search

centreon / centreon-plugins

Collection of standard plugins to discover and gather cloud-to-edge metrics and status across your whole IT infrastructure.
https://www.centreon.com
Apache License 2.0
310 stars 273 forks source link

os::windows::wsman::plugin mode updates isn't working #4412

Closed Luth1ng closed 1 year ago

Luth1ng commented 1 year ago

Hello,

I sucessfully configured my WindowsServer 2019 with the following guide : https://docs.centreon.com/pp/integrations/plugin-packs/getting-started/how-to-guides/windows-winrm-wsman-tutorial/

All the modes are working as expected except the updates service which output is : 

./centreon-plugins/src/centreon_plugins.pl --plugin=os::windows::wsman::plugin --hostname=10.0.2.6 --wsman-port=5986 --wsman-scheme=https --wsman-username='centreon' --wsman-password='password' --wsman-auth-method=basic --mode=updates --debug --verbose --wsman-debug=debug
May 11 18:12:23 [10347] Endpoint: https://10.0.2.6:5986/wsman
May 11 18:12:23 [10347] cl->authentication.verify_peer: 0
May 11 18:12:23 [10347] *****set post buf len = 1254******
* About to connect() to 10.0.2.6 port 5986 (#0)
*   Trying 10.0.2.6...
* Connected to 10.0.2.6 (10.0.2.6) port 5986 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=WIN-SERVER-2
*       start date: May 11 12:27:54 2023 GMT
*       expire date: May 11 12:47:54 2024 GMT
*       common name: WIN-SERVER-2
*       issuer: CN=WIN-SERVER-2
> POST /wsman HTTP/1.1
Host: 10.0.2.6:5986
Accept: */*
Content-Type: application/soap+xml;charset=UTF-8
User-Agent: WS-Management for all
Content-Length: 1254
Expect: 100-continue

< HTTP/1.1 401
< Server: Microsoft-HTTPAPI/2.0
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="WSMAN"
< Date: Thu, 11 May 2023 14:12:23 GMT
< Connection: close
< Content-Length: 0
<
* Closing connection 0
May 11 18:12:23 [10347] Basic authentication is used
* About to connect() to 10.0.2.6 port 5986 (#1)
*   Trying 10.0.2.6...
* Connected to 10.0.2.6 (10.0.2.6) port 5986 (#1)
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=WIN-SERVER-2
*       start date: May 11 12:27:54 2023 GMT
*       expire date: May 11 12:47:54 2024 GMT
*       common name: WIN-SERVER-2
*       issuer: CN=WIN-SERVER-2
* Server auth using Basic with user 'centreon'
> POST /wsman HTTP/1.1
Authorization: Basic Y2VudLJlb25zcnI6Y0hxbGdydidhWVNVIUJKME9VbGg=
Host: 10.0.2.6:5986
Accept: */*
Content-Type: application/soap+xml;charset=UTF-8
User-Agent: WS-Management for all
Content-Length: 1254
Expect: 100-continue

< HTTP/1.1 100 Continue
< HTTP/1.1 500
< Content-Type: application/soap+xml;charset=UTF-8
< Server: Microsoft-HTTPAPI/2.0
< Date: Thu, 11 May 2023 14:12:23 GMT
< Content-Length: 1354
* HTTP error before end of send, stop sending
<
May 11 18:12:23 [10347] write_handler: recieved 1354 bytes, all = 1354

* Closing connection 1
May 11 18:12:23 [10347] curl error code: 0.
May 11 18:12:23 [10347] cl->response_code: 500.
May 11 18:12:23 [10347] cl->last_error code: 0.
UNKNOWN: Could not enumerate instances: use debug option to have details

And a working example : 

./centreon-plugins/src/centreon_plugins.pl --plugin=os::windows::wsman::plugin --hostname=10.0.2.6 --wsman-port=5986 --wsman-scheme=https --wsman-username='centreon' --wsman-password='password' --wsman-auth-method=basic --mode=time --debug --verbose --wsman-debug=debug
May 11 18:14:10 [14193] Endpoint: https://10.0.2.6:5986/wsman
May 11 18:14:10 [14193] cl->authentication.verify_peer: 0
May 11 18:14:10 [14193] *****set post buf len = 1067******
* About to connect() to 10.0.2.6 port 5986 (#0)
*   Trying 10.0.2.6...
* Connected to 10.0.2.6 (10.0.2.6) port 5986 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=WIN-SERVER-2
*       start date: May 11 12:27:54 2023 GMT
*       expire date: May 11 12:47:54 2024 GMT
*       common name: WIN-SERVER-2
*       issuer: CN=WIN-SERVER-2
> POST /wsman HTTP/1.1
Host: 10.0.2.6:5986
Accept: */*
Content-Type: application/soap+xml;charset=UTF-8
User-Agent: WS-Management for all
Content-Length: 1067
Expect: 100-continue

< HTTP/1.1 401
< Server: Microsoft-HTTPAPI/2.0
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="WSMAN"
< Date: Thu, 11 May 2023 14:14:10 GMT
< Connection: close
< Content-Length: 0
<
* Closing connection 0
May 11 18:14:10 [14193] Basic authentication is used
* About to connect() to 10.0.2.6 port 5986 (#1)
*   Trying 10.0.2.6...
* Connected to 10.0.2.6 (10.0.2.6) port 5986 (#1)
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=WIN-SERVER-2
*       start date: May 11 12:27:54 2023 GMT
*       expire date: May 11 12:47:54 2024 GMT
*       common name: WIN-SERVER-2
*       issuer: CN=WIN-SERVER-2
* Server auth using Basic with user 'centreon'
> POST /wsman HTTP/1.1
Authorization: Basic Y2VudLJ1b25zcnI6Y0hxbGdydidhWVNVIUJKME9VbGg=
Host: 10.0.2.6:5986
Accept: */*
Content-Type: application/soap+xml;charset=UTF-8
User-Agent: WS-Management for all
Content-Length: 1067
Expect: 100-continue

< HTTP/1.1 100 Continue
< HTTP/1.1 200
< Content-Type: application/soap+xml;charset=UTF-8
< Server: Microsoft-HTTPAPI/2.0
< Date: Thu, 11 May 2023 14:14:10 GMT
< Content-Length: 1228
<
May 11 18:14:10 [14193] write_handler: recieved 1228 bytes, all = 1228

* Connection #1 to host 10.0.2.6 left intact
May 11 18:14:10 [14193] curl error code: 0.
May 11 18:14:10 [14193] cl->response_code: 200.
May 11 18:14:10 [14193] cl->last_error code: 0.
OK: Time offset 0 second(s): Local Time: 2023-05-11T14:14:10 (UTC) | 'time.offset.seconds'=0s;;;;

Many thanks for your help

Luth1ng commented 1 year ago

Well, my bad. Turned out my server has this GPO set to Disabled by default.

Press the Windows key + R to open up a Run box. Then, type "gpedit.msc" and hit Enter to open the Local Group Policy Editor.
Open Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components.
Click Windows Remote Shell.
View the state of the "Allow Remote Shell Access" setting.
Double click "Allow Remote Shell Access" to set the value to either "Not Configured" or "Enabled".

Update :

I also needed to add an AppLocker rule to permit the remote powershell session to be in FullLanguage mode instead of Constrained : 

gpedit.msc > Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Script Rules > Create New Rule...
Next > Action: Allow > User or group: Remote Management Users > Path > Enter: * > Next > Create