6.6.1. Device Preparation for Windows Devices
WMI is used to monitor the Windows event log and state of Windows services. Before you can monitor Windows devices, you must ensure that:
• The Distributed Component Object Model (DCOM) is enabled for WMI connections
• The host name of the system collector does not exceed fifteen characters
Optionally, you can use SNMP Informant™ to collect CPU, memory, and disk I/O statistics. SNMP Informant agents collect information from Windows devices via WMI on the server where they are installed, and then convert system, state, and operational data into SNMP OIDs for broadcast. The system can then process the SNMP OID information and generate events and alerts based on this information. See the section titled Monitoring Windows Performance with SNMP Informant (in this chapter) for more information.
6.6.2. Setting Windows Configuration Properties
You must set the following configuration properties to collect information from Windows servers. In Zenoss Core, navigate to the configuration properties for each device, and then set the appropriate values for:
• zWmiMonitorIgnore - Turns on or off all WMI monitoring. Set the value of Ignore to False to turn on Windows monitoring.
You should set this property at the Server/Windows class level, so that any device placed in this class has Windows monitoring automatically enabled.
Core Monitoring
• zWinUser - Must be set as the local admin. The format for zWinUser is:
  • .\Username - The format to use when the account is a local account.
  • DOMAIN\Username - The format for a Domain account.
• zWinPassword - Enter the password used to remotely log in to the Windows machine.
6.6.3. Testing WMI on a Windows Server
Follow these steps to test the WMI connections on the Windows server:
1. Run wbemtest.
2. Click “Connect…”
3. In the Namespace field, enter:
\\HOST\root\cimv2
4. Enter login information in the User and Password fields.
5. Click Query.
6. Enter “select * from win32_service” to return a dialog with a list of services on the device.
6.6.4. Optional Windows Configuration
The system can gather additional, detailed OS and hardware information from Windows devices if you have these agents installed on your Windows device:
• Dell Open Manage Agent
• HP Insight Management Agent
6.6.5. Modeling Services on Windows Devices
Zenoss Core uses ZenWin to perform Windows Service Monitoring over WMI. ZenWin monitors the up and down availability of Windows services.
The WinServiceMap WMI plugin is included in zCollectorPlugins on the /Server/Windows device class. WinServiceMap retrieves all services that can be monitored on a device, regardless of whether it is up or down.
Windows services are (by default) not monitored. To monitor a specific Windows service, follow these steps:
1. Navigate to Infrastructure > Windows Services.
2. Select the service you want to monitor from the list in the left panel.
3. Select Set Local Value for Enable Monitoring? (zMonitor), and then click Save.
6.6.6. Collecting Windows Event Log Events
The system uses ZenEventLog to collect WMI event log events. Enable the following configuration properties to define how Windows event log events are processed and monitored:
• zWinEventlog - Tells the system whether or not to read the event log.
• zWinEventlogMinSeverity - Sets the minimum severity to collect from the Windows event log. The lowest number indicates the highest severity (1 is the most severe; 5 is least severe).
• zWinEventlogClause - Allows for specific queries, per device, on the Windows event log. These fields in the TargetInstance results entries are available:
  • Category
  • CategoryString
  • ComputerName
  • Data
  • EventCode
  • EventIdentifier
  • EventType
  • InsertionStrings
  • Logfile
  • Message
  • RecordNumber
  • SourceName
  • TimeGenerated
  • TimeWritten
  • Type
  • User
An example zWinEventlogClause that allows for only Application logs to be queried is:
TargetInstance.Logfile = "Application"
For testing, the command line option testClause allows you to override the device properties at the command line. For example, to see all events and ignore the zWinEventlogClause property, use the following:
zeneventlog run -v10 -d deviceName --testClause=''
The query to which the zWinEventlogClause is added starts with this WQL:
SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'
AND TargetInstance.EventType <= zWinEventlogMinSeverity
For example, to select a particular ID at a lower log level:
SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.EventType <= 3
AND (TargetInstance.EventCode = 6005 or TargetInstance.EventType <=2)
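The following is an added example, not part of the Zenoss documentation or code. It composes the full query from zWinEventlogMinSeverity and zWinEventlogClause and checks a clause against the field list above before it is saved on a device. It assumes the clause is appended as AND (clause), as the example above suggests; the function names check_clause and build_query are hypothetical.

```python
import re

# Fields the page lists for TargetInstance; WQL names are case-insensitive.
TARGET_FIELDS = {f.lower() for f in (
    "Category CategoryString ComputerName Data EventCode EventIdentifier "
    "EventType InsertionStrings Logfile Message RecordNumber SourceName "
    "TimeGenerated TimeWritten Type User").split()}

# Base query quoted on the page; {sev} is zWinEventlogMinSeverity.
BASE_WQL = ("SELECT * FROM __InstanceCreationEvent WHERE "
            "TargetInstance ISA 'Win32_NTLogEvent' "
            "AND TargetInstance.EventType <= {sev}")


def check_clause(clause):
    """Return a list of problems found in a zWinEventlogClause value."""
    # Blank out quoted literals so their contents are not parsed as WQL.
    bare = re.sub(r'"[^"]*"|\'[^\']*\'', '""', clause)
    problems = []
    if bare.count('"') % 2 or "'" in bare:
        problems.append("unterminated string literal")
    depth = low = 0
    for ch in bare:
        depth += (ch == "(") - (ch == ")")
        low = min(low, depth)  # negative means ")" closed the wrapper early
    if depth != 0 or low < 0:
        problems.append("unbalanced parentheses")
    for field in re.findall(r"TargetInstance\.(\w+)", bare):
        if field.lower() not in TARGET_FIELDS:
            problems.append("unknown field: " + field)
    return problems


def build_query(min_severity, clause=""):
    """Compose the full WQL; raise ValueError on a bad severity or clause."""
    severity = int(min_severity)
    if not 1 <= severity <= 5:
        raise ValueError("zWinEventlogMinSeverity must be between 1 and 5")
    problems = check_clause(clause)
    if problems:
        raise ValueError("; ".join(problems))
    query = BASE_WQL.format(sev=severity)
    if clause.strip():
        query += " AND (" + clause.strip() + ")"  # assumed composition
    return query


if __name__ == "__main__":
    print(build_query(3, 'TargetInstance.Logfile = "Application"'))
```

The parenthesis check rejects a clause that closes the wrapping group early, which would otherwise change how the clause combines with the severity filter.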
6.6.7. Monitoring Windows Performance with SNMP Informant
Zenoss Core can use information from SNMP Informant to collect SNMP information from Windows devices. Install the free version of SNMP Informant from this location:
http://www.snmp-informant.com
To make sure SNMP Informant is running and set up correctly, run this command to walk the SNMP Informant MIB:
snmpwalk -v1 -c<community> <server> 1.3.6.1.4.1.9600
This command will return some performance information if SNMP Informant is configured and running correctly. Once this is configured properly, the system gathers and uses SNMP information the same as any other device sending SNMP traps.
6.6.8. Running winexe Commands on Windows Servers
You can use winexe commands to run commands on monitored Windows servers from within the system. Usage:
$ZENHOME/bin/winexe [options] //host [command]
Options                                   Use
--uninstall                               Uninstall winexe service after remote execution.
--reinstall                               Reinstall winexe service before remote execution.
--system                                  Use SYSTEM account.
--runas=[DOMAIN\]USERNAME%PASSWORD        Run as user (IMPORTANT! password is sent in cleartext over net).

Help Options                              Use
-?, --help                                Show this help message.
--usage                                   Display brief usage message.

Common samba options                      Use
-d, --debuglevel=DEBUGLEVEL               Set debug level.
--debug-stderr                            Send debug output to STDERR.
-s, --configfile=CONFIGFILE               Use alternative configuration file.
--option=name=value                       Set smb.conf option from command line.
-l, --log-basename=LOGFILEBASE            Basename for log/debug files.
--leak-report                             enable talloc leak reporting on exit.
--leak-report-full                        enable full talloc leak reporting on exit.
-V, --version                             Print version.

Connection Options                        Use
-R, --name-resolve=NAME-RESOLVE-ORDER     Use these name resolution services only.
-O, --socket-options=SOCKETOPTIONS        Socket options to use.
-n, --netbiosname=NETBIOSNAME             Primary netbios name.
-W, --workgroup=WORKGROUP                 Set the workgroup name.
--realm=REALM                             Set the realm name.
-i, --scope=SCOPE                         Use this Netbios scope.
-m, --maxprotocol=MAXPROTOCOL             Set max protocol level.

Authentication Options                    Use
-U, --user=[DOMAIN\]USERNAME[%PASSWORD]   Set the network user name.
-N, --no-pass                             Do not ask for a password.
--password=STRING                         Password
-A, --authentication-file=FILE            Get the credentials from a file.
-S, --signing=on|off|required             Set the client signing state.
-P, --machine-pass                        Use stored machine account password (implies -k).
--simple-bind-dn=STRING                   DN to use for a simple bind.
-k, --kerberos=STRING                     Use Kerberos.
--use-security-mechanisms=STRING          Restricted list of authentication mechanisms available for use with this authentication.