mickem / nscp

NSClient++
http://nsclient.org
GNU General Public License v2.0

check_process - process not found #654

Closed lucafwp closed 4 years ago

lucafwp commented 4 years ago

Issue and Steps to Reproduce

The command does not find some of the running processes. If we launch the command without any filter, in the provided list of processes, a lot of them are not present.

Details

Additional Details

Command output:

C:\Program Files\NetEyeNSClient++>nscp.exe client --debug --query check_process process=csrss.exe show-all
L client Extra options: process=csrss.exe
L client Extra options: show-all
D core NSClient++ 0.5.2.35 2018-01-28 x64 Loading settings and logger...
D core Settings not ready so we cant lookup: base-path
D core Settings not ready so we cant lookup: exe-path
D settings Boot.ini found in: C:\Program Files\NetEyeNSClient++/boot.ini
D core Settings not ready so we cant lookup: shared-path
D settings Activating: ini://${shared-path}/nsclient.ini
D settings Creating instance for: ini://${shared-path}/nsclient.ini
D core Settings not ready so we cant lookup: shared-path
D settings Loading: C:\Program Files\NetEyeNSClient++/nsclient.ini
D core NSClient++ 0.5.2.35 2018-01-28 x64 booting...
D core Booted settings subsystem...
D core On crash: restart: NSCP
D core Archiving crash dumps in: C:\Program Files\NetEyeNSClient++/crash-dumps
D core Found: CheckDisk
D core Found: CheckEventLog
CRITICAL: critical(csrss.exe=stopped)|'csrss.exe state'=0;0;0 'count'=1;0;0
No module was specified...
D core Found: CheckExternalScripts
D core Found: CheckHelpers
D core Found: CheckNSCP
D core Found: CheckSystem
D core Found: CheckTaskSched
D core Found: CheckWMI
D core Found: NRPEServer
D core Found: NSClientServer
D core Loading module C:\Program Files\NetEyeNSClient++\modules\CheckDisk.dll ()
D core Loading module C:\Program Files\NetEyeNSClient++\modules\CheckEventLog.dll ()
D core Loading module C:\Program Files\NetEyeNSClient++\modules\CheckExternalScripts.dll ()
D core Loading module C:\Program Files\NetEyeNSClient++\modules\CheckHelpers.dll ()
D core Loading module C:\Program Files\NetEyeNSClient++\modules\CheckNSCP.dll ()
D core Loading module C:\Program Files\NetEyeNSClient++\modules\CheckSystem.dll ()
D core Loading module C:\Program Files\NetEyeNSClient++\modules\CheckTaskSched.dll ()
D core Loading module C:\Program Files\NetEyeNSClient++\modules\CheckWMI.dll ()
D core Loading module C:\Program Files\NetEyeNSClient++\modules\NRPEServer.dll ()
D core Loading module C:\Program Files\NetEyeNSClient++\modules\NSClientServer.dll ()
D core Loading plugin: CheckDisk
D core Loading plugin: CheckEventLog
D core Loading plugin: CheckExternalScripts
D core Loading plugin: CheckHelpers
D core Loading plugin: CheckNSCP
D check_nscp Crash folder is: C:\Program Files\NetEyeNSClient++/crash-dumps
D core Loading plugin: CheckSystem
D core Loading plugin: CheckTaskSched
D core Loading plugin: CheckWMI
D core Loading plugin: NRPEServer
D core Loading plugin: NSClientServer
D check_nt Allowed hosts definition: 127.0.0.1(255.255.255.255), 10.0.0.0(255.0.0.0), 192.168.0.0(255.255.0.0), 172.16.0.0(255.240.0.0), 0.0.0.0(0.0.0.0), ::1(ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
D core NSClient++ - 0.5.2.35 2018-01-28 Started!
E core No module was specified...
                    c:\source\master\service\plugin_manager.cpp:621
D core Attempting to stop all plugins
D core Stopping all plugins
D core Unloading plugin: CheckDisk...
D core Unloading plugin: CheckEventLog...
D core Unloading plugin: CheckExternalScripts...
D core Unloading plugin: CheckHelpers...
D core Unloading plugin: CheckNSCP...
D core Unloading plugin: CheckSystem...
D core Unloading plugin: CheckTaskSched...
D core Unloading plugin: CheckWMI...
D core Unloading plugin: NRPEServer...
D core Unloading plugin: NSClientServer...
D core Stopping: COM helper
D core Stopping: Settings instance

mintsoft commented 4 years ago

@lucafwp that log doesn't actually show the output of the checks. If you run nscp test you should end up in a "shell" that you can test with to see what's going on: https://docs.nsclient.org/howto/checks/

lucafwp commented 4 years ago

Hi @mintsoft, these are some tests made with client in test mode:

NOT WORKING: image

NOT WORKING: image

WORKING: image

Do you need the full output of command window?

mintsoft commented 4 years ago

Hmm! That definitely looks unusual. I can "understand" how disp+work.exe might not work, however I have no idea why igswd.exe would have an issue.

What do you get if you try:

check_process process=igswd.exe debug show-all scan-unreadable=yes

Does it show in the logging if you do:

check_process process=* debug show-all scan-unreadable=yes

?

lucafwp commented 4 years ago

Hi @mintsoft, sorry for the late answer. I think with the second command I've found the problem. The process is identified by NSClient with ".EXE" extension (uppercase).

This is the output of the first command: image

As you can see, process "igswd.exe" is correctly running but NSClient says stopped instead.

In the following file you can find output of the second command. check_process_output.txt

This is the line I was mentioning: D w32system Crit/warn/ok did not match: igswd.EXE=started

If I launch the first command using "igswd.EXE" the output shows the correct status "running". I've checked the executable file from the process but I can't understand why the extension is uppercase: image

mintsoft commented 4 years ago

@lucafwp Ahh interesting! I hadn't considered that it might be case sensitivity. My gut feeling is that the thing that's responsible for running the actual process is actually using .EXE; you can check what it was executed as by looking at the process's CommandLine property in Process Explorer (http://live.sysinternals.com/procexp.exe) or with PowerShell: gwmi win32_process |Select Name,CommandLine

Is it .exe or .EXE in there?

lucafwp commented 4 years ago

Hi @mintsoft seems you were right:

F:\usr\sap\SPR\D00\exe\igswd.EXE -mode=profile pf=\\SRBSASPR01\sapmnt\SPR\SYS\profile\SPR_D00_SRBSASPR01 \??\C:\Windows\system32\conhost.exe 0x4

Is there a way to execute a case-insensitive search with check_process?

mintsoft commented 4 years ago

@lucafwp Aha, that would explain it! I have a feeling the answer is no; I've not found anything specific in the documentation to indicate that you can do it case-insensitively. You might be able to work around it by using something like: check_process exe=igswd (completely untested, just based on this: https://docs.nsclient.org/reference/windows/CheckSystem/#filter-keywords_6)

Otherwise @mickem might be able to clarify if there is a way of making it case-insensitive

lucafwp commented 4 years ago

Ok, I will try it. Thanks @mintsoft !
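
The mismatch diagnosed in this thread, as an added example that is not part of the thread or of NSClient++: a PowerShell function that compares the process names written in check definitions against the names Win32_Process reports, and flags those that match only when case is ignored. The function name, the monitored list and the sample process list are constructed for illustration; it assumes, as observed in the thread, that the check compares names case-sensitively.

```powershell
# Added example (not NSClient++ code). Find-CaseMismatch is a hypothetical helper.
function Find-CaseMismatch {
    param(
        [Parameter(Mandatory)][string[]]$Monitored,  # names as written in the checks
        [Parameter(Mandatory)][string[]]$Running     # Name values from Win32_Process
    )
    foreach ($want in $Monitored) {
        # -ceq compares case-sensitively, -ieq case-insensitively.
        $exact = @($Running | Where-Object { $_ -ceq $want })
        # Select-Object -Unique is case-sensitive, so distinct spellings are kept apart.
        $loose = @($Running | Where-Object { $_ -ieq $want } | Select-Object -Unique)

        if ($exact.Count -gt 0) {
            $state = 'exact'        # the check name matches as written
        } elseif ($loose.Count -gt 0) {
            $state = 'case-only'    # running, but a case-sensitive match reports it stopped
        } else {
            $state = 'absent'       # no process with this name in any casing
        }

        [pscustomobject]@{
            Monitored  = $want
            State      = $state
            ReportedAs = ($loose -join ', ')
        }
    }
}

# Constructed sample mirroring the thread: the process is reported as igswd.EXE.
$sampleRunning   = @('csrss.exe', 'igswd.EXE', 'conhost.exe')
# Constructed check list; example-agent.exe is a placeholder for a process that is not running.
$sampleMonitored = @('csrss.exe', 'igswd.exe', 'example-agent.exe')

Find-CaseMismatch -Monitored $sampleMonitored -Running $sampleRunning | Format-Table -AutoSize

# On a live host, replace the sample list with the names Windows actually reports:
#   $running = (Get-CimInstance Win32_Process).Name
#   Find-CaseMismatch -Monitored $sampleMonitored -Running $running
```

Any row in the `case-only` state is a check that would alert as stopped while the process is running; the `ReportedAs` column gives the spelling to use in the check definition.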