

WMI errors in Nagios – How to Troubleshoot and Fix?

Nagios Core and Nagios XI are capable of monitoring Windows machines via WMI. So it is best to troubleshoot WMI errors in Nagios as soon as possible.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our customers to perform related Nagios queries.

In this context, we shall look into methods for troubleshooting WMI problems.


WMI errors in Nagios

Here, let us discuss various errors and how to troubleshoot them.


Debug

Enabling debug can help diagnose the source of the issue.

There are two different types of debugging options available:

i. check_wmi_plus.pl Plugin Debugging

This method is for the plugin itself.

When we execute a plugin command, adding -d produces extra debug information.

For example,

/usr/local/nagios/libexec/check_wmi_plus.pl -H 10.25.14.3 -u wmiagent -p wmiagent -m checkcpu -w '80' -c '90' -d

In the output, the first and last few lines carry the information we need:

Base Dir: /usr/local/nagios/libexec
Conf File Dir: /usr/local/nagios/libexec
Loaded Conf File /usr/local/nagios/libexec/check_wmi_plus.conf
Starting Keep State Mode
STATE FILE: /tmp/cwpss_checkcpu__1025143___.state

UNKNOWN – The WMI query had problems. You might have your username/password wrong or the user’s access level is too low. Wmic error text on the next line.
[librpc/rpc/dcerpc_util.c:1290:dcerpc_pipe_auth_recv()] Failed to bind to uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 – NT_STATUS_NET_WRITE_FAULT
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c0000022) in dcerpc_pipe_connect_b_recv
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED – Access denied


ii. WMI Debugging

This method will produce WMI API debugging output. The --extrawmicarg argument passes native WMI arguments which can help identify issues.

In a command, using --extrawmicarg "--debuglevel=4" will produce extra debug information.

For example,

/usr/local/nagios/libexec/check_wmi_plus.pl -H 10.25.14.3 -u wmiagent -p wmiagent -m checkcpu -w '80' -c '90' --extrawmicarg "--debuglevel=4"

As before, the first and last few lines of the output carry the information we need:

UNKNOWN – The WMI query had problems. You might have your username/password wrong or the user’s access level is too low. Wmic error text on the next line.

[param/loadparm.c:587:init_globals()] Initialising global parameters
[param/loadparm.c:2462:lp_load()] lp_load: refreshing parameters from /dev/null
[param/params.c:556:pm_process()] params.c:pm_process() – Processing configuration file “/dev/null”
[param/loadparm.c:2471:lp_load()] pm_process() returned Yes

[auth/ntlmssp/ntlmssp.c:72:debug_ntlmssp_flags()] Got NTLMSSP neg_flags=0x60088205
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[librpc/rpc/dcerpc_util.c:1290:dcerpc_pipe_auth_recv()] Failed to bind to uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 – NT_STATUS_NET_WRITE_FAULT
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c0000022) in dcerpc_pipe_connect_b_recv
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED – Access denied
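To read this debug output faster, the following added example (not part of the plugin or of the original article) extracts the NT status codes and decodes the NTLMSSP neg_flags value. The function names and hint texts are this example's own assumptions; the NT_STATUS_IO_TIMEOUT name for c00000b5 is the standard NTSTATUS name and is not printed in the article's output.

```python
import re

# The two NT status codes quoted in this article, with their standard names.
# The hints are this example's own summary of the article's advice.
NT_STATUS = {
    0xC0000022: ("NT_STATUS_ACCESS_DENIED",
                 "check credentials, DOMAIN/user form and group membership"),
    0xC00000B5: ("NT_STATUS_IO_TIMEOUT",
                 "connection timed out; query the IP address, not the FQDN"),
}
# NTLMSSP negotiate bits (MS-NLMP), limited to the flags wmic printed above.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}
STATUS_RE = re.compile(r"failed NT status \(([0-9a-fA-F]{8})\)")
FLAGS_RE = re.compile(r"neg_flags=0x([0-9a-fA-F]+)")

def decode_flags(value):
    """Return (known flag names in bit order, leftover bits not in the table)."""
    names = [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]
    return names, value & ~sum(NTLMSSP_FLAGS)

def triage(debug_text):
    """Return ([(code, name, hint), ...] in first-seen order, decoded flags or None)."""
    codes = list(dict.fromkeys(
        int(m.group(1), 16) for m in STATUS_RE.finditer(debug_text)))
    findings = [(f"0x{c:08X}",) + NT_STATUS.get(c, ("unknown", "not covered here"))
                for c in codes]
    m = FLAGS_RE.search(debug_text)
    return findings, (decode_flags(int(m.group(1), 16)) if m else None)

# Constructed sample: individual lines copied from the outputs quoted in this article.
SAMPLE = """\
[auth/ntlmssp/ntlmssp.c:72:debug_ntlmssp_flags()] Got NTLMSSP neg_flags=0x60088205
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c0000022) in dcerpc_pipe_connect_b_recv
[librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
"""

if __name__ == "__main__":
    findings, flags = triage(SAMPLE)
    for code, name, hint in findings:
        print(f"{code} {name}: {hint}")
    print("NTLMSSP flags:", ", ".join(flags[0]), "unknown bits:", hex(flags[1]))
```

Note that NTLMSSP_NEGOTIATE_NTLM2 is the extended session security bit, not proof that NTLMv2 authentication was used, so its presence in the flags does not replace the NTLMv2 setting described later in this article.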


FQDN vs IP Address

It is possible for us to see an error like this:

[librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv
CLASS: Win32_ComputerSystem

This never occurs when querying a Windows machine via an IP address. However, it occurs intermittently when we use an FQDN DNS record.

The solution here is to change the check_wmi_plus.pl plugin to resolve the DNS record to an IP address before performing the query.
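One way to get the same effect, shown as an added example that is not the article's or the plugin's own code: a wrapper that resolves the value after -H to an IPv4 address and then runs the plugin, instead of patching check_wmi_plus.pl itself. The wrapper, its function names and the host name in the test are assumptions; only the -H option and the plugin path come from the article.

```python
import ipaddress
import socket

PLUGIN = "/usr/local/nagios/libexec/check_wmi_plus.pl"  # path used in this article

def resolve_host(host, lookup=socket.getaddrinfo):
    """Return an IP literal unchanged, otherwise the first IPv4 address for host."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal, so treat it as a DNS name
    infos = lookup(host, None, socket.AF_INET, socket.SOCK_STREAM)
    if not infos:
        raise LookupError(f"no IPv4 address for {host}")
    return infos[0][4][0]

def build_command(args, lookup=socket.getaddrinfo):
    """Copy the plugin arguments, replacing the value after -H with an IP address."""
    out = [PLUGIN]
    it = iter(args)
    for arg in it:
        out.append(arg)
        if arg == "-H":  # only the short form shown in the article is handled
            host = next(it, None)
            if host is None:
                raise ValueError("-H needs a value")
            out.append(resolve_host(host, lookup))
    return out

if __name__ == "__main__":
    import subprocess
    import sys
    try:
        cmd = build_command(sys.argv[1:])
    except (OSError, LookupError, ValueError) as exc:
        # A failed lookup is reported as Nagios UNKNOWN (exit code 3)
        print(f"UNKNOWN - cannot resolve host: {exc}")
        sys.exit(3)
    # Argument list, no shell: the credentials are passed through unmodified
    sys.exit(subprocess.run(cmd).returncode)
```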


Perform A Raw Query

Performing a query directly on the Windows machine is helpful. This helps to confirm that WMI is working and the data actually exists.

The first step is to identify the query WMI performs. We can obtain it by executing the plugin with debugging enabled.

For example,

/usr/local/nagios/libexec/check_wmi_plus.pl -H 10.25.14.3 -u wmiagent -p wmiagent -m checkcpu -d

Our output will be like this:

Round #2 of 2
QUERY: /usr/bin/wmic '-U' 'USER%PASS' '--namespace' 'root/cimv2' '//10.25.14.3' 'select PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfOS_Processor where Name="_Total"'

Since we have the information, we open PowerShell on the Windows machine and run:

Get-WmiObject -Query 'select PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfOS_Processor where Name="_Total"'

Successful output will be like this:

__GENUS : 2
__CLASS : Win32_PerfRawData_PerfOS_Processor
__SUPERCLASS :
__DYNASTY :
__RELPATH :
__PROPERTY_COUNT : 2
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
PercentProcessorTime : 51966897119
Timestamp_Sys100NS : 131374922305304314

The last two lines indicate the objects being queried and that they actually have values.

If there were problems, we would not get this output.


Administrative Permissions

Sometimes the standard permission levels do not expose all the monitoring capabilities of the WMI plugin.

Then, we can elevate permissions by adding the WMI user to one of the two local groups:

  • Performance Monitor Users
  • Administrators


Access Denied When Using Domain Account

While authenticating with a Windows domain account, we may come across:

UNKNOWN – The WMI query had problems. You might have your username/password wrong or the user’s access level is too low. Wmic error text on the next line.

[librpc/rpc/dcerpc_util.c:1290:dcerpc_pipe_auth_recv()] Failed to bind to uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 – NT_STATUS_NET_WRITE_FAULT
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c0000022) in dcerpc_pipe_connect_b_recv
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED – Access denied

The solution to this problem is to use a forward slash (/) to separate the domain name and user account.

For instance,

/usr/local/nagios/libexec/check_wmi_plus.pl -H 10.25.14.3 -u your_domain/wmiagent -p wmiagent -m checkcpu


Force NTLMv2

At times, we may have to force the plugin to use NTLMv2. This can be done globally.

To do so, we open the check_wmi_plus.conf file in a text editor:

vi /usr/local/nagios/libexec/check_wmi_plus.conf

Then we locate the following line:

our @opt_extra_wmic_args=(); # extra arguments to pass to wmic

Add "--option=client ntlmv2 auth=Yes" in between the brackets as follows:

our @opt_extra_wmic_args=("--option=client ntlmv2 auth=Yes"); # extra arguments to pass to wmic

Once done, we save the changes and close the file.




Conclusion

This article covers methods to troubleshoot different WMI errors in Nagios.