WMI Monitoring With Nagios

Server Management Service

WMI (Windows Management Instrumentation) allows for agentless monitoring of Windows machines. Nagios XI supports WMI monitoring, which provides admins with a simple method of monitoring their Windows servers and workstations without having to install or configure agents.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Nagios queries.

In this context, we shall look into how to monitor Windows machines with Nagios XI using WMI.

Windows Machine Requirements for WMI Monitoring With Nagios

Before we setup WMI monitoring with Nagios to monitor and windows server or workstation, we have to ensure that we have the following requirements set up:

WMI service is up.
WMI user account.
Firewall rules.

We have to log in as a user with administrator privileges.

Following steps help us to check if the Windows Management Instrumentation service is running.

In Windows XP/Vista/7/8/10/Server 2003/Server 2008:

Click Start and choose Run.
The window to the right will appear and type services.msc in the Open field and then click OK. We can also type services.msc in the Search field of the Start menu.

In Windows Server 2012/Server 2016:

Open the Server Manager.
In the Tools menu, select Services.

Verify the service Windows Management Instrument (WMI) is in Started status and has the Startup Type of Automatic.

How to Configure A WMI User Account On The Windows Machine ?

Next, we need to configure a WMI user account on the local machine. This account will be used to monitor the Windows machine from Nagios XI. For instance, to create a new user account called wmiagent with a password wmiagent use the command below from an administrative command prompt:

net user wmiagent wmiagent /add

We should get a response of "The command completed successfully".

Note to use a stronger password than wmiagent, as it will most likely fail the password policy requirements.

How to set WMI Permissions ?

WMI requires a valid username and password on the target system. We can add only the permissions needed to the Windows user account. Some of these permissions do not need to be set if our user account is a member of the local administrator’s group.

However, from a security perspective, it is best to use an account with only the minimal required permissions.

If we wish to monitor multiple computers across the domain, instead add the user to be a member of the “Distributed Com Users”, “Event Log Readers”, “Performance Log Users” and “Performance Monitor Users” groups.

How to Add Remote Activation Privilege to Windows DCOM ?

We need to give our newly created user access to DCOM on the localhost.

In order to do this, open Component Services.
Click Start, choose Run. Type DCOMCnfg.exe and click OK.
In Server 2012/2016, this is located at Server Manager > Tools > Component Services.
Expand Component Services > Computers and click on My Computer. Then, right-click on My Computer and select Properties.
Click the COM Security tab. Under the Launch and Activation Permissions section, click the Edit Limits button. Then, click the Add button.
Type wmiagent in the Enter the object names to select field and click OK.
We may need to use the Locations button to set the search scope to be the local computer object (instead of the domain).
Now, we will see wmiagent as a user and it will be selected.
Check the Remote Launch and Remote Activation checkboxes under the Allow column.
Click OK twice. We can now close the Component Services management console.

How to Add Remote WMI Access ?

In order for the wmiagent user to return data remotely from WMI, access to the WMI namespace CIMV2 must be granted.

Click Start, choose Run. Type WMImgmt.msc and click OK. Right-click on WMI Control (local) and select Properties.
Now, click the Security tab of the WMI Control Properties window. Expand Root and select CIMV2.
Click the Security button and then the Add button.
Type wmiagent in the Enter the object names to select field and click OK.
We may need to use the Locations button to set the search scope to be the local computer object. Now, we can see wmiagent as a user and it will be selected.
Check the Enable Account and Remote Enable checkboxes under the Allow column.
Click OK twice. We can now close the WmiMgmt management console.

How to set Windows Firewall ?

Here, we will configure the firewall rules specific to the version of windows being monitored.

