Windows Management Instrumentation (WMI) allows for agentless monitoring of Windows machines, which lets us set up monitoring with Nagios without having to install or configure agents.
As a part of our Server Management Services, we help our customers with requests related to Nagios.
Let us today discuss how to monitor Windows machines with Nagios XI using WMI.
Windows Machine Requirements for WMI Monitoring With Nagios
Before we set up WMI monitoring with Nagios to monitor a Windows server or workstation, we have to ensure that the following requirements are in place:
- WMI service is up
- WMI user account
- Firewall rules
We have to log in as a user with administrator privileges. The following steps help us check whether the Windows Management Instrumentation service is running.
In Windows XP/Vista/7/8/10/Server 2003/Server 2008
- Click Start and choose Run.
- In the Run window that appears, type services.msc in the Open field and then click OK. We can also type services.msc in the Search field of the Start menu.
In Windows Server 2012/Server 2016
- Open the Server Manager
- In the Tools menu, select Services
Verify that the Windows Management Instrumentation (WMI) service is in Started status and has the Startup Type of Automatic.
Configure A WMI User Account On The Windows Machine
Next, we need to configure a WMI user account on the local machine. This account will be used to monitor the Windows machine from Nagios XI. For instance, to create a new user account called wmiagent with the password wmiagent, use the command below from an administrative command prompt:
net user wmiagent wmiagent /add
We should get a response of “The command completed successfully”.
Note: use a stronger password than wmiagent, as it will most likely fail the password policy requirements.
Setting WMI Permissions
WMI requires a valid username and password on the target system. We can add only the permissions needed to the Windows user account. Some of these permissions do not need to be set if our user account is a member of the local administrator’s group. However, from a security perspective, it is best to use an account with only the minimal required permissions.
If we wish to monitor multiple computers across the domain, instead make the user a member of the “Distributed COM Users”, “Event Log Readers”, “Performance Log Users” and “Performance Monitor Users” groups.
Adding Remote Activation Privilege to Windows DCOM
We need to give our newly created user access to DCOM on the localhost. In order to do this, open Component Services.
Click Start, choose Run. Type DCOMCnfg.exe and click OK.
In Server 2012/2016, this is located at Server Manager > Tools > Component Services.
Expand Component Services > Computers and click on My Computer. Then, right-click on My Computer and select Properties.
Click the COM Security tab. Under the Launch and Activation Permissions section, click the Edit Limits button. Then, click the Add button.
Type wmiagent in the Enter the object names to select field and click OK.
We may need to use the Locations button to set the search scope to be the local computer object (instead of the domain). Now, we will see wmiagent as a user and it will be selected.
Check the Remote Launch and Remote Activation checkboxes under the Allow column. Click OK twice. We can now close the Component Services management console.
Adding Remote WMI Access
In order for the wmiagent user to return data remotely from WMI, access to the WMI namespace CIMV2 must be granted.
Click Start, choose Run. Type WMImgmt.msc and click OK. Right-click on WMI Control (local) and select Properties.
Now, click the Security tab of the WMI Control Properties window. Expand Root and select CIMV2.
Click the Security button and then the Add button.
Type wmiagent in the Enter the object names to select field and click OK.
We may need to use the Locations button to set the search scope to be the local computer object. Now, we can see wmiagent as a user and it will be selected.
Check the Enable Account and Remote Enable checkboxes under the Allow column. Click OK twice. We can now close the WmiMgmt management console.
Windows Firewall Settings
Next, configure the firewall rules specific to the version of Windows being monitored.
Windows Server 2008/2012/2016 Firewall Rules
To check firewall settings, select Start and type firewall in the search dialog box and open Windows Firewall with Advanced Security.
In Server 2012/2016, this is located at Server Manager > Tools > Windows Firewall with Advanced Security.
From the left-hand pane, click Inbound Rules. In the right-hand pane, click Filter by Group and then select Windows Management Instrumentation (WMI). We will then be shown the available firewall rules for WMI.
We need to make sure that the DCOM-In and WMI-In rules are enabled.
If the WMI rule group does not exist, execute the following commands from the command prompt.
netsh advfirewall firewall add rule dir=in name="DCOM" program=%systemroot%\system32\svchost.exe service=rpcss action=allow protocol=TCP localport=135
netsh advfirewall firewall add rule dir=in name="WMI" program=%systemroot%\system32\svchost.exe service=winmgmt action=allow protocol=TCP localport=any
netsh advfirewall firewall add rule dir=in name="UnsecApp" program=%systemroot%\system32\wbem\unsecapp.exe action=allow
netsh advfirewall firewall add rule dir=out name="WMI_OUT" program=%systemroot%\system32\svchost.exe service=winmgmt action=allow protocol=TCP localport=any
Windows Server 2003 Firewall Rules
The following section describes firewall and DCOM port configuration for a 2003 Windows Server. By default, DCOM communicates with the client on a random port, so in order to write firewall rules, this section also describes how to set a specific port range.
Click Start, choose Run, type DCOMCnfg.exe, and click OK.
Expand Component Services, expand Computers, right-click My Computer, and select Properties.
Click the Default Protocols tab and the Properties button. Then click the Add button.
Add a port range for COM services. In this example, the range is from 5000-5020. Depending on our environment, we may want to choose a different range.
Finally, click OK when done.
Now, we need to allow the port range through the Windows firewall. This command will open ports from 5000-5020 to match the COM Internet Services Range.
FOR /L %I IN (5000,1,5020) DO netsh firewall add portopening TCP %I "COM"%I
Lastly, open DCOM port 135. For this, from the command prompt type:
netsh firewall add portopening TCP 135 "DCOM"
Running The Windows WMI Wizard
Now that WMI has been configured on our Windows machine, we can run the Windows WMI wizard from our Nagios XI server. To begin using the Windows WMI wizard, navigate via the top menu bar to Configure > Run a configuring wizard and select the Windows WMI wizard.
The wizard will prompt for the IP Address of the Windows machine, along with the Domain (if applicable), Username, and Password to access the machine. Alternatively, we can use an Auth File that includes the username and password. Once done, click Next.
Now, the wizard will perform a WMI query against the Windows machine to get a list of the available disks, services, and processes. If Nagios XI is not able to communicate via WMI, an error will be displayed.
Make sure the Host Name field is correctly populated. Select the server metrics we wish to monitor and adjust the thresholds as required.
For Disk Usage, the automatically detected disk drives will be populated in the Scanned Disk List and they will already be selected in the drop-down lists.
Now, for Services, the automatically detected services will be populated in the Scanned Service List. We can add a service to be monitored by double-clicking it in the Scanned Service List.
For Event Logs, we can select the specific log on the Windows machine and define warning and critical thresholds based on the number of Warning or Error logs found in the past x hours.
Once we have finished selecting all the items we wish to monitor, click Next and then complete the wizard by choosing the required options.
To finish up, click on Finish in the final step of the wizard. This will create the new hosts and services and begin monitoring.
Once the wizard applies the configuration, click the View status details for xxxxx link to see the new host and services that were created.
In the initial step of the configuration wizard, we can provide the location of a file that contains the authentication username and password. This provides the following advantages:
- It stores credentials in one location. If we need to update the credentials, we only need to update the file, and all services that use the file are immediately affected.
- Admins using Core Configuration Manager will not see these credentials; they will only see the reference to the file.
To create a file, we need to establish a terminal session to Nagios XI server. This example will create a file called wmi_auth.txt inside the folder /usr/local/nagios/etc/. Create the file by opening any text editor:
Add two lines that contain our username and password, for example:
When we have finished, save the changes and close the file. We can now close the terminal session and use the authentication file in the configuration wizard.
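An added example, not part of the original page: a shell function that writes the auth file with owner-only permissions from the moment it is created, and a checker that flags a file other accounts can read. The username=/password= layout (the Samba-style credentials format read by wmic's -A option), the nagios owner, and both function names are assumptions.

```shell
#!/bin/sh
# Added example: create and audit a WMI auth file for the Nagios XI wizard.
# Assumed format: Samba-style credentials file (username= / password= lines).

# write_wmi_auth FILE USER PASSWORD
# Creates FILE under umask 077 so the password is never briefly readable
# by other local accounts, then forces mode 600 in case FILE already existed.
write_wmi_auth() {
    file=$1 user=$2 pass=$3
    (
        umask 077
        printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$file"
    ) || return 1
    chmod 600 "$file"
    # Hand the file to the nagios account when we are root and it exists
    # (assumption: checks run as the nagios user).
    if [ "$(id -u)" -eq 0 ] && id nagios >/dev/null 2>&1; then
        chown nagios:nagios "$file"
    fi
}

# check_wmi_auth FILE
# Returns 0 only if FILE has both keys and no group/other permission bits.
check_wmi_auth() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    grep -q '^username=.' "$file" || { echo "no username= line"; return 1; }
    grep -q '^password=.' "$file" || { echo "no password= line"; return 1; }
    mode=$(stat -c '%a' "$file")   # GNU stat, as found on Linux hosts
    case $mode in
        600|400) return 0 ;;
        *) echo "mode $mode exposes credentials to other accounts"; return 1 ;;
    esac
}

# Usage on the Nagios XI server (path from the text above):
#   write_wmi_auth /usr/local/nagios/etc/wmi_auth.txt wmiagent 'strong-password-here'
#   check_wmi_auth /usr/local/nagios/etc/wmi_auth.txt
```

Running check_wmi_auth again after any manual edit catches an editor or copy that reset the mode to something wider than 600.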
The Auth File is defined in the initial step of the configuration wizard.
It is important that the Username and Password fields are empty to ensure the wizard works correctly.
Click Next and complete the wizard.
In short, to set up WMI monitoring with Nagios, we need to configure a WMI user account on the Windows machine and then set up the WMI permissions. Today, we saw how our Support Engineers perform this.