CheckWMI
CheckWMI is part of the wiki:CheckWMI module.
New version that is *a lot* more useful (I hope). It is still alpha and needs more testing, but I would like to get some initial feedback on the syntax and such. Also feel free to try it out and report bugs to me (you might want to keep track of memory and such, as I have not done so myself yet). To debug and help you set up your queries there is also a command line interface to run queries and see the result.
nsclient++ CheckWMI <query>
The syntax for this is similar to CheckEventLog but simplified, so I hope it will be easier to use and understand.
This check enumerates all rows returned from your query, filters the results, and checks the count against a set warn and crit threshold. If you want to check a value there will soon be a separate check for that. This is designed to find "anomalies" in result sets.
| Option | Values | Description |
| filter | any, all | Specify the way you want to filter things. (See section below) Not yet implemented (default is all) |
| truncate | length of the returned set | This will truncate the output after the specified length. As NRPE can only handle 1024 chars you need to truncate the output. |
| MaxWarn | number of records | The maximum records to allow before reporting a warning state. |
| MaxCrit | number of records | The maximum records to allow before reporting a critical state. |
| <mode>filter-<type>:<Column> | <filter value> | A number of strings to use for filtering the event log |
| namespace | root\cimv2 | Namespace to use when querying |
| Alias | | Alias to use for returned data |
| columnSeparator | ", " | Field separator in the returned string. |
| columnSyntax | | Syntax for the returned message. |
Filters
Capturing result entries (or discarding them) is done with filters. There are three kinds of filters:
* positive requirements (+): All these filters must match or the row is discarded.
* negative requirements (-): None of these filters can match (if any do, the row is discarded).
* normal matches (.): If this matches, the line is included.
The syntax of the filter is: <mode>filter-<type>:<Column>=<expression>
Filter <Mode>s
| <mode> | title | description |
| + | required filter | If you miss this filter the line is discarded |
| . | normal filter | If this filter hits, the line is included |
| - | negative filter | If a line hits this it is discarded |
Filter <Type>s
| <type> | Value | Description |
| string | string expression | Match the column against a string expression |
| numeric | numeric expression | Match the column against a numeric expression |
Filter <Column>s
A Column (if specified) will make the filter work against a specific column in the result set.
string expression
A string expression is a key followed by a string that specifies a string expression. Currently substr and regexp are supported. Thus you enter filter.message=regexp:(foo|bar) to enter a regular expression and filter-message=substr:foo to enter a substring pattern match.
columnSyntax
The column syntax field can be used to alter the rendered output. It has the following keys (everything else will be a string):
| Key | Description |
| %column% | The name of the current column |
| %value% | The value |
| %<column>% | The value of a named column |
Examples
A sample query
A not very useful check which serves to illustrate how to use the command. Check to see if there are 2 CPUs (or cores) present.
Sample Command:
CheckWMI MaxCrit=3 MinWarn=1 "Query=Select * from win32_Processor"
WARNING: WARNING:: 1 < warning
Nagios Configuration:
define command {
command_name <<CheckWMI>>
command_line check_nrpe -H $HOSTADDRESS$ -p 5666 -c CheckWMI -a MaxCrit=3 MinWarn=1 "Query=Select * from win32_Processor"
}
<<CheckWMI>>
From Commandline (with NRPE):
check_nrpe -H IP -p 5666 -c CheckWMI -a MaxCrit=3 MinWarn=1 "Query=Select * from win32_Processor"
Using Query Alias
Adding a query alias to the not very useful check above (the alias is cpu).
Sample Command:
CheckWMI MaxCrit=3 MinWarn=1 "Query:cpu=Select * from win32_Processor"
WARNING: WARNING:: cpu: 1 < warning
Nagios Configuration:
define command {
command_name <<CheckWMI>>
command_line check_nrpe -H $HOSTADDRESS$ -p 5666 -c CheckWMI -a MaxCrit=3 MinWarn=1 "Query:cpu=Select * from win32_Processor"
}
<<CheckWMI>>
From Commandline (with NRPE):
check_nrpe -H IP -p 5666 -c CheckWMI -a MaxCrit=3 MinWarn=1 "Query:cpu=Select * from win32_Processor"
Overriding Query Alias
Overriding the previous query alias with foobar.
Sample Command:
CheckWMI MaxCrit=3 MinWarn=1 "Query:cpu=Select * from win32_Processor" Alias=foobar
WARNING: WARNING:: foobar: 1 < warning
Nagios Configuration:
define command {
command_name <<CheckWMI>>
command_line check_nrpe -H $HOSTADDRESS$ -p 5666 -c CheckWMI -a MaxCrit=3 MinWarn=1 "Query:cpu=Select * from win32_Processor" Alias=foobar
}
<<CheckWMI>>
From Commandline (with NRPE):
check_nrpe -H IP -p 5666 -c CheckWMI -a MaxCrit=3 MinWarn=1 "Query:cpu=Select * from win32_Processor" Alias=foobar
Checking With filters
This uses the Win32_UserAccount object to find enabled users whose passwords are set to never expire (PasswordExpires is false).
Sample Command:
CheckWMI MaxCrit=3 MaxWarn=1 "Query:badUsers=Select Name, PasswordExpires, Disabled from Win32_UserAccount" "columnSyntax=%Name%" "columnSeparator= & " +filter-numeric:PasswordExpires==0 +filter-numeric:Disabled==0
WARNING: WARNING:mickem & Xiqun Liao
Nagios Configuration:
define command {
command_name <<CheckWMI>>
command_line check_nrpe -H $HOSTADDRESS$ -p 5666 -c CheckWMI -a MaxCrit=3 MaxWarn=1 "Query:badUsers=Select Name, PasswordExpires, Disabled from Win32_UserAccount" "columnSyntax=%Name%" "columnSeparator= & " +filter-numeric:PasswordExpires==0 +filter-numeric:Disabled==0
}
<<CheckWMI>>
From Commandline (with NRPE):
check_nrpe -H IP -p 5666 -c CheckWMI -a MaxCrit=3 MaxWarn=1 "Query:badUsers=Select Name, PasswordExpires, Disabled from Win32_UserAccount" "columnSyntax=%Name%" "columnSeparator= & " +filter-numeric:PasswordExpires==0 +filter-numeric:Disabled==0
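The filter rules from the Filters section applied to the check above, as an added example (a Python model, not NSClient++ code): it parses <mode>filter-<type>:<Column>=<expression> arguments and compares the surviving row count with MaxWarn and MaxCrit. The rows are constructed; handling only the =<n> numeric form, treating a count above a threshold as a breach, and requiring one hit among normal filters when any are given are assumptions.

```python
import re

# Constructed rows standing in for:
#   Select Name, PasswordExpires, Disabled from Win32_UserAccount
ROWS = [
    {"Name": "mickem", "PasswordExpires": 0, "Disabled": 0},
    {"Name": "Guest", "PasswordExpires": 0, "Disabled": 1},
    {"Name": "svc_backup", "PasswordExpires": 0, "Disabled": 0},
    {"Name": "alice", "PasswordExpires": 1, "Disabled": 0},
]
FILTER_RE = re.compile(r"^([+.\-])filter-(string|numeric):([^=]*)=(.*)$")

def parse_filter(arg):
    """Split '<mode>filter-<type>:<Column>=<expression>' into its four parts."""
    m = FILTER_RE.match(arg)
    if not m:
        raise ValueError("not a filter argument: %r" % arg)
    return m.groups()

def hits(ftype, column, expr, row):
    """True if expr matches the named column (any column when none is named)."""
    values = [row[column]] if column else list(row.values())
    if ftype == "numeric":  # assumption: only '=<n>' is modeled, as in the sample
        if not expr.startswith("="):
            raise ValueError("unsupported numeric expression: %r" % expr)
        target = int(expr[1:])
        return any(isinstance(v, int) and v == target for v in values)
    key, _, pattern = expr.partition(":")
    if key == "substr":
        return any(pattern in str(v) for v in values)
    if key == "regexp":
        return any(re.search(pattern, str(v)) for v in values)
    raise ValueError("unsupported string expression: %r" % expr)

def check(rows, filter_args, max_warn, max_crit):
    """Return (state, names of kept rows) for the given filters and thresholds."""
    filters = [parse_filter(a) for a in filter_args]
    kept = []
    for row in rows:
        res = [(mode, hits(t, c, e, row)) for mode, t, c, e in filters]
        if any(mode == "+" and not hit for mode, hit in res):
            continue  # a required filter missed: row discarded
        if any(mode == "-" and hit for mode, hit in res):
            continue  # a negative filter hit: row discarded
        normal = [hit for mode, hit in res if mode == "."]
        if normal and not any(normal):
            continue  # assumption: normal filters, when given, need one hit
        kept.append(row)
    n = len(kept)  # assumption: a state is raised when the count exceeds its maximum
    state = "CRITICAL" if n > max_crit else "WARNING" if n > max_warn else "OK"
    return state, [r["Name"] for r in kept]
```
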
Debugging queries
To try a query use the following syntax:
nsclient++ CheckWMI Select * from win32_Processor







