Microsoft Protocol – SNMP agent removing a service from the Services table if not running?

Solved770 viewsadl2099 Microsoft SNMP Windows service monitoring WMI
3
0 Comments

Hi Dojo,
I'm using the Microsoft SNMP protocol to monitor the state of a "GivenService" via the Service Table so that I can build a dashboard to report the state of this "GivenService" across a few servers in the monitored infrastructure - all fine as long as the service status is "Running" on the target Windows OS:

I've configured the alarm template to provide a warning for any other value of the parameter "Svc Oper. State" shown above.

Here's the issue... when the state is no longer "Active", I cannot retrieve the entry in the table:

Any hint from any Wintel Wizard, perhaps to configure the service in a different way?

Wondering if it is a limitation of the Microsoft SNMP agent - if so, is it worth deploying the WMI-based protocol to monitor the state of a given service across different Windows servers?
Or would it be the same?

Any steer will be helpful.
Thanks

Alberto De Luca [DevOps Enabler] Selected answer as best 23rd June 2023

2 Answers

2
1.02K 2 Comments

We're using the WMI driver to monitor windows machines. We have a few where we alarm on a missing process, you do need to make sure "Auto Clear Task Manager" is set to off.

The process of interest needs to have been seen since the element started, otherwise it won't detect that it is missing.

In the alarm template, alarm on task name, set a filter for the appliaction of interest (e.g. Notepad*) then in the green status box have the same again, and in the red status box have "Not Found".

Chris Glover [DevOps Advocate] Posted new comment 26th June 2023
Alberto De Luca [DevOps Enabler] commented

Top notch, Chris – Thanks for sharing

I think that’s what I need – pretty much like DVB services in MPTS on probes 😉
or missing PIDs in a dekTec, back in my TV days ^^

“Video killed the radio star” – The Buggles
(soundtrack for re-deployment 😉 )
2
2.43K 1 Comment

Hi Alberto,

This seems to be a quirk of both Windows, and the driver. Namely, when polling the OIDs for services on the host, Windows only replies with the active services. This results in the Services Table Config (on the Service Monitor Config page), which doesn't retain deleted keys as it is an SNMP table. The enabled rows are then pushed to the Services Table.

I presume the developers at the time assumed that inactive services would be reported as well, or Windows has changed its behaviour over time. The problem with retaining inactive services is that we won't know if the service is stopped, or actually deleted. So although it's possible to solve this in the driver, it may need manual maintenance to then remove deleted services.

Alberto De Luca [DevOps Enabler] Edited comment 23rd June 2023
Alberto De Luca [DevOps Enabler] commented

Thanks for your explanation, Floris, much appreciated – it makes perfect sense.

Indeed I remember that in the past I was using a Microsoft driver to monitor services, but it’s likely that it was the WMI version, as I had not encountered this before – I’ll check if that version can be deployed in the target environment, as it sounds like a quicker fix.

If not (e.g. fw port restrictions) we’ll check with the squad if the “missing” behaviour described by Chris in his answer could be a viable option for the SNMP version too.