Monitor Windows via WMI from Cacti on Linux


Post by claymen »

@Mika2008

Your problem is the username and password you have specified in your authentication file doesn't have permission to remote WMI query (that or its password denied, I haven't had my morning coffee yet to decode your error entirely). Your second issue is that it appears the user the poller is running as doesn't have permission to read the actual authentication file. Fix those and you should see it start working.

You also still have that issue with the msql.so php library being loaded in your php.ini file but the actual library not existing on your system. That'd be worth fixing simply to cut down the crap it is spewing into your log files.

If you run this manually?

Code:

/usr/local/bin/wmic --namespace='root\CIMV2' --authentication-file=/etc/cacti/cactiwmi.pw //192.168.0.11 "SELECT Size,FreeSpace FROM Win32_LogicalDisk WHERE DeviceID='C:'"

What does it do? What comes up? Also can you try running that AS the user the poller runs as? This often is www-data on deb boxes (e.g. the apache user) or sometimes the cacti user if your setup has been secured down.

I've just implemented a cacti install at my new work place with these scripts and a Debian VM with no issues. If people are interested I could provide a pre-configured VM to play with... Just a basic cacti install with the templates loaded and ready to go.

Post by Mika2008 »

Hello,
I have this, if someone can help me please

Code:

Mika2008[/etc/cacti] >  /usr/bin/php -q /var/www/cacti/scripts/wmi.php -h 'xxx;xxx;xxx;xxx' -u '/etc/cacti/cactiwmi.pw' -w 'Win32_PerfFormattedData_PerfOS_Processor' -n '' -k '' -v '' -c 'PercentProcessorTime'
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php5/20060613+lfs/msql.so' - /usr/lib/php5/20060613+lfs/msql.so: cannot open shared object file: No such file or directory in Unknown on line 0
NTSTATUS: NT_STATUS_IO_TIMEOUT - NT_STATUS_IO_TIMEOUT


Return code non-zero, debug mode enabled!



/usr/local/bin/wmic --namespace='root\CIMV2' --authentication-file=/etc/cacti/cactiwmi.pw //xxx;xxx;xxx;xxx "SELECT PercentProcessorTime FROM Win32_PerfFormattedData_PerfOS_Processor"
Exec Status: 1

mika2008[/etc/cacti] > ^C
mika2008 [/etc/cacti] > /usr/bin/php -q /var/www/cacti/scripts/wmi.php -h 'xxx;xxx;xxx;xxx' -u '/etc/cacti/cactiwmi.pw' -w 'Win32_LogicalDisk' -n '' -k 'DeviceID' -v 'C:' -c 'Size,FreeSpace'
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php5/20060613+lfs/msql.so' - /usr/lib/php5/20060613+lfs/msql.so: cannot open shared object file: No such file or directory in Unknown on line 0
NTSTATUS: NT_STATUS_IO_TIMEOUT - NT_STATUS_IO_TIMEOUT


Return code non-zero, debug mode enabled!



/usr/local/bin/wmic --namespace='root\CIMV2' --authentication-file=/etc/cacti/cactiwmi.pw //xxx;xxx;xxx;xxx "SELECT Size,FreeSpace FROM Win32_LogicalDisk WHERE DeviceID='C:'"
Exec Status: 1

mika2008[/etc/cacti] > /usr/local/bin/wmic --namespace='root\CIMV2' --authentication-file=/etc/cacti/cactiwmi.pw //xxx;xxx;xxx;xxx "SELECT Size,FreeSpace FROM Win32_LogicalDisk WHERE DeviceID='C:'"
ERROR: Login to remote object.
NTSTATUS: NT_STATUS_IO_TIMEOUT - NT_STATUS_IO_TIMEOUT

Post by claymen »

a) you haven't fixed the msql.so warning
b) it looks like a timeout, checked your firewalls?

Post by Mika2008 »

Hello,
I have deleted all lines with msql.so in these files:

Code:

Edit the file /etc/php5/apache2/php.ini and uncomment the following line:

;extension=msql.so

Edit the file /etc/php5/cli/php.ini and uncomment the following line:

;extension=msql.so

Edit the file /etc/php5/cgi/php.ini and uncomment the following line:

;extension=msql.so

Restart Apache:

sudo /etc/init.d/apache2 restart

and now I have this :'(

Code:

Mika2008[/var/www/cacti] > /usr/local/bin/wmic --namespace='root\CIMV2' --authentication-file=/etc/cacti/cactiwmi.pw //192.168.1.3 "SELECT Size,FreeSpace FROM Win32_LogicalDisk WHERE DeviceID='C:'"
ERROR: Login to remote object.
NTSTATUS: NT_STATUS_IO_TIMEOUT - NT_STATUS_IO_TIMEOUT
Mika2008[/var/www/cacti] > /usr/bin/php -q /var/www/cacti/scripts/wmi.php -h '192.168.1.3 ' -u '/etc/cacti/cactiwmi.pw' -w 'Win32_PerfFormattedData_PerfOS_Processor' -n '' -k '' -v '' -c 'PercentProcessorTime'

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /var/www/cacti/scripts/wmi.php on line 16

and I have no firewall on my Ubuntu.

Post by Mika2008 »

Now I have this error message:

Code:

Mika2008@ubuntu:~/0.0.6.r101$ /usr/bin/php -q /var/www/cacti/scripts/wmi.php -h '192.168.7.5' -u '/etc/cacti/cactiwmi.pw' -w 'Win32_PerfRawData_EnterpriseVaultVaultStores_EnterpriseVaultVaultStores' -n '' -k 'Name' -v '_Total' -c 'WatchfileTableSize,VaultStoreDBLogSize,VaultStoreDBLogPercentUsed,VaultStoreDBLogBackup,VaultStoreDBBackup'
NTSTATUS: NT code 0x80041010 - NT code 0x80041010


Return code non-zero, debug mode enabled!



/usr/local/bin/wmic --namespace='root\CIMV2' --authentication-file=/etc/cacti/cactiwmi.pw //192.168.7.5 "SELECT WatchfileTableSize,VaultStoreDBLogSize,VaultStoreDBLogPercentUsed,VaultStoreDBLogBackup,VaultStoreDBBackup FROM Win32_PerfRawData_EnterpriseVaultVaultStores_EnterpriseVaultVaultStores WHERE Name='_Total'"
Exec Status: 1

Mika2008@ubuntu:~/0.0.6.r101$ /usr/bin/php -q /var/www/cacti/scripts/wmi.php -h '192.168.7.5' -u '/etc/cacti/cactiwmi.pw' -w 'Win32_PerfRawData_MSExchangeIS_MSExchangeISMailbox' -n '' -k 'Name' -v '' -c 'ActiveClientLogons,MessagesDelivered,MessagesSent,MessagesSubmitted,ReceiveQueueSize,SendQueueSize,TotalCountofRecoverableItems,TotalSizeofRecoverableItems'
NTSTATUS: NT code 0x80041010 - NT code 0x80041010


Return code non-zero, debug mode enabled!



/usr/local/bin/wmic --namespace='root\CIMV2' --authentication-file=/etc/cacti/cactiwmi.pw //192.168.17.5 "SELECT ActiveClientLogons,MessagesDelivered,MessagesSent,MessagesSubmitted,ReceiveQueueSize,SendQueueSize,TotalCountofRecoverableItems,TotalSizeofRecoverableItems FROM Win32_PerfRawData_MSExchangeIS_MSExchangeISMailbox WHERE Name=''"
Exec Status: 1


Post by claymen »

Your new error could possibly be because you're trying to query some WMI classes which don't exist. Can you confirm they actually exist by using Scriptomatic2 and running a query locally?

In addition to this, what version of Exchange are you trying to query? Exchange 2007, whilst having the same WMI class that you are trying to query as 2003, doesn't have the Send/Receive Queues so you'd need to remove those.

Post by Taltos »

Hello

Thanks claymen for your work and your help. I've read the 32 pages but I have a problem:


If I send
intranet:~# wmic -U corp/user%pass //172.16.1.12 "SELECT * FROM Win32_PerfRawData_PerfDisk_PhysicalDisk"

it gives a result:

CLASS: Win32_PerfRawData_PerfDisk_PhysicalDisk
AvgDiskByteestamp_Object|Timestamp_PerfTime|Timestamp_Sys100NS
73728|4|24641024|3479|24567296|3475|217346000|173000|48279802|4|526075460|3

blablabla


but if I try

intranet:~# wmic --authentication-file=/tmp/cactiwmi.pw //172.16.1.12 "SELECT * FROM Win32_PerfRawData_PerfDisk_PhysicalDisk"

I receive

Failed to bind to uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 - NT_STATUS_NET_WRITE_FAULT
ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
intranet:~#


I have tried putting cactiwmi.pw everywhere with all permissions available,
no more results
cactiwmi.pw:
username=<user>
password=<pass>
domain=<corp>

and wmic -V gives me
Version 4.0.0tp4-SVN-build-UNKNOWN

after a day of work, I can say I'm really lost :cry:

thx for your help

Post by claymen »

Well the failure is an access denied so something isn't being passed properly 'cause it's not able to auth.

The cactiwmi.pw file has the exact same user and pass you were testing with before?

Can you try calling wmic with -d2/-d3 to increase the debug level, it might give you a clue as to why it's not reading the file or passing the credential.

Return code non-zero, debug mode enabled

Post by garnser »

Hi all,

I just installed CactiWMI and have some issues, when running an example query I get this:

Code:

root@cacti2:~/cactiwmi# ./wmi.php -h xx.xx.xx.xx -u /etc/cacti/wmi.pw  -w Win32_ComputerSystem -c PrimaryOwnerName,NumberOfProcessors -n 'root\CIMV2' 
./wmi.php -h xx.xx.xx.xx -u /etc/cacti/wmi.pw  -w Win32_ComputerSystem -c PrimaryOwnerName,NumberOfProcessors -n 'root\CIMV2'


Return code non-zero, debug mode enabled!



/usr/local/bin/wmic --namespace='root\CIMV2' --authentication-file=/etc/cacti/wmi.pw //193.17.218.86 "SELECT PrimaryOwnerName,NumberOfProcessors FROM Win32_ComputerSystem" 2>/dev/null
Exec Status: 1

root@cacti2:~/cactiwmi# 

Please advise on what's wrong, thanks.

Re: Return code non-zero, debug mode enabled

Post by claymen »

garnser wrote:
Hi all,

I just installed CactiWMI and have some issues, when running an example query I get this:

Code:

root@cacti2:~/cactiwmi# ./wmi.php -h xx.xx.xx.xx -u /etc/cacti/wmi.pw  -w Win32_ComputerSystem -c PrimaryOwnerName,NumberOfProcessors -n 'root\CIMV2' 
./wmi.php -h xx.xx.xx.xx -u /etc/cacti/wmi.pw  -w Win32_ComputerSystem -c PrimaryOwnerName,NumberOfProcessors -n 'root\CIMV2'


Return code non-zero, debug mode enabled!



/usr/local/bin/wmic --namespace='root\CIMV2' --authentication-file=/etc/cacti/wmi.pw //193.17.218.86 "SELECT PrimaryOwnerName,NumberOfProcessors FROM Win32_ComputerSystem" 2>/dev/null
Exec Status: 1

root@cacti2:~/cactiwmi# 

Please advise on what's wrong, thanks.

Does this return anything? It should give you some idea what's not working.
/usr/local/bin/wmic --namespace='root\CIMV2' --authentication-file=/etc/cacti/wmi.pw //193.17.218.86 "SELECT PrimaryOwnerName,NumberOfProcessors FROM Win32_ComputerSystem"

Can you query that wmi class with the username/password combo in your pw file run locally on the destination server with say scriptomatic?

Post by garnser »

Turns out my user didn't have the correct permission, so that portion is ok now and I get a return, however it seems like WMI doesn't return that much data, for instance if I run:

root@cacti2:/usr/share/cacti/site/scripts# ./wmi.php -h xx.xx.xx.xx -u /etc/cacti/wmi.pw -w Win32_ComputerSystem -c DiscWritesPersec


Return code non-zero, debug mode enabled!



/usr/local/bin/wmic --namespace='root\CIMV2' --authentication-file=/etc/cacti/wmi.pw //xx.xx.xx.xx "SELECT DiscWritesPersec FROM Win32_ComputerSystem" 2>/dev/null
Exec Status: 1

While this works fine:
root@cacti2:/usr/share/cacti/site/scripts# ./wmi.php -h xx.xx.xx.xx -u /etc/cacti/wmi.pw -w Win32_ComputerSystem -c Name
Name:REALHOSTNAME

Running it without columns I get:
AdminPasswordStatus:1 AutomaticManagedPagefile:True AutomaticResetBootOption:True AutomaticResetCapability:True BootOptionOnLimit:3 BootOptionOnWatchDog:3 BootROMSupported:True BootupState:Normal_boot Caption:REALHOSTNAME ChassisBootupState:3 CreationClassName:Win32_ComputerSystem CurrentTimeZone:60 DaylightInEffect:False Description:AT/AT_COMPATIBLE DNSHostName:REALHOSTNAME Domain:domain.tld DomainRole:3 EnableDaylightSavingsTime:True FrontPanelResetStatus:3 InfraredSupported:False InitialLoadInfo:NULL InstallDate:(null) KeyboardPasswordStatus:3 LastLoadInfo:(null) Manufacturer:VMware,_Inc. Model:VMware_Virtual_Platform Name:REALHOSTNAME NameFormat:(null) NetworkServerModeEnabled:True NumberOfLogicalProcessors:4 NumberOfProcessors:4 OEMLogoBitmap:NULL OEMStringArray:([MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7],Welcome_to_the_Virtual_Machine) PartOfDomain:True PauseAfterReset:3932100000 PCSystemType:0 PowerManagementCapabilities:NULL PowerManagementSupported:False PowerOnPasswordStatus:0 PowerState:0 PowerSupplyState:3 PrimaryOwnerContact:(null) PrimaryOwnerName:Windows_User ResetCapability:1 ResetCount:-1 ResetLimit:-1 Roles:(LM_Workstation,LM_Server,NT,Server_NT) Status:OK SupportContactDescription:NULL SystemStartupDelay:0 SystemStartupOptions:NULL SystemStartupSetting:0 SystemType:x64-based_PC ThermalState:3 TotalPhysicalMemory:4293496832 UserName:DOMAINNAME\cacti WakeUpType:6 Workgroup:(null)

Post by garnser »

Did some more digging and figured out I had a syntax error.

Now it seems to return data correctly:
./wmi.php -h xx.xx.xx.xx -u /etc/cacti/wmi.pw -w Win32_PerfRawData_PerfDisk_LogicalDisk -c DiskWritesPersec
DiskWritesPersec0:4246873 Name0:C DiskWritesPersec1:1458790 Name1:D DiskWritesPersec2:5705663 Name2:_Total

However the cactilog complains:
01/13/2010 02:10:32 PM - CACTID: Poller[0] Host[141] DS[3115] WARNING: Result from SCRIPT not valid. Partial Result: ...

And no graphs are generated.

Please advise.

Post by claymen »

@garnser

DiskWritesPersec doesn't exist in Win32_ComputerSystem.

Think of it like SQL (which is what this is, but MS call it WQL). You're selecting columns from the table Win32_ComputerSystem. So what we call a WMI class is kinda like your table. Whilst WMI is a little more complex than just that, for our purposes of monitoring that's all it is :) If you have ever done any SQL the syntax will make sense. Select Columns From Table Where Column = "Blah" which would return rows of the selected columns where the column/row combo = blah.

Now your second problem where it's running ok from the console but not from cacti. Can you make sure that the user that the cacti poller is running as has permission to both execute the script AND access to read your password file. Best way to test it is work out what user the poller runs as, then su to it and run the same command that cacti is trying to run. You can grab this from the poller cache. That way you can test from the console in the same environment that the poller would be.
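
Added example, not part of any post in this thread: a check for the two authentication-file problems raised above (the poller user cannot read the file, or the file has been opened up with "all permissions" or left in /tmp). `audit_authfile` is a hypothetical helper name; it assumes GNU `stat` and `id` on Linux and the username=/password=/domain= layout shown earlier in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): audit a wmic --authentication-file.
# Assumes GNU stat/id. Decisions are made from the mode bits, so the result
# does not depend on which account runs the audit.

# audit_authfile FILE POLLER_USER
# Prints one finding per line; returns 0 if there are none, 1 otherwise.
audit_authfile() {
    af_file=$1; af_user=$2; af_rc=0
    if [ ! -f "$af_file" ]; then
        echo "MISSING $af_file"; return 1
    fi
    # stat prints e.g. "640 root www-data"
    set -- $(stat -c '%a %U %G' "$af_file")
    af_owner=$2; af_group=$3
    af_own=$(( $1 / 100 % 10 )); af_grp=$(( $1 / 10 % 10 )); af_oth=$(( $1 % 10 ))

    # Which permission class applies to the poller user?
    af_bits=$af_oth
    if [ "$af_user" = "$af_owner" ]; then
        af_bits=$af_own
    else
        for af_g in $(id -Gn "$af_user" 2>/dev/null); do
            if [ "$af_g" = "$af_group" ]; then af_bits=$af_grp; fi
        done
    fi
    if [ $(( $af_bits & 4 )) -eq 0 ]; then
        echo "NOACCESS $af_user cannot read $af_file (owner $af_owner, group $af_group)"
        af_rc=1
    fi
    # Any permission for "other" exposes the password to every local account.
    if [ "$af_oth" -ne 0 ]; then
        echo "EXPOSED $af_file grants access to all local users (other=$af_oth)"
        af_rc=1
    fi
    # A world-writable parent such as /tmp is shared with every local user.
    af_dir=$(dirname "$af_file")
    if [ $(( $(stat -c '%a' "$af_dir") % 10 & 2 )) -ne 0 ]; then
        echo "WRITABLE_DIR $af_dir is world-writable"
        af_rc=1
    fi
    # Check the keys are present without ever printing their values.
    for af_key in username password; do
        if ! grep -q "^${af_key}=" "$af_file" 2>/dev/null; then
            echo "FORMAT no ${af_key}= line could be read from $af_file"
            af_rc=1
        fi
    done
    return $af_rc
}
```

Called as `audit_authfile /etc/cacti/cactiwmi.pw www-data`, a clean result is no output and exit status 0; owner-only read for the poller account (mode 600 or 400) satisfies both the NOACCESS and the EXPOSED check.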

Post by garnser »

I've verified that the permissions are correct but still no luck.

The only other issue is that when I loaded the template from the trunk I got an XML hash error, the ones from branches worked though.

Post by Taltos »

claymen wrote:
The cactiwmi.pw file has the exact same user and pass you were testing with before?

Yes master!

claymen wrote:
Can you try calling wmic with -d2/-d3 to increase the debug level, it might give you a clue as to why it's not reading the file or passing the credential.

Ok let's go:

Code:

intranet:/tmp/wmi-1.3.5/Samba/source# wmic -d3 -U corp/user%pass  //172.16.1.12 "SELECT * FROM Win32_PerfRawData_PerfDisk_PhysicalDisk"


Initialising global parameters
lp_load: refreshing parameters from /dev/null
params.c:pm_process() - Processing configuration file "/dev/null"
adding hidden service IPC$
adding hidden service ADMIN$
failed to get principal from default ccache: No such file or directory: open(/tmp/krb5cc_0): No such file or directory
AUTH backend 'winbind_samba3' registered
AUTH backend 'winbind' registered
AUTH backend 'name_to_ntstatus' registered
AUTH backend 'fixed_challenge' registered
AUTH backend 'unix' registered
AUTH backend 'anonymous' registered
AUTH backend 'sam' registered
AUTH backend 'sam_ignoredomain' registered
GENSEC backend 'krb5' registered
gensec subsystem fake_gssapi_krb5 is disabled
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
gensec subsystem gssapi_spnego is disabled
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'ntlmssp' registered
Using binding ncacn_ip_tcp:172.16.1.12
Mapped to DCERPC endpoint 135
dcerpc_ndr_request_recv returned NT_STATUS_OK
IObjectExporter::ServerAlive returned NT_STATUS_OK
Cannot do GSSAPI to an IP address
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898205
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088205
Negotiated COM version: 5.1 using binding ncacn_ip_tcp:172.16.1.12[135]
lib/com/dcom/main.c:1172: dcom_get_pipe: host=172.16.1.12, similar=172.16.1.12[1675]
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
OK   : Login to remote object.
OK   : WMI query execute.
OK   : Reset result of WMI query.
OK   : Retrieve result data.
CLASS: Win32_PerfRawData_PerfDisk_PhysicalDisk
AvgDiskBytesPerRead|AvgDiskBytesPerRead_Base|A333740500|129078744856049856|22714544500|1294000

And

Code:

intranet:/tmp/wmi-1.3.5/Samba/source# wmic -d3 --authentication-file=/etc/cacti/cactiwmi.pw //172.16.1.12 "SELECT * FROM Win32_PerfRawData_PerfDisk_PhysicalDisk"

Initialising global parameters
lp_load: refreshing parameters from /dev/null
params.c:pm_process() - Processing configuration file "/dev/null"
adding hidden service IPC$
adding hidden service ADMIN$
failed to get principal from default ccache: No such file or directory: open(/tmp/krb5cc_0): No such file or directory
AUTH backend 'winbind_samba3' registered
AUTH backend 'winbind' registered
AUTH backend 'name_to_ntstatus' registered
AUTH backend 'fixed_challenge' registered
AUTH backend 'unix' registered
AUTH backend 'anonymous' registered
AUTH backend 'sam' registered
AUTH backend 'sam_ignoredomain' registered
GENSEC backend 'krb5' registered
gensec subsystem fake_gssapi_krb5 is disabled
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
gensec subsystem gssapi_spnego is disabled
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'ntlmssp' registered
Using binding ncacn_ip_tcp:172.16.1.12
Mapped to DCERPC endpoint 135
dcerpc_ndr_request_recv returned NT_STATUS_OK
IObjectExporter::ServerAlive returned NT_STATUS_OK
Cannot do GSSAPI to an IP address
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898205
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088205
Failed to bind to uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 - NT_STATUS_NET_WRITE_FAULT
ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
intranet:/tmp/wmi-1.3.5/Samba/source#

Thx for your help