Monitor Windows via WMI from Cacti on Linux

argon0
Cacti User
Posts: 460
Joined: Fri Mar 12, 2004 1:22 pm

Post by argon0 »

OK, this is now working, but only by setting the user used as a member of Domain admins...

Does anybody know what permissions the user needs to be able to get wmi stats?

OFFS!! note to self, do a google before posting... Yup you can set security from the Computer Manager, by default only users in local admin groups can get wmi stats...

So this means setting credentials on all Servers to allow Cacti to do it, or use admin accounts...

For those who've been trying the same thing here is a link on how to do it: http://www.microsoft.com/technet/script ... mifaq.mspx
Q 9. How do I set WMI namespace security?

Setting namespace security using WMI Control

The WMI Control provides one way to manage namespace security. You can start the WMI Control from the command prompt using this command:

wmimgmt

On Windows 9x or Windows NT4 computers that have WMI installed, type this command instead:

wbemcntl.exe

Alternatively, you can access the WMI Control and the Security tab by doing the following:

1. Right-click on My Computer and click Manage.
2. Double-click Services and Applications and then double-click WMI Control.
3. Right-click WMI Control and then click Properties.
4. In the WMI Control Properties dialog box click the Security tab.
5. A folder named Root with a plus sign (+) next to it should now be visible. Expand this tree as necessary to locate the namespace for which you want to set permissions.
6. Click the Security button. A list of users and their permissions appears. If the user is on that list, modify the permissions as appropriate. If the user is not on the list, click the Add button, and add the user from the location (local machine, domain, etc.) where the account resides.

Notes:

In order to view and set namespace security, the user must have Read Security and Edit Security permissions. Administrators have these permissions by default, and can assign the permissions to other user accounts as required.

If this user needs to access the namespace remotely, you must select the Remote Enable permission.

By default, user permissions set on a namespace apply only to that namespace. If you want the user to have access to that namespace and all subnamespaces in the tree below it, or in subnamespaces only, click the Advanced button. Click Edit and specify the scope of access in the resulting dialog box.
Argon0
No longer a n00by, probably, by now an 0ldby

Now Head of Technology at RSCH, back to the prickly subject of Monitoring....
claymen
Cacti User
Posts: 259
Joined: Mon Aug 18, 2008 4:30 am
Location: Australia

Post by claymen »

argon0 wrote:
Right installed, looks like it's going to work, but a couple of questions:

1) The Filter value for Drive graphs - should this be c\: as you mentioned on page one, or C as you have in the filter fields
2) the Exchange graph: 'Exchange - Database Performance (WMI)' do you put the name of the Database you want to look at in here - e.g. Directors.edb, or does it follow the format SG1-Directors as used by Cigamit's plugin?

Argon0

1) The filter value needs to be escaped so C\: the template does funny stuff when I have C:\ in or C:\\ so that Cacti doesn't mess with it..

2) Full database and store name enclosed in single quotes for example 'Storage Group1-Database Blah'. The easiest way I found was to run the following and grab the names, put the script into debug level 1 and run wmic and query the list to grab the names like so.

wmic -U domain/user //xx.xx.xx.xx "SELECT Name FROM Win32_PerfRawData_MSExchangeIS_MSExchangeISMailbox"

It will spit out the list and then just copy and paste and ensure they are enclosed in single quotes. Again this is due to it being passed to the script/shell and the spaces will make it fail.
claymen
Cacti User
Posts: 259
Joined: Mon Aug 18, 2008 4:30 am
Location: Australia

Post by claymen »

tipiaks wrote:
Re...

I have another problem. Memory graph doesn't work...

I don't receive any information, I don't understand why ??

All other graphs work...

Enable debug for the graph. Are there any errors? I suspect your CDEF is broken because of either a different version of Cacti or you have adjusted it to use more or less data sources. I think I mentioned this earlier in the thread that in different versions of Cacti it defines different data sources for the graph from the RRD to improve accuracy. This throws out the CDEF as it relies on the data source being in a specific position.
argon0
Cacti User
Posts: 460
Joined: Fri Mar 12, 2004 1:22 pm

Post by argon0 »

claymen wrote:
argon0 wrote:
Right installed, looks like it's going to work, but a couple of questions:

1) The Filter value for Drive graphs - should this be c\: as you mentioned on page one, or C as you have in the filter fields
2) the Exchange graph: 'Exchange - Database Performance (WMI)' do you put the name of the Database you want to look at in here - e.g. Directors.edb, or does it follow the format SG1-Directors as used by Cigamit's plugin?

Argon0

1) The filter value needs to be escaped so C\: the template does funny stuff when I have C:\ in or C:\\ so that Cacti doesn't mess with it..

2) Full database and store name enclosed in single quotes for example 'Storage Group1-Database Blah'. The easiest way I found was to run the following and grab the names, put the script into debug level 1 and run wmic and query the list to grab the names like so.

wmic -U domain/user //xx.xx.xx.xx "SELECT Name FROM Win32_PerfRawData_MSExchangeIS_MSExchangeISMailbox"

It will spit out the list and then just copy and paste and ensure they are enclosed in single quotes. Again this is due to it being passed to the script/shell and the spaces will make it fail.

1) got it
2) a) how do you get to "debug level 1"
b) so you can graph more than one db at once, up to how many?

btw couple of graphs not showing anything (by which I mean broken graphic icons only, nothing else) - e.g. active client logon & disk i/o...
claymen
Cacti User
Posts: 259
Joined: Mon Aug 18, 2008 4:30 am
Location: Australia

Post by claymen »

argon0 wrote:
1) got it
2) a) how do you get to "debug level 1"
b) so you can graph more than one db at once, up to how many?

btw couple of graphs not showing anything (by which I mean broken graphic icons only, nothing else) - e.g. active client logon & disk i/o...

Copy the wmi.php script somewhere else, edit it and inside there is a debug variable, just set it to 1. Then update the path to your wmi-logins.php file else it won't work. That way you can execute wmi.php in debug mode to test the queries :)

You monitor additional databases by adding more data sources. E.g. for each of our data stores it's another data source. Simple as that :) Same way that disks are done each disk is another data source & graph.

What errors are you seeing for Disk I/O in your poller log? If you take the command from the poller cache and run that yourself does it work? Does it work in debug mode? Does the wmic command that debug mode generates work?

Debug mode 1 basically switches to printing the output line by line rather than space separating for cacti and also prints out the exact wmic command it's calling so that you can debug it to work out where the problem is. This is why you want a second copy of this linking to the same wmi-logins.php cause it will break your cacti polling as its output is different in debug mode :)
tipiaks
Posts: 17
Joined: Tue Feb 24, 2009 5:16 am

Post by tipiaks »

Hello,

Log :

Data Source Debug

/usr/bin/rrdtool create \
/var/lib/cacti/rra/brive01_availablebytes_974.rrd \
--step 300 \
DS:AvailableBytes:GAUGE:600:0:100000000000 \
DS:CommitLimit:GAUGE:600:0:100000000000 \
DS:CommittedBytes:GAUGE:600:0:100000000000 \
RRA:AVERAGE:0.5:1:500 \
RRA:AVERAGE:0.5:1:600 \
RRA:AVERAGE:0.5:6:700 \
RRA:AVERAGE:0.5:24:775 \
RRA:AVERAGE:0.5:288:797 \
RRA:MAX:0.5:1:500 \
RRA:MAX:0.5:1:600 \
RRA:MAX:0.5:6:700 \
RRA:MAX:0.5:24:775 \
RRA:MAX:0.5:288:797 \


I don't have any errors in poller-error.
How do I fix the CDEF? And what is a CDEF?


Thanks for your help.
argon0
Cacti User
Posts: 460
Joined: Fri Mar 12, 2004 1:22 pm

Post by argon0 »

claymen wrote:
Copy the wmi.php script somewhere else, edit it and inside there is a debug variable, just set it to 1. Then update the path to your wmi-logins.php file else it won't work. That way you can execute wmi.php in debug mode to test the queries :)

You monitor additional databases by adding more data sources. E.g. for each of our data stores it's another data source. Simple as that :) Same way that disks are done each disk is another data source & graph.

What errors are you seeing for Disk I/O in your poller log? If you take the command from the poller cache and run that yourself does it work? Does it work in debug mode? Does the wmic command that debug mode generates work?

Debug mode 1 basically switches to printing the output line by line rather than space separating for cacti and also prints out the exact wmic command it's calling so that you can debug it to work out where the problem is. This is why you want a second copy of this linking to the same wmi-logins.php cause it will break your cacti polling as its output is different in debug mode :)

Got it, the database names can be got from Cigamit's Plugin, using the Verbose query from the client, this, if you've got it working correctly, returns things like the database names, I just couldn't get the graphs to work...

As to my "no-graphs" I've gone into graph management, and see None for all the graph item fields when I look at Active Client Connections graph....

what data source should I choose from the drop down? Is it "Database Performance (Active Client Logons)"?

Argon0
claymen
Cacti User
Posts: 259
Joined: Mon Aug 18, 2008 4:30 am
Location: Australia

Post by claymen »

The active client logons is a little more manual than the others because I named each item to make it look better.

To make it work you just create a database performance data template for each store/db and then you will find an activeclientlogons data source available. The single template provides about 5-6 different types of data as they are all queried at once to reduce poll time.

So yes the active client logons one from Database Performance is what you want.
argon0
Cacti User
Posts: 460
Joined: Fri Mar 12, 2004 1:22 pm

Post by argon0 »

You monitor additional databases by adding more data sources. E.g. for each of our data stores it's another data source. Simple as that Same way that disks are done each disk is another data source & graph.

So not by putting them into one datasource separated by a ","... And if you've not got spaces in your DB name it won't fail if you don't have single quotes?

I'm slightly confused then, what are the database1, database2, etc.. that the graph templates are talking about?
claymen
Cacti User
Posts: 259
Joined: Mon Aug 18, 2008 4:30 am
Location: Australia

Post by claymen »

Yer it looks like there is a bit of confusion, I'll do my best to try and explain it.

If you want the active logon template to look right you create it then convert to no template to change the names else it lists just database1 database2 etc. You don't have to do this but there is no way for it to know the database names without editing it and if you have more than 5 or use the template more than once you'll want to generate the graph from the template but then set it to none later so you can edit it directly and not the template itself.

In any case, you have created data sources for each of your databases on the exchange server correct? And the database or filter value was entered in like so 'Storage Group-Database Name' as per what you grabbed from the plugin or from wmic as I mentioned. Yes you need to enclose it with single quotes like I have to pass the spaces through, else you can escape each space with a \

So at this point you have a data source defined for each database on the exchange server and have tested you get data by grabbing the full path and arguments from the cacti poller cache and run them from the command line.

Now you can create your active logon graph (not via the devices page just manually). For each of its inputs you select the activeclientlogons data source for each database in the list. The data template for database performance provides a number of actual data sources that graphs can use, one of which is the active client logons.

The graph template is just that, a template; the names are simply database1 2 3... because that's what's in the template, it doesn't know the names of the data sources you are adding.

This is all exactly the same as how you monitor Disk I/O for each Disk on a machine you should have a data source added for that disk.

I know it's somewhat confusing because these data templates you then add to a host are called a data source but they actually contain multiple data sources. And the same "data source" in this case the database performance data template is referenced by multiple graphs. This is done for performance reasons because all this info can be grabbed in one go when doing the WMI query, so rather than call the same WMI class multiple times I grab as much in one hit and build the graphs around that.

If you get really stuck drop me a PM and I can try and go over it directly with you :)
argon0
Cacti User
Posts: 460
Joined: Fri Mar 12, 2004 1:22 pm

Post by argon0 »

Understood.... (I think)...

When you choose the performance data (activelogons) how do you know which db they apply to as the data source doesn't mention the name of the db (I guess you can work it out via the order they are in....)

One question, which my Security Manager has raised is:

Why are we trying to use WMI rather than NetSaint/Nagios? Due to the fact that Netsaint/NC_Net passes data encrypted and can read wmi counters anyway... (I know that the nc_net exe needs to be installed on servers, but this is no biggie, and to get the security right for WMI you need to edit the WMI Namespace security in any case). Also unless you join the cacti server to the domain you will be passing the passwords in clear text...

Argon0
claymen
Cacti User
Posts: 259
Joined: Mon Aug 18, 2008 4:30 am
Location: Australia

Post by claymen »

argon0 wrote:Understood.... (I think)...

When you choose the performance data (activelogons) how do you know which db they apply to as the data source doesn't mention the name of the db (I guess you can work it out via the order they are in....)

One question, which my Security Manager has raised is:

Why are we trying to use WMI rather than NetSaint/Nagios? Due to the fact that Netsaint/NC_Net passes data encrypted and can read wmi counters anyway... (I know that the nc_net exe needs to be installed on servers, but this is no biggie, and to get the security right for WMI you need to edit the WMI Namespace security in any case). Also unless you join the cacti server to the domain you will be passing the passwords in clear text...

Argon0

You should be naming your data source properly. The name field is left editable so when you add your data source give it a clear name.

Because WMI is built in, doesn't require admin if you set it up that way and means one less 3rd party application installed on the server for vendors/Microsoft to complain about.

Not sure what you're referring to when you say it's being passed in clear text? The wmic binary supports a wide range of security/auth backends. Try putting it in debug mode -d3 and query with wmic directly see which one it's using. And the reason I used the wmi-logins.php was so that your username/password isn't spammed all through your log files... You might want to have a look at your poller cache and see how certain other polling methods are storing the password ;)

If you are talking about the passwords being stored in plain text well it's no worse than any other method. At some stage the password for that host whether it be using SNMP v3 (or v2 with a community name), WMI or Netsaint the password needs to be kept somewhere.

If you are really paranoid you can lock it down. You need to create a domain account to be used for this, use group policy to restrict how it can be used (no interactive logins etc), you limit the PCs it can log into to the servers you are querying, you adjust the WMI security to allow only that account remote WMI and adjust the DCOM settings as well. Most can be scripted or done via GP.

I'm not sure why you refer to joining cacti to the domain, cacti is just the script/application. And joining the host doesn't just automatically make it secure...
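
An added example, not part of the original thread or of claymen's templates: a small wrapper covering two points made above, store names with spaces being broken by the shell and keeping the WMI password out of the command line and logs. It assumes the Samba-derived Linux wmic accepts -A/--authentication-file; the auth file path, the function names and the WHERE Name= query form are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread. Assumptions: the Samba-derived
# Linux wmic accepts -A/--authentication-file; the path and function names
# below are hypothetical.
AUTHFILE="${AUTHFILE:-/etc/cacti/wmi-auth.conf}"   # hypothetical path
# Credentials file format (one key per line, values here are placeholders):
#   username=svc_cacti
#   password=CHANGE_ME
#   domain=EXAMPLE

# True only for a regular, non-symlink file with mode 0600 or 0400, so the
# service account's password is unreadable to other local users.
authfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld "$1") in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Escape a value for a single-quoted WQL string literal (backslash, then ').
wql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# Build the query for one counter instance. The class is an identifier, so
# anything outside [A-Za-z0-9_] is refused instead of escaped.
build_wql() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 2 ;;
    esac
    printf "SELECT * FROM %s WHERE Name='%s'" "$1" "$(wql_escape "$2")"
}

# usage: wmi_query HOST CLASS INSTANCE_NAME
wmi_query() {
    authfile_is_private "$AUTHFILE" || {
        echo "refusing: $AUTHFILE is missing or readable by group/other" >&2
        return 1
    }
    wmi_wql=$(build_wql "$2" "$3") || {
        echo "invalid WMI class name: $2" >&2
        return 2
    }
    # Every argument is quoted, so a store name with spaces reaches wmic as
    # part of one query string, and the password never appears in argv.
    wmic -A "$AUTHFILE" "//$1" "$wmi_wql"
}
```

Because the password lives only in the 0600 file, it does not show up in the process list, the poller cache or the Cacti log when the command is recorded there.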
argon0
Cacti User
Posts: 460
Joined: Fri Mar 12, 2004 1:22 pm

Post by argon0 »

wmic binary supports a wide range of security/auth backends.
Ah, something I didn't know will research it directly...
claymen
Cacti User
Posts: 259
Joined: Mon Aug 18, 2008 4:30 am
Location: Australia

Post by claymen »

argon0 wrote:
wmic binary supports a wide range of security/auth backends.
Ah, something I didn't know will research it directly...

Generally it's going to be either Kerberos or NTLM which is what Windows uses depending on version.
argon0
Cacti User
Posts: 460
Joined: Fri Mar 12, 2004 1:22 pm

Post by argon0 »

Ok, my security guy said he would prefer it if it used Kerberos, can you run through how I set it up for this? Or is this the default? If it is how does it work?

I.e. how is the client authenticating using Kerberos without joining the domain (which, as I understand it, is a requirement of Kerberos...)

Argon0