Pulling SSL certs from a local Certificate store
I am wondering if anyone has been able to pull SSL certificate info from a server's local computer certificate store. I can get on the server and run the below PowerShell command and it pulls all of the SSL certificates that I expect. When I create a custom datasource to run this same PowerShell command, it's only pulling the SSL certificates for my local session.

    Get-item Cert:\LocalMachine\my\* | select-object certificatedomains,issuer,status,notbefore,subject

I can run this command without admin rights. I am suspecting that LogicMonitor is using WMI to run this and for some reason it isn't allowed in some way. I have searched all of the docs and cannot find anything on how to do this. Any help is greatly appreciated.

Solved | 900 Views | 1 like | 4 Comments

Does anyone have any experience with monitoring Windows Processes?
I’ve checked the community for datasources and I don’t see anything like what I’m specifically looking for. Our organization currently utilizes the Microsoft_Windows_Services datasource (modified a little bit for our specific needs) to monitor services. I’m looking for something similar to monitor Windows processes. Similar to the Microsoft_Windows_Services datasource, what I am hoping to accomplish is provide a list of keywords that will either match or be contained in the process name that I want to monitor, provide a list of machines that I want to monitor those processes on, and then get alerted if those processes stop running.

Some issues I am running into so far are:

- Win32_Process always returns a value of NULL for status and state. So I cannot monitor for those two class level properties.
- PowerShell’s Get-Process does not return status or state, rather it just looks for processes that are actively running, so I would need to get creative in having LogicMonitor create the instance and what value to monitor in the instance.
- Some of the processes I want to monitor create multiple processes with the same name, and LogicMonitor then groups them all together into one instance, which makes monitoring difficult.
- Some of the processes I want to monitor are processes that only run if an application is manually launched, which means that again I will need to get creative in how I set up monitoring because I don’t want to get alerts when a process that I know shouldn’t be running is not running.

Because the processes I am trying to monitor are not going to be common for everyone everywhere, something that other people could do to try to replicate my scenario would be: Open Chrome. When Chrome is launched, you will get a process called “Chrome”. Now, open several other tabs of Chrome, you will just get more processes named “Chrome”.
Now, keeping in mind the points I made earlier, set up monitoring to let you know when the 3rd tab in Chrome has been closed, even though the rest of the Chrome tabs are still open. How would you break that down? My first thought would be to monitor the PIDs, however, when you reboot your machine, your PIDs will likely change. Also, I don’t want to have the datasource wild value search by PID, because that would get confusing really fast once you have 2 or 3 different PIDs that you want to monitor. All suggestions are welcome, and any help is greatly appreciated. Bonus points if you can get this to work with the discovery method as Script and you use an embedded Groovy or PowerShell script.

Solved | 800 Views | 12 likes | 19 Comments

No WMI data is being collected from <host>
I get an error in LM on a few of our hosts:

"No WMI data is being collected from <host>. This started at <time>. This means the LogicMonitor agent does not have permissions to collect data from <host>, or the traffic is being blocked. If the host is in a domain, ensure the LogicMonitor agent service is running as a domain account that has local administrator privileges on the host, or running as LocalSystem on a domain controller. Ensure there are no firewalls preventing the agent from accessing the host."

These hosts don't really have anything particularly different on them. I have run through the WMI guide here: https://www.logicmonitor.com/support/monitoring/os-virtualization/troubleshooting-wmi/

After going to LM Tech support (who are very helpful) they said that the only solution they can give is to disable UAC. This will not work for us as this will introduce a security issue on those devices. Other machines in very similar configurations do not have this issue, so it seems odd that particular machines present this behavior even though others have UAC on as well. Can further investigation be done in this area to diagnose the fault specifically, and a different solution than UAC deactivation be provided? Thanks

309 Views | 0 likes | 0 Comments

WMI Least Privileges
Our support team is trying to move away from traditionally adding admin group privileges to least privilege of WMI. But they have issues in giving the permissions:

- Enable Account – Controls the ability to enable and disable the WMI provider, ensuring that only the authorised entities can control its state.
- Remote Enable – Governs whether remote systems can access and query the WMI provider on the local computer, thus preventing unauthorised remote access.

Just for WMI querying, why do we need Enable Account and Remote Enable? Why does it control the ability to enable and disable the WMI provider, ensuring that only the authorised entities can control its state? Why does it need to govern whether remote systems can access and query the WMI provider on the local computer, thus preventing unauthorised remote access?

216 Views | 0 likes | 0 Comments

PSA: Collect from Windows systems without admin rights
Don't know if anyone else noticed, but MS released a pretty slick script that enables WMI access remotely without admin rights. I have done a brief test with LM and it seems to be working well.

https://blogs.technet.microsoft.com/askpfeplat/2018/04/30/delegate-wmi-access-to-domain-controllers/

That's the article. I created an AD group instead of a user to delegate, and I put the LM collector service in that group. Everything else I've followed as documented. I haven't tested anything else, but this alone is a huge step in the right direction.

100 Views | 3 likes | 7 Comments

Issues with WMI in Windows Server 2003
Hello to everyone, I've problems when monitoring Windows Server 2003. The collector always tells me that it cannot connect to port 135, but doing the tests locally, the WMI service seems to be working properly with some tools like WBEMTEST or PORTQRY. Please help me to verify if this problem is general to the Windows Server 2003 version or if I must do something else. Thanks

67 Views | 0 likes | 1 Comment

Is anyone interested in a utility to remotely bulk set WMI permissions (non-admin)?
Some people don't want to use 'Domain Admin' level credentials or even local admin credentials for Windows monitoring via WMI. I have created a utility in PowerShell that allows you to set these in bulk from a central location without doing all the tedious steps. The relevant help doc is here. Let me know if you're interested. I will send it to you so you can test/use. Click this link to see a demo: https://share.vidyard.com/watch/6Bgp9ksd5aWAN9J93h2d2F

32 Views | 0 likes | 8 Comments

Better Win_WMI_Access_Denied, with error code identification
Win_WMI_Access_Denied - identifies that a probably-Windows device isn't giving up WMI data (auto properties and active discovery).

This scripted alternative version, Win_WMI_Access_Denied_ErrorCodes, parses the error code returned from the Windows devices and converts that to a human-friendly alert message to help identify the likely cause (DCOM permissions, Windows Firewall, etc).

As in Exchange, it has AppliesTo of '!(system.sysinfo) && isDevice()' as the original DataSource has, i.e. only devices that have never returned data. However, you could clone or change the datasource to apply to previously-working devices, all Windows devices, etc, such that if collection fails for any reason, alerts can be triggered.

4CKLN2

30 Views | 0 likes | 1 Comment

Secondary WMI Credentials
Use case: We have parts of the business that have some standalone servers and servers joined to different domains. We create our device groups based on our business services, which means we have business services that are made up of devices that are standalone, and from different domains.

Problem: We have to set the WMI user for these servers independently because one user ID inherited from parent groups won't work in such a scenario.

Enhancement: It would be useful to be able to use a function (in the manner of Applies To) to supply the WMI user value. The function could inspect device properties to determine which WMI user account to use.

22 Views | 0 likes | 0 Comments