Binary Nature where the analog and digital bits of nature connect


Sunday, 12 June 2011

Configure a Windows device for Zenoss

Posted on 19:52 by Unknown
Zenoss Core is an enterprise-level systems and network monitoring solution. This post will show you how to configure Windows Server 2008 R2 to be properly monitored by Zenoss.

There are two primary channels for Zenoss to collect information from a Windows device. Zenoss can retrieve data via SNMP and WMI. SNMP gives us the most flexibility and the best device support, but WMI allows Zenoss to retrieve Windows-specific information like services and the event logs.


Simple Network Management Protocol (SNMP)
Zenoss Core uses SNMP to model attributes about a device (CPU, memory, disk, network, etc.). We need to make sure the Windows SNMP agent/service is properly installed and configured before the communication between our Windows device and the Zenoss Network Management Station (NMS) can happen.

# Install SNMP Services
We will first install the SNMP service. Run the following commands from an elevated PowerShell prompt:
PS> Import-Module -Name ServerManager
PS> Add-WindowsFeature -Name SNMP-Services

Verify the SNMP installation. Run the following command from an elevated PowerShell prompt:
PS> Get-WindowsFeature -Name snmp*

Display Name                                            Name
------------                                            ----
[X] SNMP Services                                       SNMP-Services
    [X] SNMP Service                                    SNMP-Service
    [X] SNMP WMI Provider                               SNMP-WMI-Provider

# Configure the SNMP Service
We will now configure the SNMP service to link to our Zenoss server. Since we still have a PowerShell session open, enter the following command to open the Services MMC:
PS> services.msc
  1. Double-click SNMP Service to open the properties window.
  2. Select the Agent tab.
  3. Enter your information in the Contact and Location fields.
  4. Enable the Physical, Applications, End-to-end and optionally the Internet service-based options.
  5. Click the Apply button.
  6. Select the Security tab.
  7. Add your Community Name with READ ONLY community rights. The Community Name must match the one configured on the Zenoss server (the zSnmpCommunity property). The Windows SNMP service only speaks SNMP v1/v2c, where the community string travels in cleartext, so treat it as a weak shared secret: never grant READ WRITE, and do not reuse the default "public".
  8. Add the Zenoss server hostname (or IP address) to the Accept SNMP packets from these hosts list. The agent enforces this list itself, and apart from the host firewall it is the only thing stopping any host that knows the community string from walking the device.
  9. Click the Apply button, then click the OK button to close the window.
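The same Agent and Security tab settings can be applied from PowerShell, which is easier to repeat across servers and to audit afterwards. The script below is an added example and not part of the original post: it writes the registry values the Windows SNMP service reads when it starts. The community string, NMS address, contact and location are placeholders to replace with your own.

```powershell
# Added example (not from the original post): configure the Windows SNMP
# service from PowerShell instead of the Services MMC. The registry paths are
# the ones the SNMP service reads on start-up; the community string, NMS
# address, contact and location values are assumptions for this example.
$ErrorActionPreference = 'Stop'
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

$community = 'zenossRO'          # must match zSnmpCommunity on the Zenoss server
$nms       = '192.0.2.10'        # Zenoss NMS address (TEST-NET range, assumed)
$contact   = 'noc@example.com'
$location  = 'Rack 12, DC1'

# Agent tab: contact, location and the sysServices bit mask (RFC 1213).
# Physical = 1, Internet = 4, End-to-end = 8, Applications = 64.
$sysServices = 1 + 4 + 8 + 64     # 77; leave out the 4 if you do not tick Internet
Set-ItemProperty -Path "$base\RFC1156Agent" -Name sysContact  -Value $contact
Set-ItemProperty -Path "$base\RFC1156Agent" -Name sysLocation -Value $location
Set-ItemProperty -Path "$base\RFC1156Agent" -Name sysServices -Value $sysServices -Type DWord

# Security tab, community names: the value name is the community string and the
# DWORD is the right. 4 = READ ONLY, which is all Zenoss needs; 8 would be READ WRITE.
# The key is recreated so that no stale community (e.g. "public") survives.
Remove-Item -Path "$base\ValidCommunities" -Recurse -ErrorAction SilentlyContinue
New-Item -Path "$base\ValidCommunities" -Force | Out-Null
New-ItemProperty -Path "$base\ValidCommunities" -Name $community -Value 4 -PropertyType DWord | Out-Null

# Security tab, "Accept SNMP packets from these hosts": numbered string values.
# Recreating the key drops the default "localhost" entry, so list every manager.
Remove-Item -Path "$base\PermittedManagers" -Recurse -ErrorAction SilentlyContinue
New-Item -Path "$base\PermittedManagers" -Force | Out-Null
$managers = @('localhost', $nms)
for ($i = 0; $i -lt $managers.Count; $i++) {
    New-ItemProperty -Path "$base\PermittedManagers" -Name ($i + 1) -Value $managers[$i] -PropertyType String | Out-Null
}

# Raise an authentication trap when a packet with an unknown community arrives.
Set-ItemProperty -Path $base -Name EnableAuthenticationTraps -Value 1 -Type DWord

# The service only reads these keys at start-up.
Restart-Service -Name SNMP

# Show the effective community and manager lists for review.
Get-ItemProperty -Path "$base\ValidCommunities"
Get-ItemProperty -Path "$base\PermittedManagers"
```

Because both keys are recreated from scratch, running the script twice leaves exactly the communities and managers listed in it, which is what you want when the same script is pushed to a fleet of servers.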

# Install SNMP Informant
The base Windows SNMP agent exposes only the generic HOST-RESOURCES-MIB view of CPU, memory and storage. The Zenoss Windows performance templates are built on the richer counters published by the free SNMP Informant extension agent (per-processor load, memory, disk and network I/O), so we install it to "beef up" the native agent.
  1. Browse to http://www.snmp-informant.com and download the free SNMP Informant-STD package. It installs as an extension DLL that the SNMP service loads as SYSTEM, so fetch it only from the vendor's site.
  2. Unzip the package and step through the standard GUI Wizard-based install.
Restart the SNMP service to establish the changes. Run the following command from an elevated PowerShell prompt:
PS> Restart-Service -Name snmp

Windows Management Instrumentation (WMI)
We will implement the security principle of least privilege by creating and using a non-privileged AD domain user for remote WMI access, rather than handing Zenoss a local administrator account. I will be using an account named zenwmiq in my example. We will need to set permissions in a few different areas (local groups, the WMI namespace and the Service Control Manager) to allow our zenwmiq user to query and return the required data.

# Local Security Groups
We will need to add our user to a few local security groups: Distributed COM Users allows remote DCOM activation (WMI rides on DCOM), Performance Monitor Users allows reading performance counters, and Event Log Readers allows reading the event logs. Use the domain-qualified name so the lookup cannot match a same-named local account. Run these commands from an elevated PowerShell prompt:
PS> net localgroup "Distributed COM Users" tendocalc\zenwmiq /ADD
PS> net localgroup "Performance Monitor Users" tendocalc\zenwmiq /ADD
PS> net localgroup "Event Log Readers" tendocalc\zenwmiq /ADD

# WMI Namespace Security
Steve Lee (Microsoft Senior Test Manager) created a pair of PowerShell WMI namespace security scripts. The Get-WmiNamespaceSecurity.ps1 and Set-WmiNamespaceSecurity.ps1 scripts allow us to get/set the WMI namespace permissions on the local computer as well as a remote one. We need to grant our zenwmiq user the Enable Account and Remote Enable permissions on the Root/CIMV2 namespace (the scripts name these Enable and RemoteAccess). Nothing more is needed for read-only monitoring; in particular, do not grant Execute Methods or any of the write permissions. Save both scripts to your working directory and run them with a .\ prefix, since PowerShell does not run scripts from the current directory by bare name (the execution policy must also allow local scripts).

List the current security settings for the Root/CIMV2 namespace. Run this command from an elevated PowerShell prompt:
PS> .\Get-WmiNamespaceSecurity.ps1 -Namespace root/cimv2

Add our access control entry (ACE) to the Root/CIMV2 access control list (ACL). Run this command from an elevated PowerShell prompt:
PS> .\Set-WmiNamespaceSecurity.ps1 -Namespace root/cimv2 -Operation add -Account tendocalc\zenwmiq -Permissions Enable,RemoteAccess

Let's verify our ACE was correctly added to the namespace ACL. Run this command from an elevated PowerShell prompt:
PS> .\Get-WmiNamespaceSecurity.ps1 -Namespace root/cimv2 | ? {$_.Name -like '*zen*'} | fl

Name : TENDOCALC\zenwmiq
Permission : {Enable, RemoteAccess}
Inherited : False

# Service Control Manager
The Service Control Manager ACL will also need to be modified to allow our zenwmiq user to enumerate and list the status of the services on our host.

We first need to get the security identifier (SID) of our domain user. Run these commands from an elevated PowerShell prompt:

PS> $account = New-Object Security.Principal.NTAccount "tendocalc\zenwmiq"
PS> $account.Translate([Security.Principal.SecurityIdentifier]).Value
S-1-5-21-4215953012-3604629762-2942499649-1497

We will use the service control tool (sc.exe) to get/set the security descriptor of the Service Control Manager (SCM); its sdshow and sdset verbs read and write that descriptor in SDDL form. Call it as sc.exe: inside PowerShell the bare name sc is an alias for Set-Content. Let's first display the current security descriptor for SCM. Run this command from an elevated PowerShell prompt:
PS> sc.exe sdshow scmanager

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

The default descriptor above grants Authenticated Users (AU) only connect (CC); the entries that also allow enumeration (CCLCRPRC) belong to interactive (IU) and service (SU) logons, which is why a network logon from Zenoss needs an ACE of its own. We now need to add our user (and the linked rights) to the DACL in SDDL format. The following table shows the rights our user needs:

  String  Access right                   Description
  ------  -----------------------------  -----------------------------------------------------------------------------
  CC      SC_MANAGER_CONNECT             Required to connect to the service control manager.
  LC      SC_MANAGER_ENUMERATE_SERVICE   Required to call EnumServicesStatusEx to list the services in the database.
  RP      SC_MANAGER_QUERY_LOCK_STATUS   Required to call QueryServiceLockStatus to retrieve lock status information for the database.
  RC      READ_CONTROL                   Required to call QueryServiceObjectSecurity to read the security descriptor of the object.

"Inject" the ACE as the last entry of the Discretionary Access Control List (DACL), immediately before the S: marker that starts the SACL. sdset replaces the whole descriptor, so start from the string your own sdshow printed rather than the one shown here, keep every existing entry, and substitute your account's SID for the example SID; a wrong string can lock administrators out of service management. Run this command from an elevated PowerShell prompt (a successful write prints [SC] SetServiceObjectSecurity SUCCESS):
PS> sc.exe sdset scmanager 'D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-4215953012-3604629762-2942499649-1497)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'
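Hand-editing a long SDDL string is where this step usually goes wrong. The following added example (not from the original post) performs the same edit programmatically: it looks up the SID, parses the live descriptor with .NET's RawSecurityDescriptor, skips the change if an allow ACE with the needed bits already exists, inserts the new ACE in front of the SACL, re-parses the result before writing it, and decodes the DACL afterwards. It assumes the tendocalc\zenwmiq account used in this post.

```powershell
# Added example (not from the original post): grant the SCM connect/enumerate
# rights to the monitoring account without hand-editing the SDDL string.
# The domain and account name are the ones used in the post; adjust as needed.
$ErrorActionPreference = 'Stop'
$account = 'tendocalc\zenwmiq'

# CC (0x1) + LC (0x4) + RP (0x10) + RC (0x20000) = 0x20015, i.e. CCLCRPRC.
$wantedMask = 0x1 -bor 0x4 -bor 0x10 -bor 0x20000

$sid = (New-Object Security.Principal.NTAccount $account).Translate([Security.Principal.SecurityIdentifier])

# sc.exe, not sc: inside PowerShell "sc" is an alias for Set-Content.
$sddl = (sc.exe sdshow scmanager | Where-Object { $_ -match '^\s*D:' }).Trim()
$sd   = New-Object Security.AccessControl.RawSecurityDescriptor $sddl

# Idempotency: is there already an allow ACE for this SID carrying every bit we need?
$existing = $sd.DiscretionaryAcl | Where-Object {
    $_.AceQualifier -eq 'AccessAllowed' -and $_.SecurityIdentifier -eq $sid -and
    (($_.AccessMask -band $wantedMask) -eq $wantedMask)
}
if ($existing) {
    Write-Host "$account already has SCM connect/enumerate rights; nothing to do."
    return
}

# Append the ACE to the DACL, i.e. just before the SACL ("S:") part, leaving
# the existing entries exactly as sdshow returned them.
$ace = "(A;;CCLCRPRC;;;$($sid.Value))"
$saclIndex = $sddl.IndexOf('S:')
if ($saclIndex -ge 0) {
    $newSddl = $sddl.Insert($saclIndex, $ace)
} else {
    $newSddl = $sddl + $ace
}

# Make sure the new string parses before sdset replaces the live descriptor.
$null = New-Object Security.AccessControl.RawSecurityDescriptor $newSddl
Write-Host "Previous descriptor (keep for rollback): $sddl"
sc.exe sdset scmanager $newSddl

# Verify by re-reading the descriptor and decoding each DACL entry.
$afterSddl = (sc.exe sdshow scmanager | Where-Object { $_ -match '^\s*D:' }).Trim()
$after = New-Object Security.AccessControl.RawSecurityDescriptor $afterSddl
$after.DiscretionaryAcl | ForEach-Object {
    $who = $_.SecurityIdentifier
    try { $name = $who.Translate([Security.Principal.NTAccount]).Value } catch { $name = $who.Value }
    '{0,-13} 0x{1:X5} {2}' -f $_.AceQualifier, $_.AccessMask, $name
}
```

The decoded listing at the end should show the new entry with mask 0x20015 next to the built-in entries; if the account shows a larger mask, something other than this script granted it and the grant should be reviewed.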

Firewall
If the host firewall is enabled, we need to verify the proper inbound ports are open for connectivity with Zenoss. You can enable the rule (and rule groups) with the Windows Firewall with Advanced Security console, but I will use the netsh utility in my examples.

# SNMP
The installation of the SNMP components should enable the required firewall rule. Verify it by running this command from an elevated PowerShell prompt and checking that the output shows Enabled: Yes:
PS> netsh advfirewall firewall show rule name="SNMP Service (UDP In)"

# WMI
WMI traffic is blocked by default, so we will need to enable the WMI rule group to open the ports. Note that the group admits the DCOM endpoint mapper (TCP 135) and the RPC dynamic port range from any remote address; after enabling it, scope those rules to the Zenoss server's address. Run this command from an elevated PowerShell prompt:
PS> netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
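Enabling the group as-is exposes DCOM and the RPC dynamic ports to every host that can reach the server. The added example below (not part of the original post) enables the three inbound rules that make up the group on Windows Server 2008 R2 and scopes each to the Zenoss server, then does the same for the SNMP listener. The NMS address 192.0.2.10 is an assumption.

```powershell
# Added example (not from the original post): enable the WMI firewall rules but
# restrict them to the Zenoss NMS address instead of leaving TCP 135 and the
# RPC dynamic port range open to any remote host. The NMS address is assumed.
$ErrorActionPreference = 'Stop'
$nms = '192.0.2.10'

# Built-in inbound rules that make up the
# "Windows Management Instrumentation (WMI)" group on Windows Server 2008 R2.
$wmiRules = @(
    'Windows Management Instrumentation (WMI-In)',
    'Windows Management Instrumentation (DCOM-In)',
    'Windows Management Instrumentation (ASync-In)'
)

foreach ($rule in $wmiRules) {
    # Enable the rule and narrow its remote address scope in one call.
    netsh advfirewall firewall set rule name="$rule" new enable=yes remoteip=$nms
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for rule '$rule'" }
}

# The SNMP listener only ever needs to hear from the NMS, so scope it the same way.
netsh advfirewall firewall set rule name="SNMP Service (UDP In)" new enable=yes remoteip=$nms
if ($LASTEXITCODE -ne 0) { throw "netsh failed for the SNMP rule" }

# Show what is now exposed: name, enabled state and RemoteIP for each rule touched.
foreach ($rule in $wmiRules + 'SNMP Service (UDP In)') {
    netsh advfirewall firewall show rule name="$rule" | Where-Object { $_ -match '^(Rule Name|Enabled|RemoteIP)' }
}
```

Each rule name exists once per firewall profile, and set rule name= updates all of them, so the listing at the end shows RemoteIP: 192.0.2.10/32 for every profile rather than RemoteIP: Any.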

# ICMP
The ICMPv4 echo request packet type will need to be allowed for Zenoss to verify availability through ping. Run this command from an elevated PowerShell prompt:
PS> netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes
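With the local groups, namespace ACL, SCM descriptor and firewall in place, it is worth exercising each grant as the monitoring account before pointing Zenoss at the host, because a failed WMI model in Zenoss does not say which permission is missing. The added example below (not from the original post) runs four remote WMI queries from a second domain-joined Windows machine, each depending on a different grant, and names the setting to revisit when one fails. The target host name is an assumption; the account is the one used throughout this post.

```powershell
# Added example (not from the original post): run from another domain-joined
# Windows host as the low-privilege monitoring account, to confirm each grant
# made above actually works over the network. Target host name is assumed.
$target = 'srv01.tendocalc.local'
$cred   = Get-Credential -Credential 'tendocalc\zenwmiq'   # prompts for the password

# Each query depends on a different piece of the configuration.
$checks = @(
    @{ Name = 'DCOM + root\cimv2 Enable/RemoteAccess'; Class = 'Win32_OperatingSystem';
       NeededFor = 'Distributed COM Users membership, WMI namespace ACE' },
    @{ Name = 'Service enumeration';                   Class = 'Win32_Service';
       NeededFor = 'SCM DACL entry (CCLCRPRC)' },
    @{ Name = 'Performance counters';                  Class = 'Win32_PerfFormattedData_PerfOS_Processor';
       NeededFor = 'Performance Monitor Users membership' },
    @{ Name = 'Event log read';                        Class = 'Win32_NTLogEvent';
       Filter = "Logfile='System' AND EventCode=6005";   # "Event log service was started": few rows, fast
       NeededFor = 'Event Log Readers membership' }
)

foreach ($check in $checks) {
    $params = @{ Class = $check.Class; ComputerName = $target; Credential = $cred; ErrorAction = 'Stop' }
    if ($check.Filter) { $params.Filter = $check.Filter }
    try {
        $rows = @(Get-WmiObject @params | Select-Object -First 5)
        '{0,-40} OK ({1} row(s))' -f $check.Name, $rows.Count
    } catch {
        '{0,-40} FAILED: {1}' -f $check.Name, $_.Exception.Message
        "    revisit: $($check.NeededFor)"
    }
}
```

A failure on the first check with an "Access denied" message points at DCOM or the namespace ACE (or the WMI firewall rules) rather than at any of the later grants; the later checks only become meaningful once the first one passes.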
Posted in PowerShell, Windows, Zenoss