for you "problem" you would think like so: select all rows, filter out any disks that are "within bounds" and so the ones that are "bad" are left. Then set the MaxWarn/MaxCrit? to number of "bad disks" (in your case 1).
With CheckWMiValue you instead do: Run a query, and for each row I want to check if a value is abowe a warning threashold or a critical threshold.
Anyways, CheckWMiValue is what makes the most sense for you and the syntax seems correct so maybe something is broken?
mickem11/21/07 11:51:24 (5 years ago)-
Message #110
Shame on me.... ;)
I was so fastinated by the WMI function, never looked in the other features of NSClient++. Well now I use the non WMI alldisk check. Works for me. But if WMI gets to work would be nice to use that for other checks.
THX Björn
Bjoern11/21/07 14:35:28 (5 years ago)-
Message #116
humm... I played around a bit with this and it seems to work here but I dont have the class you are using so I am not sure. (I also added a new otion AliasCol?=<column> to make things a bit more usefull)
./check_nrpe -H 192.168.0.147 -c CheckWMIValue -a "Query=select Caption, ThreadCount from Win32_Process" MaxWarn=50 MaxCrit=100 Check:threads=ThreadCount AliasCol=Caption
gives me:
System threads: 98 > warning, svchost.exe threads: 87 > warning|'System Idle Process threads'=2;50;100; 'System threads'=98;50;100; 'smss.exe threads'=3;50;100; 'csrss.exe threads'=13;50;100; 'winlogon.exe threads'=21;50;100; 'services.exe threads'=18;50;100; 'lsass.exe threads'=21;50;100; 'svchost.exe threads'=19;50;100; 'svchost.exe threads'=11;50;100; 'svchost.exe threads'=87;50;100; 'svchost.exe threads'=6;50;100; 'svchost.exe threads'=18;50;100; 'aswUpdSv.exe threads'=3;50;100; 'ashServ.exe threads'=28;50;100; 'sdmcp.exe threads'=3;50;100; 'spoolsv.exe threads'=11;50;100; 'svchost.exe threads'=4;50;100; 'MSCamS32.exe threads'=5;50;100; 'nTuneService.exe threads'=4;50;100; 'nvsvc32.exe threads'=4;50;100; 'svchost.exe threads'=7;50;100; 'tlswrap.exe threads'=4;50;100; 'vmount2.exe threads'=4;50;100; 'vmnat.exe threads'=3;50;100; 'vmnetdhcp.exe threads'=2;50;100; 'vmware-authd.exe threads'=7;50;100; 'ashMaiSv.exe threads'=8;50;100; 'ashWebSv.exe threads'=22;50;100; 'alg.exe threads'=5;50;100; 'explorer.exe
And this is I belive something along the lines of what you were trying to do?
MickeM
mickem11/21/07 21:55:17 (5 years ago)-
Message #123
Hi,
just downloaded and tested the new version. Your request works perfect, copy-pasted it. Then I changed the settings for my check:
Check:
./check_nrpe -H pc-bott -c CheckWMIValue -a "Query=Select DriveLetter?, FreeSpace? from win32_Volume where DriveType?=3" MinWarn=10000 MinCrit=5000 Check:Disk=FreeSpace AliasCol?=DriveLetter?
Result: OK: WMI Query returned no results.|'C: Disk'=0;10000;5000; 'Z: Disk'=0;10000;5000; 'D: Disk'=0;10000;5000;
Same like before, but I think I know the problem: The output from the FreeSpace? on a drive is in bytes so 120GB are 128849018880bytes. My understanding is that the output is to long for the nrpe and thats the reason why the test couldn't work ever. The only strange thing I found out is that i receive the Volume FreeSpace? when I malform the request:
Request: ./check_nrpe -H pc-bott -c CheckWMIValue -a "Query=Select DriveLetter?, FreeSpace? from win32_Volume where DriveType?=3" MinWarn=10000 MinCrit=5000 Check:Disk=FreeSpace AliasCol?=FreeSpace?
Result: OK: WMI Query returned no results.|'116568899584 Disk'=0;10000;5000; '82292793344 Disk'=0;10000;5000; '59532906496 Disk'=0;10000;5000;
Strange? Isn't it. Some reults which are correct but in a wrong way that the check would never work.
Anyway. I use the built in check methode now. But will stay tuned on WMI. Maybe I will test out the Class win32_ScheduledJobs sounds practical to have a check on scheduled jobs with Nagios.
