Pulling SSL certs from a local Certificate store
I am wondering if anyone has been able to pull SSL certificate info from a server's local computer certificate store. I can get on the server and run the below PowerShell command and it pulls all of the SSL certificates that I expect. When I create a custom datasource to run this same PowerShell command, it's only pulling the SSL certificates for my local session.

    Get-item Cert:\LocalMachine\my\* | select-object certificatedomains,issuer,status,notbefore,subject

I can run this command without admin rights. I am suspecting that Logic Monitor is using WMI to run this and for some reason it isn't allowed in some way. I have searched all of the docs and cannot find anything on how to do this. Any help is greatly appreciated.

Does anyone have any experience with monitoring Windows Processes?
I've checked the community for datasources and I don't see anything like what I'm specifically looking for. Our organization currently utilizes the Microsoft_Windows_Services datasource (modified a little bit for our specific needs) to monitor services. I'm looking for something similar to monitor Windows processes. Similar to the Microsoft_Windows_Services datasource, what I am hoping to accomplish is to provide a list of keywords that will either match or be contained in the process name that I want to monitor, provide a list of machines that I want to monitor those processes on, and then get alerted if those processes stop running.

Some issues I am running into so far are:

- Win32_Process always returns a value of NULL for status and state, so I cannot monitor for those two class-level properties.
- PowerShell's Get-Process does not return status or state; rather, it just looks for processes that are actively running, so I would need to get creative in having LogicMonitor create the instance and what value to monitor in the instance.
- Some of the processes I want to monitor create multiple processes with the same name, and LogicMonitor then groups them all together into one instance, which makes monitoring difficult.
- Some of the processes I want to monitor are processes that only run if an application is manually launched, which means that again I will need to get creative in how I set up monitoring, because I don't want to get alerts when a process that I know shouldn't be running is not running.

Because the processes I am trying to monitor are not going to be common for everyone everywhere, something that other people could do to try to replicate my scenario would be: Open Chrome. When Chrome is launched, you will get a process called "Chrome". Now, open several other tabs of Chrome; you will just get more processes named "Chrome". Now, keeping in mind the points I made earlier, set up monitoring to let you know when the 3rd tab in Chrome has been closed, even though the rest of the Chrome tabs are still open. How would you break that down?

My first thought would be to monitor the PIDs; however, when you reboot your machine, your PIDs will likely change. Also, I don't want to have the datasource wild value search by PID, because that would get confusing really fast once you have 2 or 3 different PIDs that you want to monitor.

All suggestions are welcome, and any help is greatly appreciated. Bonus points if you can get this to work with the discovery method as Script and you use an embedded Groovy or PowerShell script.

No WMI data is being collected from <host>
I get an error in LM on a few of our hosts:

"No WMI data is being collected from <host>. This started at <time>. This means the LogicMonitor agent does not have permissions to collect data from <host>, or the traffic is being blocked. If the host is in a domain, ensure the LogicMonitor agent service is running as a domain account that has local administrator privileges on the host, or running as LocalSystem on a domain controller. Ensure there are no firewalls preventing the agent from accessing the host."

These hosts don't really have anything particularly different on them. I have run through the WMI guide here: https://www.logicmonitor.com/support/monitoring/os-virtualization/troubleshooting-wmi/

After going to LM Tech support (who are very helpful), they said that the only solution they can give is to disable UAC. This will not work for us, as this will introduce a security issue on those devices. Other machines in very similar configurations do not have this issue, so it seems odd that particular machines present this behavior even though others have UAC on as well.

Can further investigation be done in this area to diagnose the fault specifically, and a different solution than UAC deactivation be provided? Thanks

PSA: Collect from Windows systems without admin rights
Don't know if anyone else noticed, but MS released a pretty slick script that enables WMI access remotely without admin rights. I have done a brief test with LM and it seems to be working well.

https://blogs.technet.microsoft.com/askpfeplat/2018/04/30/delegate-wmi-access-to-domain-controllers/

That's the article. I created an AD group instead of a user to delegate, and I put the LM collector service in that group. Everything else I've followed as documented. I haven't tested anything else, but this alone is a huge step in the right direction.

Issues with WMI in Windows Server 2003
Hello to everyone, I have problems when monitoring Windows Server 2003. The collector always tells me that it cannot connect to port 135, but when doing the tests locally with some tools like WBEMTEST or PORTQRY, the WMI service seems to be working properly. Please help me to verify whether this problem is general to Windows Server 2003 or whether I must do something else. Thanks

Is anyone interested in a utility to remotely bulk set WMI permissions (non-admin)?
Some people don't want to use 'Domain Admin' level credentials or even local admin credentials for Windows monitoring via WMI. I have created a utility in PowerShell that allows you to set these in bulk from a central location without doing all the tedious steps. The relevant help doc is here. Let me know if you're interested. I will send it to you so you can test/use it.