1. Windows Server 2008/2012/2016 Firewall Rules

To check firewall settings, select Start and type firewall in the search dialog box and open Windows Firewall with Advanced Security.
In Server 2012/2016, this is located at Server Manager > Tools > Windows Firewall with Advanced Security.
From the left-hand pane, click Inbound Rules. In the right-hand pane, click Filter by Group and then select Windows Management Instrumentation (WMI). We will then be shown the available firewall rules for WMI.
We need to make sure that the DCOM-In and WMI-In rules are enabled.

If the WMI rule group does not exist, execute the commands from the command prompt:

netsh advfirewall firewall add rule dir=in name="DCOM" program=%systemroot%\system32\svchost.exe service=rpcss action=allow protocol=TCP localport=135
netsh advfirewall firewall add rule dir=in name ="WMI" program=%systemroot%\system32\svchost.exe service=winmgmt action = allow protocol=TCP localport=any
netsh advfirewall firewall add rule dir=in name ="UnsecApp" program=%systemroot%\system32\wbem\unsecapp.exe action=allow
netsh advfirewall firewall add rule dir=out name ="WMI_OUT" program=%systemroot%\system32\svchost.exe service=winmgmt action=allow protocol=TCP localport=any

2. Windows Server 2003 Firewall Rules

Here, we will look into firewall and DCOM port configuration for a 2003 Windows Server. By default, DCOM communicates with the client on a random port. So in order to write firewall rules, it also describes a specific port range.

Click Start, choose Run, type DCOMCnfg.exe, and click OK.
Expand Component Services, expand Computers, right-click My Computer, and select Properties.
Click the Default Protocols tab and the Properties button. Then click the Add button.
Add a port range for COM services. In this example, the range is from 5000-5020. Depending on our environment, we may want to choose a different range.
Finally, click OK when done.
Now, we need to allow the port range through the windows firewall. This command will open ports from 5000-5020 to match the COM Internet Services Range.
FOR /L %I IN (5000,1,5020) DO netsh firewall add portopening TCP %I "COM"%I .
Lastly, open DCOM port 135.
For this, from the command prompt type: netsh firewall add portopening TCP 135 "DCOM" .

How to run the Windows WMI Wizard ?

Now that WMI has been configured on our windows machine, we can now run the Windows WMI wizard from our Nagios XI server.

To begin using the Windows WMI wizard, navigate via the top menu bar to Configure > Run a configuring wizard and select the Windows WMI wizard.
The wizard will prompt for the IP Address of the Windows machine, along with the Domain (if applicable), Username, and Password to access the machine.
Alternatively, we can use an Auth File that includes the username and password. Once done, click Next.
Now, the wizard will perform a WMI query against the Windows machine to get a list of the available disks, services, and processes. If Nagios XI is not able to communicate via WMI, an error will be displayed.
Make sure the Host Name field is correctly populated. Select the server metrics, we wish to monitor and adjust the thresholds as required.
For Disk Usage, the automatically detected disk drives will be populated in the Scanned Disk List and they will already be selected in the drop-down lists.
Now, for Services, the automatically detected services will be populated in the Scanned Service List.
We can add a service to be monitored by double-clicking it in the Scanned Service List.
For Event Logs, we can select the specific log on the windows machine and define warning and critical thresholds based on the amount of Warning or Error logs found in the past x hours.
Once we have finished selecting all the items we wish to monitor, click Next and then complete the wizard by choosing the required options.
To finish up, click on Finish in the final step of the wizard. This will create the new hosts and services and begin monitoring.
Once the wizard applies the configuration, click the View status details for xxxxx link to see the new host and services that were created.

How to set the Authentication File ?

In the initial step of the configuration wizard, we can provide the location of a file that contains the authentication username and password.

This provides the following advantages:

It stores credentials in one location. If we need to update the credentials, we only need to update the file and all services that use the file are immediately affected.

Admins using Core Configuration Manager will not see these credentials, they will only see the reference to the file.

To create a file, we need to establish a terminal session to Nagios XI server. This example will create a file called wmi_auth.txt inside the folder /usr/local/nagios/etc/.

Create the file by opening any text editor: