Community Comunidad Servers Servidores

Windows Management Instrumentation in remote monitoring

January 29, 2019

Windows Management Instrumentation in remote monitoring

This post is also available in : Spanish

Windows Management Instrumentation in monitoring

Pandora FMS features include decentralized monitoring, which is based on several standards and/or protocols of common and open use (SNMP v1 and v2 -v3 from version 7.0 NG 727-, ICMP and WMI). In this article we will talk about the latter, starting from the simplest and with references to each of the articles published here in your blog.

Local monitoring and remote monitoring

The local monitoring is done through programs of the operating system or third parties, and scripts or programs stored in the firmware of the device (router, modem, etc.) and that are executed every so often. The response values will be stored in your own storage system and may optionally be sent – or consulted – to other servers in charge of collecting such data. Pandora FMS uses this option for the computers with GNU/Linux and Microsoft Windows® – among other operating systems thanks to the Tentacle® protocol, even in isolated surroundings.

Remote monitoring consists of sending messages from a server, containing queries – and even our identification, including passwords – about the status of a device. SNMP (Simple Network Management Protocol) , is the first choice for these tasks, but as its name indicates it is something very basic.

GNU / Linux and SSH

The central server of Pandora FMS is executed on GNU / Linux and one of the features of this operating system is that we can use Secure SHell, better known as SSH, which is a protocol that allows to consult in a remote and secure way other computers with GNU / Linux. This connection contemplates the sending of credentials and guarantees an encrypted communication in both ways, so when connecting we can perform all the tasks of monitoring as if we were doing it locally. This is fine for the world of high computing, since the vast majority, use a successor of Unix and its corresponding POSIX. But, how do we do with the operating system used by the vast majority of end users?

Windows Management Instrumentation

With the breakthrough of the Internet in our lives, personal computing took hold and the need to remotely manage computers was discovered. In 1992, the “Distributed Management Task Force“, DMTF was created, whose founding members are important companies which produce hardware and software of the United States Achieving an agreement among such a variety of companies is a titanic task, and the rules and protocols dictated are extremely deep and we will not describe them here, but we will make an exception with two of its regulations: ” Web-Based Enterprise Management“, and “Common Information Model“, ; The latter includes all documents issued by that organism. A special mention is the”Desktop Management Interface” or DMI, 1998) for personal computers which includes many features, such as serving an SNMP query by returning all the MIB values available.

For 1998, Microsoft Windows® releases one of its most famous versions and at the end of the 20th century it evolves to Windows 2000®, a robust operating system that “absorbs” Windows 98 SE® and incorporates the regulations of DMTF, as Instrumentation of Windows Administration (WMI). Even today important manufacturers build fully certified devices with its standards and are very important models for the high-end business environment. The rest of the users are also indirectly benefited from WMI, since manufacturers also include their own “drivers”; for example, Windows 10® includes 47 new “providers“, only for mobile device management service!

The Microsoft® company has also made available to us a tool that works by command line, interface preferred by us in order to be able to extract any data available for the Windows Administration Instrumentation.

The importance of this theory is that since it’s proprietary hardware it opens a path of effective communication between each of the components and the Windows® operating system.But, what does all this have to do with Pandora FMS?

Practical example with Windows Management Instrumentation

So far we have given you the theory in a very, very basic way, and in this article published by one of our colleagues we realize how to pick up the processor temperature metric with WMI. In general, we can obtain any other value, let´s see:

C:\Users\Jimmy>wmic
wmic:root\cli>path win32_processor get maxclockspeed
MaxClockSpeed
2194

wmic:root\cli>

We opened a terminal window and then we launched the command wmic.exec.
When having the command indicator with the command path we establish where it will look for information, and with get we ask the specific value, in this case the speed of the processor. For Pandora FMS, which has the ability to take an inventory of devices, this is one of the values that we can collect and save in our database in the central server.
If we need to set up a web server under Windows®, we must use Internet Information Services (“Internet Information Services“® or IIS) since Windows Server 2008®, there are more WMI providers useful for monitoring, added services with Powershell® and even to obtain metrics on virtualization.

Practical Uses of Windows Management Instrumentation

  • Internally: if we have a Pandora FMS software agent installed in a computer with Windows 2000® or higher, we can have access to an infinity of metrics, including very specific components which are impossible for the operating system to have by default installed, since otherwise the disks or installation download of the operating system would be gigantic. Although it is true that the monitoring scripts (modules) for Pandora FMS are very general, also -following the same approach of the operating system- we will be able to have our own routines for concise hardware, in case we need its monitoring. This represents a great advantage and denotes the flexibility of Pandora FMS.
  • The wmic.exe tool also has the ability to add other computers on the same local area network, by means of the command “/node:computer_name”, always taking into account the credentials and access privileges granted to the querying user. This concept we indicate operates very much like a broker agent, but using WMI. Note: we must review that we will first need to establish the credentials due in all the devices with Windows® installed and what we need to monitor, and then configure Pandora FMS so that it collects each metric identified with the corresponding device.
  • To implement and test all our WMI queries it is recommended to use the tool WBEMTest.exe. Although not officially a Microsoft® software, in practice it is widely used for testing and debugging scripts in WMI.
  • To communicate from a computer with GNU/Linux we will have to add a special client for this task. In free software there are many alternatives, but we prefer those written in Python language. One of them is wmi_client_wrapper, which once installed we can pass a program like the following:

  • import wmi_client_wrapper as wmi

    wmic = wmi.WmiClientWrapper(
    username="Administrator",
    password="password",
    host="192.168.1.149",
    )

    output = wmic.query("SELECT * FROM Win32_Processor")

  • From the above we must also point out that there is the Structured Query Language for Windows Administration Instrumentation, which is very long to read and is abbreviated as SQL WMI or simply WQL. This functionality allows programmers a familiar environment, just as if we were working with a database. This shows the breadth of the standard, since with Python, available on many platforms, allows to connect and SQL. In fact, a universal language, with its “dialects”, makes it possible to connect many different companies. Of course all this helps Pandora FMS in its monitoring tasks!
  • Remotely we have another possibility: through SNMP and adding the feature “WMI SNMP Provider”, an element that is used by other monitoring software which we have reviewed. Now, Pandora FMS has support for SNMP v3, which includes identification and secure communication to obtain the metrics.

Records in Windows Management Instrumentation

Finally we want to review the management of records in WMI, since we can monitor the operation of WMI itself, as well as any other WMI provider we discussed. We won’t be long; the main ones are:

  • Wmiprov.log: contains WMI data and events, including binary compilation errors if we use MOF.
  • Ntevt.log: is the most important and allows access to anyone using the Event Log Provider.
  • Dsprovider.log: The Active Directory is essential for the software written for this operating system; the records can be consulted in this way.

You will find all the information (in English) in this web link.

Do you need any additional guidance about Pandora FMS? Contact us here!

You can make your comments on this topic, or even requests for articles, here below!


    Written by:



    Leave a comment

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.