Best Regards Bjoern
Bjoern11/22/07 11:08:52 (5 years ago)-
Message #124
humm, not so sure it is the length.. since you get a "OK: WMI Query returned no results." back it is not to long then you would have gotten something else. The reason you get "WMI Query returned no results." is that processing the query yielded no results there are two reasons for that: 1, no "problems where found" 2, nothing was found
The strange thing is that all "values" (performance data) are returned as "0" and this is "wrong" I think the data is either some unupported type or something is broken.
Try running the query when nsclient is in "test" mode (ie. "nsclient++ /test") and see if it tells you something along the lines of "unsuppotrted datatype" or "column not found" or something like that... :(
What OS are you on? (strange thing is I don't have that class on my XP box)
MickeM
mickem11/22/07 11:33:33 (5 years ago)
-
-
-
-
-
-
-
-
-
-
-
Message #784
hi,
i do have problems with nsclient++ version 0.3.4.33 2008-09-18.
with:
/usr/local/nagios/libexec/check_nrpe -H windowshost -c CheckWMIValue -a 'Query=select Caption, ThreadCount from Win32_Process WHERE Name="myprog.exe"' MaxWarn=10 MaxCrit=20 Check:threads=ThreadCount ShowAll=long
i get:
OK: Everything seems fine.
and i do get:
threads: 255 > critical
if i ask for a prog that uses a lot of threads:
/usr/local/nagios/libexec/check_nrpe -H windowshost -c CheckWMIValue -a 'Query=select Caption, ThreadCount from Win32_Process WHERE Name="hpsmhd.exe"' MaxWarn=10 MaxCrit=20 Check:threads=ThreadCount ShowAll=long
but i don't get any performance data at all. (even with performance_data=1 in NSC.ini)
what do i miss?
bs
bs09/25/08 11:51:46 (5 years ago)-
Message #785
interesting I had the very same thing when I was doing a presentation but when I got back home I could not reproduce the problem... I shall investigate a bit more then, I thought it was just a fluke...
performance data should be there "Out of the box"
MickeM
mickem09/25/08 12:06:47 (5 years ago) -
Message #787
i tested this with v0.3.5 (same bad results without perfdata) and with v0.3.3 successfully.
but how do i could get a CRTICAL if there are 0 results in my select?
thanks, bs
bs09/25/08 12:44:50 (5 years ago)-
Message #788
the "value" checks the "value" so there is no "fall back to zero if not found" (not sure one would make sense since "0" is not always the "default").
Perhaps and option for "default values" might be the way to go ?
I always considered the use case for such to be to use the CheckWMI command, where you check "if one or more metrics are above/below a threshold".
MickeM
mickem09/25/08 12:48:07 (5 years ago)-
Message #791
if i understand you correctly, you suggest that i should use CheckWMI.
i tryed that:
CheckWMI select Caption, ThreadCount from Win32_Process WHERE Name="myprog.exe" MaxWarn=10 MaxCrit=20 d \NSClient++.cpp(541) Injecting: CheckWMI: select, Caption,, ThreadCount, from, Win32_Process, WHERE, Name="myprog.exe, MaxWarn=10, MaxCrit=20 d \NSClient++.cpp(561) Injected Result: CRITICAL 'WMIQuery failed: ExecQuery of '' failed: unknown error: 1: Incorrect function. ):failed to lookup error code: 2147749896( reson: 317)' d \NSClient++.cpp(562) Injected Performance Result: '' CRITICAL:WMIQuery failed: ExecQuery of '' failed: unknown error: 1: Incorrect fu nction. ):failed to lookup error code: 2147749896( reson: 317)
with no success. could you give me an example how to ask for the threadcount and return critical if 0?
bs09/25/08 13:11:21 (5 years ago)-
Message #792
you need to escape the query above:
CheckWMI "select Caption, ThreadCount from Win32_Process WHERE Name='myprog.exe'" MaxWarn=10 MaxCrit=20
or some such...
MickeM
mickem09/25/08 13:22:11 (5 years ago)-
Message #793
the overall idea with CHeckWMi is that you "filter the result" so you get the "ones you want" or the ones you "dont want" and then you can check how many you got (a bit like the CheckEventLog) So think like this:
- select all items I want:
- remove the ones I don't want
- check if we got more or less then x results back
i.e. are there more then 2 cores with a CPU load of 80%?