Click this link to see a demo: https://share.vidyard.com/watch/6Bgp9ksd5aWAN9J93h2d2F

Better Win_WMI_Access_Denied, with error code identification
Win_WMI_Access_Denied - identifies that a probably-Windows device isn't giving up WMI data (auto properties and active discovery).

This scripted alternative version, Win_WMI_Access_Denied_ErrorCodes, parses the error code returned from the Windows devices and converts that to a human-friendly alert message to help identify the likely cause (DCOM permissions, Windows Firewall, etc).

As in Exchange, it has an AppliesTo of '!(system.sysinfo) && isDevice()', as the original DataSource has, i.e. only devices that have never returned data. However, you could clone or change the datasource to apply to previously-working devices, all Windows devices, etc, such that if collection fails for any reason, alerts can be triggered.

4CKLN2

Automatic grouping by service status
A customer recently requested assistance with grouping some of their hosts that were running a particular service. This can be achieved by a combination of Active Discovery, Dynamic Groups, PropertySources, and of course functioning WMI.

First, we have to figure out how to dynamically group these. We can rely on a custom query to automatically match the devices we want to see, but must depend on the properties from a device's Info tab for any evaluation. We can use a PropertySource to do some of this work for us, and have it perform a check for the service and apply a property if it is found.

Let's confirm we can query this host, and see how it identifies itself. I can query the win32_service class for a test host and see what gets returned:

Great, so I've found an example of the service I want, and can reference its NAME attribute in our PropertySource to check for a match and determine if a host has this service installed.

This PropertySource runs a WMI query against the win32_service class, looking for the NAME of the service as it's reported as an attribute. If it finds a match, it checks to see if it's running, and if those two pass, it applies a property called "auto.GoldenEye" to the device. The nice thing about this PropertySource is that if discovery finds the device no longer runs the installed service, it will remove the autoproperty, and thus remove it from the dynamic group. This allows you to have a top-level view of only those devices with the service actually running.

Now that we have a method to automatically flag the service we want to track, we can reference this property name in our Dynamic Group query. This is a simple boolean check to see if the property is applied to any given host.

As an optional step, but highly advised, we can add the services as monitored instances. You may already know that running services can be added into LM through the Add Other Monitoring option in the UI, but this can become cumbersome if you want to add the same or multiple services into monitoring for many devices. Since the wizard in the link above is just a frontend for the WinServices datasource, we can work with a clone of it, enable Active Discovery to automatically apply to eligible devices, and utilize filtering to specify which services to monitor. Here I've specified that I want it to match by the DISPLAYNAME attribute of the win32_service class:

Once this is applied, discovery automatically checks each host for the desired service, and returns it as an alertable instance so you can be notified when it is not running or has degraded performance.

Further reading:

- LogicMonitor Scripting
- Monitoring Processes and Services
- Creating PropertySources

PropertySource embedded Groovy script example:

    import com.santaba.agent.groovyapi.win32.WMI
    import com.santaba.agent.groovyapi.win32.WMISession

    // Set hostname
    def hostname = hostProps.get('system.hostname');

    // Form the full query.
    def wmiQuery = "Select name,state from Win32_Service Where name='someservicenameNOTdisplayname'";

    try {
        // using default namespace
        def session = WMI.open(hostname);
        def result = session.queryFirst("CIMv2", wmiQuery, 10);

        // Did we get anything? The null-safe ?. keeps a host without the
        // service from raising an exception: no property is printed and
        // the script still exits 0.
        if (result?.STATE == "Running") {
            // Yes, apply the properties
            println 'auto.somedesiredpropname=yes'
        }
    }
    catch(Exception e) {
        // Query or connection failure: print the error and signal failure.
        println e
        return 1;
    }

    // Exit by returning 0.
    return 0;

Secondary WMI Credentials
Use case: We have parts of the business that have some standalone servers and servers joined to different domains. We create our device groups based on our business services, which means we have business services that are made up of devices that are standalone, and from different domains.

Problem: We have to set the WMI user for these servers independently because one user ID inherited from parent groups won't work in such a scenario.

Enhancement: It would be useful to be able to use a function (in the manner of Applies To) to supply the WMI user value. The function could inspect device properties to determine which WMI user account to use.