This ZenPack provides support for monitoring Microsoft Windows. Monitoring is performed over Windows Remote Management (WinRM) and Windows Remote Shell (WinRS) to collect Windows Management Instrumentation (WMI) and Perfmon data.
{{note}} This ZenPack supersedes the earlier ZenPack named ''ZenPacks.zenoss.WindowsMonitor'' for Windows platforms that support WinRM. If you have ''ZenPacks.zenoss.WindowsMonitor'' installed on your system, please read the [[#Transitioning from WindowsMonitor]] section below.
__TOC__
== Video ==
{{#widget:YouTube|id=kP28F_aQ77E|width=640|height=360}}
{{#widget:YouTube|id=IIa5uiYaJj4|width=640|height=360}}
== Gallery ==
<gallery widths=250px heights=127px>
windows_device.png
windows_filesystem.png
windows_graphs.png
windows_infrastructure.png
windows_interfaces.png
windows_processors.png
windows_routes.png
windows_services.png
</gallery>
== Features ==
The features added by this ZenPack can be summarized as follows. They are each detailed further below.
* Initial discovery and periodic remodeling of relevant components.
* Performance monitoring.
* Event management.
* Custom commands.
=== Discovery ===
The following components will be automatically discovered through the Windows server address, username and password you provide. The properties and relationships will be periodically updated by modeling.
[[File:windows_device.png|thumb|320px|Device]]
[[File:windows_services.png|thumb|320px|File systems]]
[[File:windows_interfaces.png|thumb|320px|Interfaces]]
;Server (Device)
: Attributes: Name, Contact, Description, Serial Number, Tag, Hardware Model, Physical Memory, Total Virtual Memory, Operating System, Cluster
;Cluster (Device)
: Attributes: Name, Contact, Description, Physical Memory, Total Virtual Memory, Operating System, Member Servers
;Processors
: Attributes: Name, Description, Model, Socket, Cores, Threads, Clock Speed, External Speed, Voltage, L1 Cache Size, L2 Cache Size and Speed, L3 Cache Size and Speed
;Hard Disks
: Attributes: Name, Size, Number of Partitions, Disk Ids, Free Space, Capabilities
: Relationships: File Systems
;File Systems
: Attributes: Mount Point, Status, Storage Device, Type, Block Size, Total Blocks, Total Bytes, Maximum Name Length
: Relationships: Hard Disks
;Interfaces
: Attributes: Name, Description, MAC Address, MTU, Speed, Duplex, Type, Administrative Status, Operational Status, IP Addresses
;Network Routes
: Attributes: Destination, Next Hop, Interface, Protocol, Type
;Process Sets
: Attributes: Name, Recent Matches, Process Class
;Software
: Attributes: Name, Vendor, Installation Date
;Services
: Attributes: Name, Display Name, Start Mode, Account
;Cluster Services
: Attributes: Name, Core Group, Owner Node, State, Description, Priority
: Relationships: Cluster Resources
;Cluster Resources
: Attributes: Name, Owner Node, Description, Owner Group, State
: Relationships: Cluster Service
;Cluster Nodes
: Attributes: Name, Assigned Vote, Current Vote, State
: Relationships: Cluster Disks, Cluster Interfaces
;Cluster Networks
: Attributes: Name, Description, State
;Cluster Disks
: Attributes: Name, Owner Node, Volume Path, Disk Number, Partition Number, Capacity, Free Space, State
: Relationships: Cluster Nodes
;Cluster Interfaces
: Attributes: Name, Owner Node, Network, IP Addresses, Adapter, State
: Relationships: Cluster Nodes
;IIS Sites
: Attributes: Name, Status, App Pool
;SQL Server Instances
: Attributes: Name
: Relationships: SQL Server Databases
;SQL Server Databases
: Attributes: Name, Version, Owner, Last Backup, Last Log Backup, Accessible, Collation, Creation Date, Default File Group, Primary File Path, Recovery Model, Is System Object
: Relationships: SQL Server Instance
;SQL Server Backups
: Attributes: Name, Device Type, Physical Allocation, Status
: Relationships: SQL Server Instance
;SQL Server Jobs
: Attributes: Name, Job ID, Description, Enabled, Date Created, Username
: Relationships: SQL Server Instance
<br clear=all>
=== Performance Monitoring ===
Perfmon counters are collected using the PowerShell Get-Counter cmdlet within a remote shell (WinRS). The following metrics are collected every 5 minutes by default. Any other Windows Perfmon counter can also be collected by adding it to the appropriate monitoring template.
[[File:windows_graphs.png|thumb|320px|Device-level graphs]]
[[File:windows_filesystem.png|thumb|320px|File systems]]
;Device
* \Memory\Available bytes
* \Memory\Committed Bytes
* \Memory\Pages Input/sec
* \Memory\Pages Output/sec
* \Paging File(_Total)\% Usage
* \Processor(_Total)\% Privileged Time
* \Processor(_Total)\% Processor Time
* \Processor(_Total)\% User Time
* \System\System Up Time
;File Systems
* \LogicalDisk(${here/instance_name})\Disk Read Bytes/sec
* \LogicalDisk(${here/instance_name})\% Disk Read Time
* \LogicalDisk(${here/instance_name})\Disk Write Bytes/sec
* \LogicalDisk(${here/instance_name})\% Disk Write Time
* \LogicalDisk(${here/instance_name})\Free Megabytes
;File Systems
* \PhysicalDisk({$here/instance_name})\Disk Read Bytes/sec
* \PhysicalDisk({$here/instance_name})\% Disk Read Time
* \PhysicalDisk({$here/instance_name})\Disk Write Bytes/sec
* \PhysicalDisk({$here/instance_name})\% Disk Write Time
;Interfaces
* \Network Interface(${here/instance_name})\Bytes Received/sec
* \Network Interface(${here/instance_name})\Bytes Sent/sec
* \Network Interface(${here/instance_name})\Packets Received Errors
* \Network Interface(${here/instance_name})\Packets Received/sec
* \Network Interface(${here/instance_name})\Packets Outbound Errors
* \Network Interface(${here/instance_name})\Packets Sent/sec
;Interfaces on Windows 2012
* \Network Adapter(${here/instance_name})\Bytes Received/sec
* \Network Adapter(${here/instance_name})\Bytes Sent/sec
* \Network Adapter(${here/instance_name})\Packets Received Errors
* \Network Adapter(${here/instance_name})\Packets Received/sec
* \Network Adapter(${here/instance_name})\Packets Outbound Errors
* \Network Adapter(${here/instance_name})\Packets Sent/sec
;Active Directory
* \NTDS\DS Client Binds/sec
* \NTDS\DS Directory Reads/sec
* \NTDS\DS Directory Searches/sec
* \NTDS\DS Directory Writes/sec
* \NTDS\DS Monitor List Size
* \NTDS\DS Name Cache hit rate
* \NTDS\DS Notify Queue Size
* \NTDS\DS Search sub-operations/sec
* \NTDS\DS Server Binds/sec
* \NTDS\DS Server Name Translations/sec
* \NTDS\DS Threads in Use
* \NTDS\KDC AS Requests
* \NTDS\KDC TGS Requests
* \NTDS\Kerberos Authentications
* \NTDS\LDAP Active Threads
* \NTDS\LDAP Bind Time
* \NTDS\LDAP Client Sessions
* \NTDS\LDAP Closed Connections/sec
* \NTDS\LDAP New Connections/sec
* \NTDS\LDAP New SSL Connections/sec
* \NTDS\LDAP Searches/sec
* \NTDS\LDAP Successful Binds/sec
* \NTDS\LDAP UDP operations/sec
* \NTDS\LDAP Writes/sec
* \Security System-Wide Statistics\NTLM Authentications
{{note}} The Active Directory monitoring template will only be used when the server has the Primary or Backup Domain Controller role.
;Exchange 2007 & 2010
* \MSExchangeIS Mailbox(_Total)\Folder opens/sec
* \MSExchangeIS Mailbox(_Total)\Local delivery rate
* \MSExchangeIS Mailbox(_Total)\Message Opens/sec
* \MSExchangeIS\RPC Averaged Latency
* \MSExchangeIS\RPC Operations/sec
* \MSExchangeIS\RPC Requests
* \MSExchangeTransport Queues(_Total)\Active Mailbox Delivery Queue Length
* \MSExchangeTransport SmtpSend(_Total)\Messages Sent/sec
;Exchange 2013
* \MSExchangeIS Store(_Total)\Folders opened/sec
* \MSExchangeIS Store(_Total)\Messages Delivered/sec
* \MSExchangeIS Store(_Total)\Messages opened/sec
* \MSExchange Store Interface(_Total)\RPC Latency average (msec)
* \MSExchange Store Interface(_Total)\RPC Requests sent/sec
* \MSExchange Store Interface(_Total)\RPC Requests sent
* \MSExchangeTransport Queues(_Total)\Active Mailbox Delivery Queue Length
* \MSExchange Delivery SmtpSend(_Total)\Messages Sent/sec
{{note}} If monitoring Exchange with a non-administrator user, the user must be a member of the Active Directory group "Exchange View-Only Administrators" for pre-2010 Exchange installations or "View Only Organization Management" for 2010 and later installations.
; IIS
{{note}} IIS Management Scripts and Tools needs to be installed on the server side in order to model and monitor IIS sites. This is done through the Add Roles and Features tool on the Windows Server under Web Server -> Management Tools -> IIS Management Scripts and Tools.
* \Web Service(_Total)\Bytes Received/sec
* \Web Service(_Total)\Bytes Sent/sec
* \Web Service(_Total)\CGI Requests/sec
* \Web Service(_Total)\Connection Attempts/sec
* \Web Service(_Total)\Copy Requests/sec
* \Web Service(_Total)\Delete Requests/sec
* \Web Service(_Total)\Files Received/sec
* \Web Service(_Total)\Files Sent/sec
* \Web Service(_Total)\Get Requests/sec
* \Web Service(_Total)\Head Requests/sec
* \Web Service(_Total)\ISAPI Extension Requests/sec
* \Web Service(_Total)\Lock Requests/sec
* \Web Service(_Total)\Mkcol Requests/sec
* \Web Service(_Total)\Move Requests/sec
* \Web Service(_Total)\Options Requests/sec
* \Web Service(_Total)\Other Request Methods/sec
* \Web Service(_Total)\Post Requests/sec
* \Web Service(_Total)\Propfind Requests/sec
* \Web Service(_Total)\Proppatch Requests/sec
* \Web Service(_Total)\Put Requests/sec
* \Web Service(_Total)\Search Requests/sec
* \Web Service(_Total)\Trace Requests/sec
* \Web Service(_Total)\Unlock Requests/sec
;IIS Sites
* \Web Service(${here/sitename})\Bytes Received/sec
* \Web Service(${here/sitename})\Bytes Sent/sec
* \Web Service(${here/sitename})\CGI Requests/sec
* \Web Service(${here/sitename})\Connection Attempts/sec
* \Web Service(${here/sitename})\Copy Requests/sec
* \Web Service(${here/sitename})\Delete Requests/sec
* \Web Service(${here/sitename})\Files Received/sec
* \Web Service(${here/sitename})\Files Sent/sec
* \Web Service(${here/sitename})\Get Requests/sec
* \Web Service(${here/sitename})\Head Requests/sec
* \Web Service(${here/sitename})\ISAPI Extension Requests/sec
* \Web Service(${here/sitename})\Lock Requests/sec
* \Web Service(${here/sitename})\Mkcol Requests/sec
* \Web Service(${here/sitename})\Move Requests/sec
* \Web Service(${here/sitename})\Options Requests/sec
* \Web Service(${here/sitename})\Other Request Methods/sec
* \Web Service(${here/sitename})\Post Requests/sec
* \Web Service(${here/sitename})\Propfind Requests/sec
* \Web Service(${here/sitename})\Proppatch Requests/sec
* \Web Service(${here/sitename})\Put Requests/sec
* \Web Service(${here/sitename})\Search Requests/sec
* \Web Service(${here/sitename})\Trace Requests/sec
* \Web Service(${here/sitename})\Unlock Requests/sec
{{note}} The IIS monitoring template will only be used when IIS is found during modeling.
{{note}} The IISAdmin service must be running in order to collect IIS data.
The following metrics are collected directly via WMI.
;Processes (Win32_PerfFormattedData_PerfProc_Process)
* PercentProcessorTime
* WorkingSet
* WorkingSetPrivate
<br clear=all>
{{note}} IIS 6 Management compatibility role no longer needs to be installed on the server side in order to use the IIS Sites component.
=== SQL Server ===
The following performance counters are monitored via a PowerShell script, per database:
* \SQLServer:Databases(<dbname>)\Active Transactions
* \SQLServer:Databases(<dbname>)\Backup/Restore Throughput/sec
* \SQLServer:Databases(<dbname>)\Bulk Copy Rows/sec
* \SQLServer:Databases(<dbname>)\Bulk Copy Throughput/sec
* \SQLServer:Databases(<dbname>)\Cache Entries Count
* \SQLServer:Databases(<dbname>)\Cache Entries Pinned Count
* \SQLServer:Databases(<dbname>)\Cache Hit Ratio
* \SQLServer:Databases(<dbname>)\Cache Hit Ratio Base
* \SQLServer:Databases(<dbname>)\DBCC Logical Scan Bytes/sec
* \SQLServer:Databases(<dbname>)\Data File(s) Size (KB)
* \SQLServer:Databases(<dbname>)\Log Bytes Flushed/sec
* \SQLServer:Databases(<dbname>)\Log Cache Hit Ratio
* \SQLServer:Databases(<dbname>)\Log Cache Hit Ratio Base
* \SQLServer:Databases(<dbname>)\Log Cache Reads/sec
* \SQLServer:Databases(<dbname>)\Log File(s) Size (KB)
* \SQLServer:Databases(<dbname>)\Log File(s) Used Size (KB)
* \SQLServer:Databases(<dbname>)\Log Flush Wait Time
* \SQLServer:Databases(<dbname>)\Log Flush Waits/sec
* \SQLServer:Databases(<dbname>)\Log Flushes/sec
* \SQLServer:Databases(<dbname>)\Log Growths
* \SQLServer:Databases(<dbname>)\Log Shrinks
* \SQLServer:Databases(<dbname>)\Log Truncations
* \SQLServer:Databases(<dbname>)\Percent Log Used
* \SQLServer:Databases(<dbname>)\Repl. Pending Xacts
* \SQLServer:Databases(<dbname>)\Repl. Trans. Rate
* \SQLServer:Databases(<dbname>)\Shrink Data Movement Bytes/sec
* \SQLServer:Databases(<dbname>)\Transactions/sec
You can enable/disable any of these or change the cycle time by editing the WinDatabase monitoring template.
Events will be sent depending upon one or more of the following statuses of the database:
* AutoClosed: The database has been automatically closed.
* EmergencyMode: The database is in emergency mode.
* Inaccessible: The database is inaccessible. The server might be switched off or the network connection has been interrupted.
* Normal: The database is available.
* Offline: The database has been taken offline.
* Recovering: The database is going through the recovery process.
* RecoveryPending: The database is waiting to go through the recovery process.
* Restoring: The database is going through the restore process.
* Shutdown: The server on which the database resides has been shut down.
* Standby: The database is in standby mode.
* Suspect: The database has been marked as suspect. You will have to check the data, and the database might have to be restored from a backup.
The severity of the event sent depends on the status:
* 'Normal' sends a Clear event.
* 'EmergencyMode' sends a Critical event.
* 'Inaccessible', 'Suspect' and 'Shutdown' send Error events.
* 'RecoveryPending', 'Restoring', 'Recovering', 'Standby', 'AutoClosed' and 'Offline' send Warning events.
The status can combine several of the items above. For example, taking a database offline sets the status to 'Offline, AutoClosed'.
The WinDBInstance monitoring template will monitor the status of a SQL Server instance to inform the user if it is up or down.
The WinSQLJob monitoring template will monitor the status of a job on a SQL Server instance to inform the user if it has succeeded, failed, unknown, or other state.
=== Thresholds ===
The following thresholds are set by default on the device monitoring template and will trigger an alert when they are reached:
* CPU Utilization - 90% used
* Paging File Usage - 95% used
* Memory - 90% of total memory used
=== Event Management ===
Events can be collected from the Windows event log using a WinRM subscription. Events collected through this mechanism are timestamped with the time they occurred in the Windows event log, not the time at which they were collected.
To monitor event log events, add a datasource of type "Windows EventLog" to a monitoring template. In the Event Log field enter the name of the event log you are interested in (e.g. "System"), and in the Event Query field enter the filter for events. The filter can be either a PowerShell Where-Object script block or the XPath XML taken from a Windows Event Viewer Custom View.
The default Get-WinEvent XML filter returns all events from the last polling cycle. This list can be narrowed to specific Ids, severities, or specific words in the message using PowerShell.
* To target all events with a Warning or higher severity:
[[File:CustomViewOptions.png|thumb|250px|CustomViewOptions]]
For servers with pre-3.5 .NET installed: <code>{ $$_.EntryType -le [System.Diagnostics.EventLogEntryType]::Warning}</code>
<code>$$_</code> is the event object, an instance of the EventLogEntry class. <code>EntryType</code> is the attribute that determines severity and can contain one of the following values: <code>Error</code>, <code>Warning</code>, <code>Information</code>, <code>SuccessAudit</code> or <code>FailureAudit</code>. It also has attributes such as <code>Message</code>, <code>MachineName</code>, <code>TimeGenerated</code> and <code>Source</code>. The full list can be found at http://msdn.microsoft.com/en-us/library/vstudio/system.diagnostics.eventlogentry .
Note: This query tests for "less than or equal," although we are looking for events of "greater than or equal" severity. This is because EntryType is an enumeration whose integer values map to 1 = Error, 2 = Warning, etc., so lower numbers indicate higher severity.
For servers with .NET 3.5 & Later:
<code>{ $$_.Level -le [System.Diagnostics.Eventing.Reader.StandardEventLevel]::Warning}</code>
Or to look for a specific event id:
<code>{ $$_.Id -eq 4001}</code>
<code>$$_</code> is the event object of EventLogRecord class. <code>Level</code> is the severity of the event. <code>Id</code> is the property to compare for specific event ids. You can find the full listing of properties at https://technet.microsoft.com/en-us/library/Hh849682.aspx.
Note: This query tests for "less than or equal," although we are looking for events of "greater than or equal" severity. This is because Level is an enumeration whose integer values map to 1 = Critical, 2 = Error, 3 = Warning, etc., so lower numbers indicate higher severity. The LogAlways event level evaluates to 0, which is less than a Warning. These events are typically Informational and will be returned by the sample PowerShell query above. To work around this, add <code> -and $$_.Level -gt [System.Diagnostics.Eventing.Reader.StandardEventLevel]::LogAlways</code> to your query or use the XML option.
[[File:CustomViewXML.png|thumb|250px|CustomViewXML]]
The full list of event levels can be found at http://msdn.microsoft.com/en-us/library/system.diagnostics.eventing.reader.standardeventlevel%28v=vs.110%29.aspx
For more information about the System.Diagnostics.Eventing.Reader class, you could read http://msdn.microsoft.com/en-us/library/system.diagnostics.eventing.reader(v=vs.110).aspx
And to know more about writing PowerShell conditions, you could read http://www.powershellpro.com/powershell-tutorial-introduction/powershell-tutorial-conditional-logic/
* To use the xml query from a custom view in Windows Event Viewer, simply copy the xml and paste into the Event Query field of the event data source. Because we use a polling cycle to query the event log, any TimeCreated filter will be replaced by us to avoid duplicate events.
For example, a custom view that searches for events in the last hour, with severity of Warning or Critical, and Ids of 104, 110-115, 155 will result in the following XPath query:
[[File:EventDatasourceXML.PNG|thumb|250px|EventDatasourceXML]]
<nowiki>
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=3) and (EventID=104 or (EventID >= 110 and EventID <= 115) or EventID=155) and TimeCreated[timediff(@SystemTime) <= 3600000]]]</Select>
  </Query>
</QueryList>
</nowiki>
Simply copy this and paste into the eventlog datasource Event Query field and save. We will convert the TimeCreated query and the following filter will be used:
<nowiki>
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=3) and (EventID=104 or (EventID >= 110 and EventID <= 115) or EventID=155) and TimeCreated[timediff(@SystemTime) <= {time}]]]</Select>
  </Query>
</QueryList>
</nowiki>
'{time}' will be replaced by the number of milliseconds since the last query.
{{note}} The script to search for events and return relevant data is approximately 3700 characters. Due to the Windows 8192 character limit on the shell, any XML or PowerShell queries will need to be less than 4400 characters.
{{note}} The query for servers with .NET 3.5 and later uses the Get-WinEvent PowerShell cmdlet. If your server does not have one of these later versions, we will revert to using the Get-EventLog cmdlet. It is recommended, but not required, to install .NET version 3.5 SP1 or higher. If you have a mix of these servers using the same Event Log Data Source, you can mix and match the differing PowerShell queries, e.g. <code>{ $$_.Id -eq 4001 -or $$_.EventId -eq 4001 }</code>
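The following Python is an added illustration of the event-query behaviour documented above (severity inversion, the LogAlways gotcha, the TimeCreated rewrite and the 4400-character limit); it is not the ZenPack's own code. The event records and the <code>SAMPLE_XPATH</code> are constructed from the page's own example values.

```python
import re
from collections import namedtuple
from enum import IntEnum


class StandardEventLevel(IntEnum):
    """Integer values of System.Diagnostics.Eventing.Reader.StandardEventLevel.

    Lower numbers mean higher severity, which is why the page's filters
    compare with -le ("less than or equal") to get Warning *or worse*.
    """
    LogAlways = 0
    Critical = 1
    Error = 2
    Warning = 3
    Informational = 4
    Verbose = 5


# Stand-in for an EventLogRecord: only the properties the page's filters use.
Event = namedtuple("Event", "level id message")

# Constructed sample records; not output from a real server.
SAMPLE_EVENTS = [
    Event(StandardEventLevel.Critical, 104, "Log file cleared"),
    Event(StandardEventLevel.Error, 110, "Service failed to start"),
    Event(StandardEventLevel.Warning, 4001, "Disk space low"),
    Event(StandardEventLevel.Informational, 155, "Scheduled task finished"),
    Event(StandardEventLevel.LogAlways, 1, "Heartbeat"),
]


def naive_warning_or_higher(events):
    """Mirror of { $$_.Level -le [...StandardEventLevel]::Warning }.

    Selects Critical, Error and Warning, but LogAlways (0) also satisfies
    0 <= 3, so such events slip through exactly as the note above warns.
    """
    return [e for e in events if e.level <= StandardEventLevel.Warning]


def warning_or_higher(events):
    """Same filter with the documented fix appended:
    -and $$_.Level -gt [...StandardEventLevel]::LogAlways."""
    return [e for e in events
            if StandardEventLevel.LogAlways < e.level <= StandardEventLevel.Warning]


def with_event_id(events, event_id):
    """Mirror of { $$_.Id -eq 4001 }."""
    return [e for e in events if e.id == event_id]


# XPath produced by the Custom View described above (Application log,
# Level 1 or 3, Ids 104, 110-115, 155, last hour), flattened to one string.
SAMPLE_XPATH = (
    '<QueryList><Query Id="0" Path="Application"><Select Path="Application">'
    "*[System[(Level=1 or Level=3) and (EventID=104 or (EventID >= 110 and "
    "EventID <= 115) or EventID=155) and "
    "TimeCreated[timediff(@SystemTime) <= 3600000]]]"
    "</Select></Query></QueryList>"
)

# A fixed TimeCreated window pasted from Event Viewer would report the same
# events on every polling cycle, so it is swapped for a placeholder.
_TIME_CREATED = re.compile(r"TimeCreated\[timediff\(@SystemTime\)\s*<=\s*\d+\]")
TIME_PLACEHOLDER = "TimeCreated[timediff(@SystemTime) <= {time}]"


def normalise_time_created(xpath):
    """Replace any copied TimeCreated window with the {time} placeholder."""
    return _TIME_CREATED.sub(TIME_PLACEHOLDER, xpath)


def bind_polling_window(xpath, elapsed_ms):
    """Fill {time} with the milliseconds elapsed since the last query."""
    return normalise_time_created(xpath).replace("{time}", str(int(elapsed_ms)))


# Limit stated in the note above: the collection script itself uses roughly
# 3700 of the 8192 characters the Windows shell allows.
MAX_QUERY_CHARS = 4400


def query_fits(query):
    """True when a PowerShell or XML query stays within the documented limit."""
    return len(query) <= MAX_QUERY_CHARS
```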
To change the severity of IIS Site status events, follow these steps:
# Go to IIS Site events, and click on the '/Status' event class.
# Find the 'EventClass Mappings' section and click on the 'IISSiteStatus' link.
# Click the ''Edit'' button.
# In the 'Transform' section, add "<code>evt.severity = NUM</code>" at the bottom, where NUM is one of (0: Clear, 1: Debug, 2: Info, 3: Warning, 4: Error, 5: Critical).
# Click the ''Save'' button.
=== Custom Commands ===
You can use the custom command datasource in the Windows ZenPack to create custom data points, graphs and thresholds.
* Use either DOS shell commands or a PowerShell script
** Use any valid Windows executable or PowerShell cmdlet
** Separate PowerShell commands with ';'. Always end the script with ';'
** For TALES evaluation, surround the expression with single quotes, e.g. '${here/id}'
** For PowerShell variables, use two '$' characters, e.g. $$myvar = 10
** There is a character limit of 8192 imposed by Microsoft. The Zenoss header is ~450 characters, so you have about 7500 characters for your script.
* Use a standard parser to parse the output or create your own
** Nagios - output has the form <code><nowiki><key>=<value></nowiki></code>
** JSON - the script must put its data into JSON format
** Auto - saves a returned value into a data point
** Create a custom parser in $ZENOSS_HOME/Products/ZenRRD/parsers/
* Viewing script output
** Create datapoint(s) to collect the data for graphing
** Create a custom parser to send an event or transform the data
==== Example usage ====
;Script with TALES expression
# Select a windows target device
# Navigate to Device (/Server/Microsoft)
# On the right side panel, click '+' to add a 'Windows Shell' datasource
# Provide name (eg. custom) and type (Windows Shell) for the datasource
# View Edit and Details
# Set strategy to custom command
# Set parser to Nagios
# Uncheck Use Powershell
# Set the script to <code>echo 'OK^|value1=${here/zWinPerfmonInterval}'</code>
# Add data point to data source called value1 which can be graphed
;Using a custom parser
Log on to the Zenoss server, create a Python file called test1.py in /opt/zenoss/Products/ZenRRD/parsers and restart Zenoss.
The content of test1.py:
<nowiki>
from Products.ZenRRD.CommandParser import CommandParser


class test1(CommandParser):
    """Minimal custom parser: raises one event per collection run."""

    def processResults(self, cmd, result):
        # cmd is the executed datasource command; result collects the
        # values and events this parser produces.
        result.events.append({
            'summary': 'test1 parser event',
            'severity': 5,  # 5 = Critical
            'test1.detail': cmd.deviceConfig.name,
        })
</nowiki>
# Select a windows target device
# Navigate to Device (/Server/Microsoft)
# On the right side panel, click '+' to add a 'Windows Shell' datasource
# Provide name (eg. custom) and type (Windows Shell) for the datasource
# View Edit and Details : strategy ->custom command and parser is test1
# Run zenpython to collect the data: <code><nowiki>zenpython run -v10 -d <devicename></nowiki></code>
# Check events after 5 minutes for the test1 event
;Powershell Scripting using Auto parser
# Select a windows target device
# Navigate to Device (/Server/Microsoft)
# On the right side panel, click '+' to add a 'Windows Shell' datasource
# Provide name (eg. custom) and type (Windows Shell) for the datasource
# View Edit and Details : strategy ->custom command, parser is Auto, and tick the Use Powershell box
# Enter script. Be sure to use a double dollar sign, '$$', in order to distinguish any powershell specific variables from a TALES expression.
# Add a datapoint to collect the return value from the script which you can then graph
=== Configuring Service Monitoring ===
There are multiple ways to configure Windows service monitoring, depending on whether you want to configure a single service on a single server, a specific service across all Windows servers, all 'Auto' start services, or somewhere in between.
[[File:winservice.png|thumb|320px|WinService]]
==== Options ====
* Name - Enter a name for the data source
* Enabled - Enable or disable the data source
* Severity - Choose the severity of the alert
* Cycle Time - Frequency of how often the datasource will query service status
* Update services immediately - Changes will be picked up during modeling. To have changes take effect immediately, check this box to start a job to index all services on all devices. This job could take several minutes to complete as it will update every service component on every Windows device in the system.
* Service Options - Select the start type(s) to monitor. Add any services to include/exclude using a regex
* Service Status - Choose to be alerted if a service is either not Running, not Stopped, not Paused, not Running or Paused, or not Stopped or Paused.
See the following examples:
;Manually enable or disable monitoring for a single service on a single server.
# Navigate to the service on the server.
# Click to select it.
# Select ''Details'' in the lower component pane.
# Choose the Fail Severity.
# Choose ''Monitoring'' from the gear menu.
# Choose Yes or No depending on what you want.
{{note}} Once monitoring has been enabled or disabled for a service, no monitoring template will apply. To reset this option for a service, uncheck the 'Manually Selected Monitor State' box in the Details of the service and save the change. This check box does not enable or disable monitoring for the service component.
;Enable monitoring by default for the WinRM service wherever it is enabled.
Option 1
# Navigate to Advanced -> Monitoring Templates.
# Verify the list of templates is grouped by template.
# Expand the ''WinService'' tree.
# Click once to select the ''/Server/Microsoft'' copy.
# Choose ''Copy / Override Template'' from the Template gear menu at the bottom left of the page.
# Select ''/Server/Microsoft (Create Copy)'' from the target list then click submit.
# Expand the resulting ''copy_of_WinService'' tree.
# Select the ''/Server/Microsoft'' copy.
# Choose ''View and Edit Details'' from the Template gear menu at the bottom left of the page.
# Change the template's name to ''WinRM''.
# Edit the datasource and optionally select the ''Update services immediately'' option.
# Tick the ''Auto'' checkbox under ''Service Options'' and click save.
Option 2
# Navigate to Infrastructure -> Windows Services
# Locate the WinRM service
# Select the start modes desired for this service
# Enable monitoring by setting a Local Value
# Optionally select a Local Failure Severity
# Save
{{note}} Setting a service to be monitored in this fashion will enable monitoring for the service regardless of device class.
;Enable/Disable monitoring by default for the WinRM service for a select group of servers.
# Create a new device class somewhere under ''/Server/Microsoft/Windows'' for the select group of servers.
# Move the servers to the new device class.
# Follow steps 1-5 from the previous section to create a copy of the WinService template.
# Choose your new device class as the target then click submit.
# Expand the ''WinService'' tree then select the copy in your device class.
# Choose ''View and Edit Details'' from the gear menu at the bottom left of the page.
# Change the template's name to ''WinRM'' then click submit.
# Double-click to edit the ''DefaultService'' datasource.
# Optionally select the ''Update services immediately'' option. This will start a background job that could take several minutes to complete for a large number of Windows devices.
# Tick/Untick the ''Auto'' checkbox under ''Service Options'' and click save.
;Enable monitoring of all services with a start mode of 'Auto'.
# Navigate to Advanced -> Monitoring Templates.
# Verify the list of templates is grouped by template.
# Expand the ''WinService'' tree.
# Select ''/Server/Microsoft''.
# In the Data Sources pane, click the + button to add a new data source, give it a name, and choose Windows Service as the type.
# Choose ''View and Edit Details'' from the Data Sources gear menu.
# Optionally select the ''Update services immediately'' option. This will start a background job that could take several minutes to complete for a large number of Windows devices.
# Tick the ''Auto'' checkbox under ''Service Options'' and click save.
;Create an organizer to monitor auto start SQL Server services.
# Navigate to Advanced -> Monitoring Templates.
# Verify the list of templates is grouped by template.
# Expand the ''WinService'' tree.
# Select ''/Server/Microsoft''.
# In the Data Sources pane, click the + button to add a new data source, give it a name such as MSSQLSERVER, and choose Windows Service as the type.
# Choose ''View and Edit Details'' from the Data Sources gear menu.
# Optionally select the ''Update services immediately'' option. This will start a background job that could take several minutes to complete for a large number of Windows devices.
# Tick the ''Auto'' checkbox under ''Service Options''.
# Enter ''+MSSQLSERVER.*'' into the "Inclusions(+)/Exclusions(-)" text box and click save.
The order of precedence for monitoring a service is:
# User manually sets monitoring
# 'DefaultService' datasource from the WinService template associated with the service
# Datasource other than the DefaultService in the WinService template associated with the service
# Monitoring is enabled via the Infrastructure -> Windows Services page
{| class="wikitable"
|+ <span class="tablecap">Windows Service Startmodes (Template vs Windows Services)</span>
!width="33%"|Startmodes
!width="33%"|Template includes Service startmode
!width="33%"|Template excludes Service startmode
|-
|Windows Service Class includes Service startmode
|monitored
|monitored
|-
|Windows Service Class excludes Service startmode
|monitored
|NOT monitored
|}
{{note}} The Windows Service Template (default WinService) must have at least one datasource enabled for monitoring to function.
You can optionally include or exclude specific services when selecting the ''Auto'', ''Manual'', and/or ''Disabled'' start mode(s) by entering a comma-separated list of services. Entries can be service names or valid regular expressions, and are case insensitive. To exclude services, prefix the name or regular expression with '-'; to include services, prefix it with '+'. Exclusions take precedence over inclusions, but they must be placed before the wildcard ''+.*'' inclusion.
{{note}} To enable monitoring by default of a service or services, you must choose a start mode by ticking the appropriate box. Unticking all three boxes disables monitoring by default.
{{note}} If you choose to update services immediately when saving changes to a service template, a job is created to index all services on all devices. These changes may take several minutes to propagate to all of your devices, depending upon the size of your organization. Updating immediately is not recommended if you are making several changes in a short period of time; updates are applied automatically at the time of the next model.
{{note}} The Windows Service datasource no longer depends on the 'DefaultService' data source name. User defined datasources are now honored.
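As an added illustration (not the ZenPack's own code) of the rules above, the following Python models a Windows Service datasource's start modes and its "Inclusions(+)/Exclusions(-)" list, the start-mode table and the order of precedence, and runs them against a constructed service inventory. Two points are assumptions rather than statements from the page: the +/- entries are evaluated in listed order with the first match deciding (which is what makes "exclusions before ''+.*''" matter), and an entry must match the whole service name.

```python
import re

# Constructed inventory of Windows services: (service name, start mode).
SERVICES = [
    ("WinRM", "Auto"),
    ("MSSQLSERVER", "Auto"),
    ("MSSQLSERVEROLAPService", "Auto"),
    ("SQLWriter", "Manual"),
    ("Spooler", "Auto"),
    ("RemoteRegistry", "Disabled"),
]


def parse_filter(text):
    """Parse the 'Inclusions(+)/Exclusions(-)' box: a comma-separated list of
    service names or regular expressions, each prefixed with '+' or '-'."""
    rules = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue
        if item[0] not in "+-":
            raise ValueError("entry must start with '+' or '-': %r" % item)
        # Names and expressions are case insensitive.
        rules.append((item[0] == "+", re.compile(item[1:], re.IGNORECASE)))
    return rules


def name_passes(name, rules):
    """The first rule matching the name, in listed order, decides (assumption:
    this ordered evaluation is why exclusions must precede the '+.*' wildcard).
    Assumption: a rule must match the whole name, so a bare name matches only
    that service.  No rules at all means no filter."""
    if not rules:
        return True
    for include, regex in rules:
        if regex.fullmatch(name):
            return include
    return False


def datasource_monitors(service, datasource):
    """A Windows Service datasource monitors a service when the datasource is
    enabled, the service's start mode is ticked and the name passes the filter."""
    name, mode = service
    if not datasource.get("enabled", True):
        return False
    return mode in datasource["start_modes"] and name_passes(name, datasource["rules"])


def template_monitors(service, template):
    """The WinService template includes a service if any of its datasources does
    (DefaultService or a user-defined one; both are honored)."""
    return any(datasource_monitors(service, ds) for ds in template)


def effective_monitoring(service, template, class_modes=frozenset(), manual=None):
    """Combine the sources in the page's order of precedence: a manual setting
    wins; otherwise, per the start-mode table, the service is monitored if the
    template or the Windows Service class (the Local Value set on the
    Infrastructure -> Windows Services page, modelled here as the start modes
    enabled for the service's class) includes its start mode.  Per the note,
    a template with no enabled datasource monitors nothing."""
    if not any(ds.get("enabled", True) for ds in template):
        return False
    if manual is not None:
        return manual
    return template_monitors(service, template) or service[1] in class_modes


def monitored_names(services, template, **kwargs):
    """Sorted names of the services that end up monitored."""
    return sorted(name for name, mode in services
                  if effective_monitoring((name, mode), template, **kwargs))


# A 'DefaultService' datasource: Auto services, with the print spooler
# excluded ahead of the wildcard so that the exclusion wins.
DEFAULT_TEMPLATE = [
    {"name": "DefaultService", "start_modes": {"Auto"},
     "rules": parse_filter("-Spooler, +.*")},
]
# The 'auto start SQL Server services' organizer from the steps above.
SQL_TEMPLATE = [
    {"name": "MSSQLSERVER", "start_modes": {"Auto"},
     "rules": parse_filter("+MSSQLSERVER.*")},
]

if __name__ == "__main__":
    print("DefaultService:", monitored_names(SERVICES, DEFAULT_TEMPLATE))
    print("SQL organizer:", monitored_names(SERVICES, SQL_TEMPLATE))
    # Same entries, wrong order: '+.*' is reached first, so Spooler is monitored.
    wrong = [dict(DEFAULT_TEMPLATE[0], rules=parse_filter("+.*, -Spooler"))]
    print("wildcard first:", monitored_names(SERVICES, wrong))
```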
=== DCDiag ===
Beginning with version 2.4.0, you can now monitor the output of DCDiag. By default all dcdiag tests are enabled in the Active Directory monitoring template. If a test fails an error event is issued. You can also add other tests, such as DNS, and supply specific test parameters.
See https://technet.microsoft.com/en-us/library/cc731968.aspx for more information on DCDiag.
{{note}} DCDiag must be run as a user with Administrator permissions. If you will be monitoring a Domain Controller with a non-administrator user, you should disable these tests.
=== PortCheck ===
Beginning with version 2.4.0, you can now monitor specific ports in the Windows Zenpack. By default, the ZenPack will monitor ports 9389, 3268, 3269, 88, 464, 389, 636, 445, 135, and 3389, as part of the Active Directory monitoring template.
You can add and remove any port you wish to be monitored by editing the PortCheck datasource in the Active Directory monitoring template.
To monitor ports on a Windows server that is not a domain controller, simply create a new datasource and choose Windows PortCheck as the type. Then add the ports you wish to monitor with a short description of each.
See https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx for more information on Active Directory port usage.
=== WinRM Ping ===
WinRM Ping is a simple datasource that will attempt to retrieve basic data over winrm. If the device cannot return a simple query, then Zenoss will view this device as being down. An event will appear in the /Status/Winrm/Ping event class with any resulting error message. This is a more comprehensive test than using a ping. A simple ping test could easily result in a false positive in many scenarios. The following are just a few:
* A target's IP has been reassigned to a non-Windows device between models.
* The winrm service has stopped and cannot be restarted.
* The monitoring user account password has expired.
This datasource is not enabled by default.
== Requirements ==
This ZenPack has the following requirements.
;[[ZenPack:PythonCollector|PythonCollector ZenPack]]
: This ZenPack depends on [[ZenPack:PythonCollector|PythonCollector]] being installed, and having the associated ''zenpython'' collector process running.
;[[ZenPack:ZenPackLib|ZenPackLib ZenPack]]
: This ZenPack depends on [[ZenPack:ZenPackLib|ZenPackLib]] being installed.
;System Kerberos RPM
: The operating system's kerberos RPM must be installed. See the [[#Installing_Kerberos_Dependency]] section for details.
{{note}} During ZenPack installation, a job to reindex Windows Services may start. It is recommended to either stop zenjobs before installing or to wait until the job finishes before restarting Zenoss. If you restart before the job finishes, you may need to Abort and/or Delete the job after the restart.
=== Installing Kerberos Dependency ===
To use kerberos authentication the operating system's kerberos package must be installed on all Zenoss servers. On Enterprise Linux (Red Hat and CentOS) this is the ''krb5-workstation'' RPM and can typically be installed by running the following command as the ''root'' user.
<console>
yum -y install krb5-workstation
</console>
== Usage ==
=== Monitoring User Account ===
A monitoring user account must be either an Administrator or a least privileged user.
The Least Privileged User requires the following privileges and permissions:
* Enable, Method Execute, Read Security, Remote Access to the following WMI namespaces
** "Root"
** "Root/CIMv2"
** "Root/DEFAULT"
** "Root/RSOP"
** "Root/RSOP/Computer"
** "Root/WMI"
** "Root/CIMv2/Security/MicrosoftTpm"
* If IIS is installed, one of the following namespaces, depending upon the IIS version:
** "Root/Webadministration"
** "Root/microsoftiisv2"
* Permission to use the winrm service
* ReadPermissions, ReadKey, EnumerateSubKeys, QueryValues rights to the following registry keys
** "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib",
** "HKLM:\system\currentcontrolset\control\securepipeservers\winreg",
** "HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}",
** "HKLM:\SYSTEM\CurrentControlSet\Services\Blfp\Parameters\Adapters",
** "HKLM:\Software\Wow6432Node\Microsoft\Microsoft SQL Server",
** "HKLM:\Software\Microsoft\Microsoft SQL Server"
* Membership in the following local groups or domain level groups for a Domain Controller
** "Performance Monitor Users",
** "Performance Log Users",
** "Event Log Readers",
** "Distributed COM Users",
** "WinRMRemoteWMIUsers__"
* "Read Folder" access to "C:\Windows\system32\inetsrv\config" if it exists
* Each service needs the following permissions
** SERVICE_QUERY_CONFIG
** SERVICE_QUERY_STATUS
** SERVICE_INTERROGATE
** READ_CONTROL
** SERVICE_START
{{note}} An Administrator level user can be denied local logon and remote desktop access through a group policy object.
=== Port Requirements ===
The ZenPack communicates with a Windows device over port 5985 for HTTP or 5986 for HTTPS requests. The compatibility ports 80 and 443 are also acceptable.
For domain authentication, Kerberos communicates on port 88 of the KDC and on port 749 of the Admin Server.
{{note}} If using the compatibility ports of 80 or 443, you must create the appropriate listener in your server's WinRM configuration.
=== Adding a Windows Device ===
Use the following steps to start monitoring a Windows server using local authentication in the Zenoss web interface.
# Navigate to the Infrastructure page.
# Select the Server/Microsoft/Windows device class.
#* The Windows server must be added to this class or to a child of this class.
# Click Details and set the configuration properties for zWinRMUser and zWinRMPassword.
# Click See All.
# Choose ''Add Single Device'' from the add device button.
# Fill out the form.
#* ''Name or IP'' must be resolvable and accessible from the collector server chosen in the ''Collector'' field.
# Click ''ADD''.
----
Alternatively you can use zenbatchload to add Windows servers from the command line. To do this, you must create a text file with hostname, username and password of all the servers you want to add. Multiple endpoints can be added under the same ''/Devices/Server/Microsoft/Windows'' section. Here is an example...
<syntaxhighlight lang="text">
/Devices/Server/Microsoft/Windows
win2008-1d.example.com zWinRMUser="Administrator", zWinRMPassword="password"
Win2012-1d.example.com zWinRMUser="Administrator", zWinRMPassword="password"
</syntaxhighlight>
You can then load the Windows servers into Zenoss Core or Resource Manager as devices with the following command.
<syntaxhighlight lang="bash">
zenbatchload <filename>
</syntaxhighlight>
=== Configuration Options ===
The [[#Adding a Windows Device]] steps shown above are for the simplest case of using Windows local authentication. The following configuration properties can be used to support monitoring other environments.
;zWinRMUser
: The syntax used for zWinRMUser controls whether Zenoss will attempt Windows local authentication or domain (kerberos) authentication. If the value of zWinRMUser is ''username'', local Windows authentication will be used. If zWinRMUser is ''[email protected]'', domain authentication will be used. The zWinKDC and potentially the zWinRMServerName properties become important.
;zWinRMPassword
: Password for user defined by ''zWinRMUser''.
;zWinKDC
: The zWinKDC property must be set if domain authentication is used. It must be the IP address or resolvable name of a valid Windows domain controller. To use multiple KDCs, you can enter a comma separated list of valid addresses or supply different KDCs across different Device Classes. See the Kerberos Tickets section for more information.
;zWinTrustedRealm
: Enter the name of the domain which is trusted by the user's domain. This can be a child or other domain which has a trust relationship with the user's domain. For example, if zWinRMUser is ''[email protected]'', and austin.example.com is a child of the example domain, enter ''austin.example.com'' into zWinTrustedRealm.
;zWinTrustedKDC
: This property must be set if zWinTrustedRealm is set. It must be the IP address or resolvable name of a valid Windows domain controller for the trusted realm.
;zWinRMServerName
: This property should only be used in conjunction with domain authentication when the DNS PTR record for a monitored server's managed IP address does not resolve to the name by which the server is known in Active Directory. For example, if myserver1 is known as myserver1.ad.example.com by Active Directory and is being managed by IP address 192.51.100.21, but 192.51.100.21 resolves to www.example.com, you will have to set zWinRMServerName to ''myserver1.ad.example.com'' for domain authentication to work.
: If many Windows servers in your environment don't have DNS PTR records that match Active Directory, it is recommended that you set the name of the Zenoss device to the fully-qualified Active Directory name and set zWinRMServerName to ''${here/titleOrId}'' at the /Server/Microsoft/Windows device class. This avoids the necessity of setting zWinRMServerName on every device.
: If the server name cannot be resolved and you are using domain authentication, it is recommended that you set the Id of the device to the IP address and the Title to the server name it is known by in Active Directory. Then use ''${here/title}'' for zWinRMServerName. This situation can occur when no DNS server is available. Kerberos always performs a reverse lookup when obtaining a ticket to use a service on a computer. If your servers are known by multiple names, the reverse lookup may return the wrong name and you will see "Server not found in kerberos database" errors. See the troubleshooting section on this topic for a solution.
;zWinScheme
: This must be set to either ''http'' or ''https''. The default is ''http''.
;zWinUseWsmanSPN
: If the HTTP/HTTPS service principals are exclusively in use for a particular service account, such as on an IIS server, set this option to true to use the WSMAN service principal name. You can use this option for all domain joined Windows Servers that are using a domain monitoring account.
{{note}} A domain controller may need "Validated write to service principal name" permission for the NETWORK SERVICE account in order for the WSMAN service principal name to be used.
;zWinRMPort
: The port on which the Windows server is listening for ''WinRM'' or ''WS-Management'' connections. The default is ''5985''. It is uncommon for this to be configured as anything else.
;zWinPerfmonInterval
: The default interval in seconds at which ''Windows Perfmon'' datapoints will be collected. The default is ''300'' seconds or 5 minutes. It is also possible to override the collection interval for individual counters.
;zWinKeyTabFilePath
: This property is currently unused; it is reserved for future use when keytab files are supported.
;zDBInstances
: This setting is only relevant when the ''zenoss.winrm.WinMSSQL'' modeler plugin is enabled. Multiple instances can be specified to monitor multiple SQL Server instances per server using different credentials. The default instance is ''MSSQLSERVER''. Fill in the user and password to use SQL authentication. Leave the user and password blank to use Windows authentication. The default ''MSSQLSERVER'' credentials will be used for all instances not specified.
;zWinRMEnvelopeSize
: This property is used when the winrm configuration setting for MaxEnvelopeSizekb exceeds the default of 512k. Some WMI queries return large amounts of data and this envelope size may need to be enlarged. A possible symptom of this is seeing an xml parsing error during collection.
;zWinRMLocale
: The locale to use for communicating with a Windows server. The default is ''en-US''. This property is reserved for future use.
;zWinRSCodePage
: The code page which is in use on the Windows Server for the monitoring user account. The default is to use 65001, the identifier for unicode. The full list is here: https://msdn.microsoft.com/en-us/library/windows/desktop/dd317756(v=vs.85).aspx. To determine the code page in use on a Windows server, run <code>chcp</code> at a command prompt.
;zWinRMKrb5includedir
: Optional directory which contains one or more kerberos configuration files. This is useful when extra kerberos options are needed, such as disabling reverse dns lookup. See http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html for a description of ''includedir'' and krb5.conf options available. The directory must exist and contain only kerberos configuration files. If the directory contains non-kerberos configuration files, it will be ignored.
{{note}} The HyperV and MicrosoftWindows ZenPacks share the krb5.conf file as well as the tools for sending and receiving data. Therefore, if either a HyperV or a Windows device has a correct zWinKDC setting, it will be used for the other device as well.
;zWinUseLegacyRRDPath
: Whether to use the older directory structure to manage RRD files. Set this to True if upgrading directly from 2.5.x of this ZenPack on Zenoss versions earlier than 5.x. This setting has no effect on Zenoss versions 5.x and above.
{{note}} The migration to ZenPackLib in version 2.6 of this ZenPack introduced an issue leading to apparent data loss in RRD graphs for filesystems, interfaces, and other components. Since ZenPackLib uses a different directory hierarchy for RRD storage, component graphs became empty after upgrade (because the file paths changed). This setting mitigates that issue for users upgrading directly from 2.5.x versions of this ZenPack. An attempt is made during ZenPack installation to choose the correct value.
<br clear=all>
=== Configuring MSSQL Server Modeling/Monitoring ===
; Supported SQL Server versions:
: SQL Server 2005
: SQL Server 2008
: SQL Server 2008 R2
: SQL Server 2012
: SQL Server 2014
: SQL Server 2016
; Support for SQL Server and Windows Authentication:
* Windows Authentication: In the ''zDBInstances'' property specify only the SQL instance names; leave the user and password fields blank.
* SQL Server Authentication: In ''zDBInstances'' property provide user name and password for each SQL instance.
* Specifying authentication per instance is no longer required with version 2.4.2 and above. We will use the credentials specified for the MSSQLSERVER instance by default.
Use the following steps to configure SQL Server Authentication on your SQL Server:
# Connect to SQL Instance using MSSQL Management Studio.
# Select instance ''Properties'' > ''Security'' and make sure that ''SQL Server and Windows Authentication mode'' is enabled.
# Open ''Security'' > ''Logins'', select the user you specified in ''zDBInstances'' property or the ''zWinRMUser'' property if using Windows Authentication.
# Check user ''Properties'' > ''Status'' and make sure that the user is Enabled.
# Check user ''Properties'' > ''Server Roles'' and make sure that the user has the ''public'' role.
## If using an Administrator user, make sure it has the ''sysadmin'' role.
## If not using an Administrator user, check user ''Properties'' > ''Securables'' and make sure the user has been granted ''View server state'' rights.
; Support for Local and Failover Cluster SQL instances:
This ZenPack adds support for both local and failover cluster SQL Server instances.
Local SQL Server instances can be modeled/monitored within Windows devices (devices in the ''Server/Microsoft/Windows'' device class).
SQL Server failover cluster instances can be modeled/monitored within cluster devices (devices in ''Server/Microsoft/Cluster'' device class).
: Use the following steps to model/monitor SQL Server instances:
# Create a device in ''Server/Microsoft/Windows'' device class if you intend to model local SQL instances, or in ''Server/Microsoft/Cluster'' device class if you intend to model failover cluster instances.
# Optionally specify the instance names to be modeled in ''zDBInstances'' zProperty. Provide user names and passwords if SQL Server Authentication is to be used.
# Enable ''zenoss.winrm.WinMSSQL'' modeler plugin.
# Remodel device.
; SQL Server Monitoring
The monitoring templates for SQL Server are component templates so there is no need to perform a bind. They will automatically be used to monitor databases, instances, and jobs.
{{note}} The default instance of MSSQLSERVER appears as the host name.
{{note}} The authenticated user must be granted permission to view the server state, for example with <code>GRANT VIEW SERVER STATE TO [MYDOMAIN\zenoss_user]</code> or through the GUI in SQL Server Management Studio. The user must also be interactive, i.e. the account must not be denied local logon rights.
=== Working with WinCommand Notification Action ===
This ZenPack adds a new event notification action that the zenactiond daemon can use to execute an arbitrary command on the remote Windows machine.
Use the following steps to set up a notification:
# Select ''Events'' > ''Triggers'' from the Navigation Menu.
# Create a trigger, selecting the rules that define it.
# Select ''Notifications'' from the left panel. Add a new notification, enter a name for it and select ''WinCommand'' Action from the drop-down menu. Click Submit.
# In the ''Edit Notification'' dialog, on the ''Notification'' tab, associate the trigger with the notification and optionally set the notification properties (Enabled, Send Clear, Send only on Initial Occurrence, Delay, Repeat).
# On the ''Content'' tab of the notification, specify the ''Windows CMD Command'' to run when configured triggers are matched. You may optionally specify a ''Clear Windows CMD Command'' to run when the triggering event clears.
# Submit changes.
For more information please refer to [http://community.zenoss.org/docs/DOC-10690 Working with Triggers and Notifications]
== <span id="winrm_setup">Setting up WinRM Service for Target Windows Machines</span> ==
;Group Policy
: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management
;WinRMClient
* No setting changes are required for the client.
;WinRMService
* Allow remote server management through WinRM
** HTTP (the Windows default is HTTPS; see the note below for more information)
* Allow unencrypted traffic (only necessary when using Basic authentication)
** Basic authentication (the Windows default is Kerberos; see the note below for more information)
* Allow Basic Authentication
;WinRS
: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Shell
* Allow Remote Shell Access
* Max number of processes per shell = 4294967295
* Max number of shells per user = 2147483647
* Shell Timeout = 7200000
;Individual machine configuration
* Open ports 5985 (HTTP) / 5986 (HTTPS) for WinRM
* Run a command prompt as Administrator
* winrm quickconfig
* winrm s winrm/config/service '@{MaxConcurrentOperationsPerUser="4294967295"}'
* winrm s winrm/config/winrs '@{MaxShellsPerUser="2147483647"}'
* winrm s winrm/config/winrs '@{IdleTimeout="7200000"}'
;Basic Authentication (the Windows default is Kerberos; see the note below for more information)
* winrm s winrm/config/service/auth '@{Basic="true"}'
* winrm s winrm/config/service '@{AllowUnencrypted="true"}'
{{note}} The above instructions use the max values for MaxConcurrentOperationsPerUser and WinRS MaxShellsPerUser. If you do not want to set these to the max, then a value of 50 should be adequate. The default is 5 on both, which will cause problems because Zenoss will open up concurrent requests for each WQL query and set of Perfmon counters.
{{note}} If you choose to use Basic authentication it is highly recommended that you also configure HTTPS. If you do not use the HTTPS protocol your user name and password will be sent over in clear text. If you have challenges setting up HTTPS on the Windows clients but require the user name and password to be encrypted, then using the Kerberos authentication is the best option. HTTPS is not required for Kerberos but is recommended. If you choose to use Kerberos authentication, then your payload will be encrypted.
{{note}} If you are using kerberos on EL6 and higher to connect to your Windows Server, your data will be encrypted over HTTP. For kerberos on EL5, encryption is not supported so you must set the winrm AllowUnencrypted option to true.
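An added example (not part of the ZenPack or of Microsoft's tooling) that parses the listing printed by <code>winrm get winrm/config/service</code> on a target and flags the settings the notes above warn about: Basic authentication combined with unencrypted traffic, a too-low MaxConcurrentOperationsPerUser, and a missing compatibility listener when zWinRMPort is 80 or 443. The sample listing is constructed, and the threshold of 50 operations is the "adequate" value from the note.

```python
# Constructed listing in the layout 'winrm get winrm/config/service' prints.
SAMPLE_OUTPUT = """\
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 5
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true
"""

# The same host after following the Kerberos advice in the notes (constructed).
HARDENED_OUTPUT = (SAMPLE_OUTPUT
                   .replace("AllowUnencrypted = true", "AllowUnencrypted = false")
                   .replace("Basic = true", "Basic = false")
                   .replace("MaxConcurrentOperationsPerUser = 5",
                            "MaxConcurrentOperationsPerUser = 4294967295"))


def parse_winrm_config(text):
    """Turn the indented 'winrm get' listing into nested dicts.  Leaf values
    are strings; a key printed without a value (CertificateThumbprint) is ''."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    root = {}
    stack = [(-1, root)]            # (indent, dict) of the open sections
    for i, line in enumerate(lines):
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        while indent <= stack[-1][0]:   # close sections at the same or deeper level
            stack.pop()
        parent = stack[-1][1]
        if "=" in body:
            key, value = (part.strip() for part in body.split("=", 1))
            parent[key] = value
        elif i + 1 < len(lines) and len(lines[i + 1]) - len(lines[i + 1].lstrip()) > indent:
            parent[body] = {}       # a section: the next line is indented deeper
            stack.append((indent, parent[body]))
        else:
            parent[body] = ""       # a key with no value
    return root


def is_true(value):
    return str(value).strip().lower() == "true"


def audit_service_config(config, zwinrm_port=5985):
    """Return (severity, message) findings for the Zenoss-relevant settings.
    zwinrm_port is the port the collector will use (the zWinRMPort property)."""
    svc = config["Service"]
    auth = svc.get("Auth", {})
    findings = []
    if is_true(auth.get("Basic")) and is_true(svc.get("AllowUnencrypted")):
        findings.append(("high", "Basic authentication with AllowUnencrypted=true: the user "
                         "name and password cross the network in clear text unless HTTPS is used"))
    elif is_true(svc.get("AllowUnencrypted")):
        findings.append(("medium", "AllowUnencrypted=true: only needed for Kerberos from an EL5 collector"))
    if not is_true(auth.get("Kerberos")):
        findings.append(("medium", "Kerberos disabled: domain authentication (zWinRMUser as user@domain) will fail"))
    per_user = int(svc.get("MaxConcurrentOperationsPerUser", "0"))
    if per_user < 50:
        findings.append(("medium", "MaxConcurrentOperationsPerUser=%d: the default of 5 is too low for "
                         "Zenoss's concurrent WQL/Perfmon requests; use at least 50" % per_user))
    compat = {80: "EnableCompatibilityHttpListener", 443: "EnableCompatibilityHttpsListener"}
    if zwinrm_port in compat and not is_true(svc.get(compat[zwinrm_port])):
        findings.append(("medium", "zWinRMPort=%d but %s=false: create the listener for that port"
                         % (zwinrm_port, compat[zwinrm_port])))
    return findings


if __name__ == "__main__":
    for label, text in (("as shipped", SAMPLE_OUTPUT), ("hardened", HARDENED_OUTPUT)):
        for severity, message in audit_service_config(parse_winrm_config(text)):
            print("[%s] %s: %s" % (severity.upper(), label, message))
```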
{{note}} If you keep the WinRM default configuration you must supply Kerberos authentication settings in the zProperties. The Kerberos authentication process requires a ticket granting server; in a Microsoft Active Directory environment the AD server is also the KDC. The zWinKDC value must be set to the IP address of the AD server, and the collector must be able to send TCP/IP packets to this server. Once this is set, your zWinRMUser must be in FQDN form such as [email protected], and zWinRMPassword must be set correctly for this user account.
{{note}} In order to use a single domain user in a child domain or other trusted domain, set zWinKDC to the AD server of the user's domain. Then enter the trusted domain name and associated AD server in the zWinTrustedRealm and zWinTrustedKDC properties, respectively.
{{note}} The HTTPS setup must be completed on each client. At this time we do not have notes on automating this task but are currently in the process of testing several options. To successfully encrypt your payload between the Zenoss server and the Windows client you must install a Server Authentication certificate on the client machine. The process for requesting and installing the appropriate certificate can be found at the following URL.
http://blogs.technet.com/b/meamcs/archive/2012/02/25/how-to-force-winrm-to-listen-interfaces-over-https.aspx
Once the client has the correct certificate installed you only need to change the zWinScheme to HTTPS and zWinRMPort to 5986. If you are still having challenges setting up HTTPS on the client you can execute the following command on any AD server to verify the appropriate SPN record exists for Kerberos authentication.
<console>
c:\>setspn -l hostname1
</console>
If you do not see a record with HTTPS/ at the beginning of the hostname you can create the record, but this is not typically necessary as Windows will use the HOST/ record as the default for most built in services.
<console>
c:\>setspn -s HTTPS/hostname1.zenoss.com hostname1
</console>
== Transitioning from WindowsMonitor ==
If you are installing this ZenPack on an existing Zenoss system or upgrading from an earlier Zenoss version you may have a ZenPack named ''ZenPacks.zenoss.WindowsMonitor'' already installed on your system. You can check this by navigating to Advanced -> ZenPacks.
This ZenPack functionally supersedes ''ZenPacks.zenoss.WindowsMonitor'' for Windows platforms that support WinRM, but does not automatically migrate monitoring of your Microsoft Windows resources when installed. The ZenPacks can coexist gracefully to allow you time to manually transition monitoring to the newer ZenPack with better capabilities.
# Navigate to the Infrastructure page.
# Expand the Server/Windows/WMI device class.
# Single-click to select a Windows device.
# Click the delete (''-'') button in the bottom-left.
# Click OK to confirm deleting the Windows device.
# Add the device back using the [[#Adding a Windows Device]] instructions above. Be sure to select the /Server/Microsoft/Windows device class and not the /Server/Windows/WMI device class.
# Repeat steps 3-6 for each Windows device.
{{note}} It is also possible to drag and drop selected Windows devices from one class to another. You will need to remodel the devices after the move.
Old Windows ZenPacks:
* PySamba
* WindowsMonitor
* ActiveDirectory
* IISMonitor
* MSExchange
* MSMQMonitor
* MSSQLServer
New Windows ZenPacks:
* [[ZenPack:PythonCollector|PythonCollector]] is a requirement for this ZenPack. It provides the polling facility through the zenpython collector daemon.
* This ZenPack (all the functionality of the old Windows ZenPacks is rolled into this one ZenPack)
The old ZenPacks come as part of the Zenoss Core 4.2.x RPM. They can be installed on top of a Resource Manager (RM) install with the msmonitor RPM.
=== Using Old and New Windows ZenPacks Together ===
There are some scenarios where it may be useful to use the old and new Windows ZenPacks together. In most cases this is as simple as putting servers you wish to be monitored by the new ZenPack in the /Server/Microsoft/Server device class and servers you wish to be monitored by the old ZenPack in the /Server/Windows/WMI device class.
Due to this ZenPack's dependency on WinRM 2.0, it is not possible to monitor Windows versions earlier than Windows 2003 SP1. If you have a requirement to monitor these earlier Windows versions you must use the older [[ZenPack:Microsoft_Windows|WindowsMonitor ZenPack]], which uses DCOM/RPC instead of WinRM.
There are also circumstances where you may currently be using the old Windows ZenPack and only want to initially use the new ZenPack for its new functionalities such as the ''Windows Shell'' datasource. This can be achieved using the following steps.
# Keep the servers under the /Server/Windows/WMI device class.
# Verify that all of the following configuration properties are set:
#* ''zWinUser'': In DOMAIN\Username format for DCOM/RPC collection.
#* ''zWinPassword'': Password for zWinUser account.
#* ''zWinRMUser'': In [email protected] format for WinRM collection.
#* ''zWinRMPassword'': Password for zWinRMUser account.
# Create a monitoring template containing a ''Windows Shell'' datasource and bind it to the server.
== Limitations of Current Release ==
The current release is known to have the following limitations.
* Support for team NICs is limited to Intel and Broadcom interfaces.
* The custom widget for MSSQL Server credentials is not compatible with Zenoss 4.1.x, therefore the ''zDBInstances'' property in this version should be set as a valid JSON list (e.g. ''[{"instance": "MSSQLSERVER", "user": "", "passwd": ""}]'' ).
* When upgrading to version 2.2.0, you may see a segmentation fault during the install. This occurs when upgrading from versions 2.1.3 and previous. To ensure a successful installation, run the install once more and restart Zenoss.
* Payload encryption is not supported on EL5 systems. This is due to the fact that the default kerberos library on EL5 systems does not contain the necessary functionality.
* Current functionality for monitoring Server 2003 has not been removed from the ZenPack, but no future development will be done for Server 2003.
* Starting with version 2.6.0 of the ZenPack, existing Windows Service components are no longer compatible. These will be removed upon installation. Once the device is modeled with the Services plugin enabled, Windows Service components will be discovered. Any existing monitoring templates will still apply. Any services that were manually selected to be monitored will not. See the section on [[#Configuring Service Monitoring|Configuring Service Monitoring]].
A current list of known issues related to this ZenPack can be found with [https://jira.zenoss.com/issues/?jql=%22Affected%20Zenpack(s)%22%20%3D%20MicrosoftWindows%20AND%20status%20not%20in%20(closed%2C%20%22awaiting%20verification%22)%20ORDER%20BY%20priority%20DESC%2C%20id this JIRA query]. You must be logged into JIRA to run this query. If you don't already have a JIRA account, you can [https://jira.zenoss.com/secure/Signup!default.jspa create one here].
=== Kerberos Tickets ===
The ZenPack will automatically generate a kerberos configuration file, krb5.conf, in the $ZENHOME/var/krb5/ directory. To use a custom configuration file, place it in the $ZENHOME/var/krb5/config/ directory. In Zenoss 5.x, this location is in a container so you will need to be certain to commit any changes made. Upgrading Zenoss will lose these changes, so you will need to update your container after upgrade. The file name can be anything that contains alphanumeric, dashes, and underscores.
To add a permanent location for your configuration file, you can use the zWinRMKrb5includedir property. This must be a location accessible from within a container and contain ONLY kerberos configuration file(s). If the location is invalid or contains files other than kerberos configuration files, it will be ignored and not added to the main krb5.conf file.
Example:
A common problem with Kerberos is that a reverse DNS lookup will result in multiple records returned, and not always the correct one. Kerberos by default always performs a forward and reverse lookup when establishing a ticket. To disable the reverse lookup, create a file in either the default location or in a user specified location and add the following:
<syntaxhighlight lang="text">
[libdefaults]
rdns = False
</syntaxhighlight>
See http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html for more information on the includedir and other kerberos options.