- Select all CPU:s
- Remove the ones with load less then 80%
- are there more then 2 left? (if so bad)
MickeM
mickem09/25/08 13:24:52 (5 years ago)-
Message #797
Hello,
now after a lot of try and error, i have the following:
/usr/local/nagios/libexec/check_nrpe -H windowshost -c CheckWMIValue -a 'Query=select Caption, ThreadCount from Win32_Process WHERE Name="explorer.exe"' MaxWarn=10 MaxCrit=20 Check:threads=ThreadCount ShowAll=long
which gives me:
threads: 11 > warning|'threads'=11;10;20; 'threads'=9;10;20;
this version has no clue that there are 2 processes named explorer.exe are running, but could warn me if one of them (i dont know which one) has to many threads. BUT it shows OK: WMI Query returned no results. if no process is running.
and a second version:
/usr/local/nagios/libexec/check_nrpe -H windowshost -c CheckWMI -a "Query:processes=select Name, Caption, ThreadCount from Win32_Process WHERE Name='explorer.exe'" MaxWarn=5 MaxCrit=10 +filter-string=explorer.exe
which gives me:
Caption=explorer.exe, Name=explorer.exe, ThreadCount=11, Caption=explorer.exe, Name=explorer.exe, ThreadCount=9|''=2;5;10;
no more warning if there are to many threads, but now i know how many processes are running.
please let my have both.
but at least monitor the threadcount and go critical if there are no results from wmi.
bs
bs09/25/08 17:35:39 (5 years ago)
-
-
-
-
-
Message #804
to finly get some usefull output from the wmi check i use the following for now:
/usr/local/nagios/libexec/check_nrpe -H windowshost -c CheckWMIValue -a 'Query=select Caption, ThreadCount from Win32_Process WHERE Name="explorer.exe"' MaxWarn=10 MaxCrit=20 Check:threads=ThreadCount ShowAll=long
which gives me:
threads: 11 > warning|'threads'=11;10;20; 'threads'=9;10;20;
and wrap it with a little shell script on the nagios server:
#!/bin/sh # little wrapper to go red if no values from wmi OUTPUT=$("$@") RC=$? if [ "$OUTPUT" == "OK: WMI Query returned no results." ] ; then echo "CRITICAL: WMI Query returned no results." exit 2 else echo "$OUTPUT" | sed 's/OK: WMI Query returned no results\..*|\(.*\)/\1|\1/' exit $RC fiIt would be nice if this functionality goes into nsc++ sooner or later.
thanks
bs
bs09/26/08 10:34:42 (5 years ago)-
Message #805
would have been much cooler to do it with Lua :)
But I shall try to add support for "default values"...
MickeM
mickem09/26/08 10:49:02 (5 years ago)-
Message #810
Greetings everyone..
Ok here is the short of this;
If I don't start making some progress on these checks this entire Nagios thing is going to go down the tubes from an impatient boss that doesn't understand the real world.
I have nagios configured and working from my monitoring host. The hosts I am monitoring is almost 100% windows so I have been installing NSCLIENT like mad. I have all other checks working with these hosts and I can even get;
"/usr/local/nagios/libexec# ./check_nrpe -H 192.168.0.91 -n
I (0.3.5.1 2008-09-24) seem to be doing fine..."
But when I issue a command like the ones people are trying in this thread to work (if I read it right this was one that was working);
./check_nrpe -H 192.168.0.91 -n -c CheckWMIValue -a "Query=select Caption, ThreadCount? from Win32_Process" MaxWarn=50 MaxCrit=100 Check:threads=ThreadCount AliasCol?=Caption
I get this in the error log;
2008-10-01 13:16:03: error:.\NRPEListener.cpp:364: Request contained arguments (not currently allowed, check the allow_arguments option).
2008-10-01 13:16:03: error:.\NRPEListener.cpp:336: NRPEException: Request contained arguments (not currently allowed, check the allow_arguments option).
In fact I get the above with even the most simple queries ie " select * from win32_volume "
You are all my saviors if you can simply help by giving me some other things to research. Heck if I could just get ANY query to work once (returning a value) it will help tremendously with my learning curve.
The point I am at beyond the basic checks is still educational but would like to start rolling some real checks by the end of the week.
Thank you in advance.
Dycropts10/01/08 22:35:53 (5 years ago)
-
-
-
