Topic: WMI modules not initialised.

hkennedy
WMI modules not initialised.
« on: February 20, 2017, 12:03:37 PM »
Hello, I am trying to set up remote WMI monitoring for my servers. After creating the modules, I keep getting the "module not-initialised" under the module status after being set up for some time. Also, when I try to run a WMI query from the Linux command, I get the error below:

wmic -U Domain/Administrator //host "select*from Win32_ComputerSystem"
Failed to bind to uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 - NT_STATUS_NET_WRITE_FAULT
ERROR: dcom_create_object.
ERROR: Login to remote object.
NTSTATUS: NT_STATUS_LOGON_FAILURE - Logon failure

Can someone please help me out? Thanks

antonio.s
Re: WMI modules not initialised.
« Reply #1 on: February 21, 2017, 01:40:40 AM »
Hello hkennedy,

Make sure your remote Windows system is compatible with remote WMI; not all systems are, and sometimes you will need to enable it. As for the message you are getting, it looks like it is indeed a problem with the logon/authentication. Usually you will need to provide user AND password to run remote WMI queries.

Kind regards,
Antonio.

hkennedy
Re: WMI modules not initialised.
« Reply #2 on: February 21, 2017, 02:02:35 PM »
I indeed tested the compatibility of remote WMI from a Windows machine, and I got query results without any issues. I have even tried to force NTLMv2 auth from the Linux command and I am still getting errors. Is there any way to force another type of authentication?

antonio.s
Re: WMI modules not initialised.
« Reply #3 on: February 22, 2017, 11:30:21 PM »
Hello hkennedy,

Currently the only way to run remote WMI checks from Pandora is with user and password.

To help us get more info, you can increase the parameter "verbosity" of the pandora_server.conf to 10, then restart the server. Check the server log (pandora_server.log) with "tail -f" and then force the modules (or create a new one). An execution line should appear in the log and we should see the error that it is retrieving.

Code:
verbosity 10

Don't forget to set the verbosity to a lower value once the tests have ended so you don't fill the entire disk with the server log.

Kind regards,
Antonio.

hkennedy
Re: WMI modules not initialised.
« Reply #4 on: February 24, 2017, 12:07:56 PM »
I am attempting the remote WMI checks to our servers using credentials that successfully query from a remote Windows machine. Based on a PCAP I ran, the server is denying access from the Linux box but granting access to my Windows machine using the same credentials. Is there a way to force a non-initialised module? I was not able to find a way to do that.

antonio.s
Re: WMI modules not initialised.
« Reply #5 on: February 27, 2017, 12:33:10 AM »
Hello hkennedy,

Pandora uses 'wmic' to perform the remote WMI checks; you can try to run the query from the command line to debug errors.

Try executing it without parameters to display the options.

Also, you can increase the 'verbosity' parameter of the pandora_server.conf, then restart the pandora_server daemon and take a look at the log (pandora_server.log) to see the execution of the WMI module. It will also display the possible errors that are making the module not work.

To force it you can go to the agent's view and click on the "force" button on the upper right corner.

Kind regards,
Antonio.