Monitoring Windows Service Using Windows Agent

From AVNOC

Windows Service Monitoring

AVNOC provides techniques to monitor a Windows server and examine its running services.

The process requires a monitoring agent to be installed on the Windows server. It can be downloaded here:

https://secure.avnoc.com/videos/NSCP-0.5.0.62-x64.msi


Download this installer to the Windows server to be monitored.

Run the installer.

Navigate to the install directory and replace the contents of nsclient.ini with the following:



# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help


; TODO
[/settings/default]

; Undocumented key
;password = test

; Undocumented key
allowed hosts = 127.0.0.1,XX.XX.XX.XX

; CACHE ALLOWED HOSTS - If host names (DNS entries) should be cached, improves speed and security somewhat but won't allow you to have dynamic IPs for your Nagios server.
cache allowed hosts = 1

; TIMEOUT - Timeout when reading packets on incoming sockets. If the data has not arrived within this time we will bail out.
timeout = 30


[/settings/NSClient/server]
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
allowed hosts = 127.0.0.1,xx.xx.xx.xx
ca = ${certificate-path}/ca.pem
cache allowed hosts = true
certificate = ${certificate-path}/certificate.pem
certificate format = PEM
dh = ${certificate-path}/nrpe_dh_512.pem
performance data = true
port = 12489
socket queue size = 0
thread pool = 10
timeout = 30
use ssl = false
verify mode = none


; TODO
[/settings/NRPE/server]

; Undocumented key
verify mode = none

; ALLOW INSECURE CIPHERS and ENCRYPTION - Only enable this if you are using a legacy check_nrpe client.
insecure = false

; PORT NUMBER - Port to use for NRPE.
port = 5666

; COMMAND ALLOW NASTY META CHARS - This option determines whether or not we will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
allow nasty characters = 0

; EXTENDED RESPONSE - Send more than 1 return packet to allow the response to go beyond the payload size (requires a modified client; if legacy is true this defaults to false).
extended response = 1

; COMMAND ARGUMENT PROCESSING - This option determines whether or not we will allow clients to specify arguments to commands that are executed.
allow arguments = 0

; ENABLE SSL ENCRYPTION - This option controls if SSL should be enabled.
use ssl = 1


; TODO
[/modules]

;SysTray.dll
;CheckEventLog.dll
;CheckHelpers.dll


; Undocumented key
CheckExternalScripts = 1

; Undocumented key
CheckHelpers = 1

; Undocumented key
CheckEventLog = 1

; Undocumented key
CheckNSCP = 1

; Undocumented key
CheckDisk = 1

; Undocumented key
CheckSystem = 1

; WEBServer - The HTTPS web server module (the module name is case sensitive)
WEBServer = 1

; Undocumented key
NRPEServer = 1

; NSClientServer - A server that listens for incoming check_nt connection and processes incoming requests.
NSClientServer = enabled


; TODO
[/settings/external scripts/wrappings]

; BATCH FILE WRAPPING - 
bat = scripts\\%SCRIPT% %ARGS%

; VISUAL BASIC WRAPPING - 
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%

; POWERSHELL WRAPPING - 
ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script `"%SCRIPT%`" not found."; exit(3) }; scripts\%SCRIPT% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile -command -


[log]

;# LOG DEBUG
;  Set to 1 if you want debug message printed in the log file (debug messages are always printed to stdout when run with -test)
debug = 1


; A set of filters to use in real-time mode
[/settings/system/windows/real-time/checks]


; A set of options to configure the real time checks
[/settings/system/windows/real-time]


; Configure which services has to be in which state
[/settings/system/windows/service mapping]


; TODO
[/settings/system/windows/counters/default]


; TODO
[/settings/system/windows/counters]


; TODO
[/settings/log/file]


; TODO
[/settings/log]

; LOG LEVEL - Log level to use. Available levels are error,warning,info,debug,trace
level = info

; DATEMASK - The date format used for the timestamp written with each log line.
date format = %Y-%m-%d %H:%M:%S

; FILENAME - The file to write log data to. Set this to none to disable log to file.
file name = ${exe-path}/nsclient.log


; TODO
[/settings/system/windows]

; DEFAULT LENGTH - Used to define the default interval for range buffer checks (ie. CPU).
default buffer length = 1h


; TODO
[/settings/external scripts/scripts/default]

; IGNORE PERF DATA - Do not parse performance data from the output
ignore perfdata = 0


; A list of wrapped scripts (ie. scripts using a template mechanism). The template used will be defined by the extension of the script.
[/settings/external scripts/wrapped scripts]


; TODO
[/settings/external scripts/alias]


; TODO
[/settings/eventlog/real-time/filters/default]

; EMPTY MESSAGE - The message to display if nothing matches the filter (generally considered the ok state).
empty message = eventlog found no records

; MAXIMUM AGE - How long before reporting "ok". If this is set to "false" no periodic ok messages will be reported, only errors.
maximum age = 5m


; A set of filters to use in real-time mode
[/settings/eventlog/real-time/filters]


; TODO
[/settings/eventlog/real-time]

; STARTUP AGE - The initial age to scan when starting NSClient++
startup age = 30m

; REAL TIME CHECKING - Spawns a background thread which detects issues and reports them back instantly.
enabled = 0

; LOGS TO CHECK - Comma separated list of logs to check
log = application,system

; DEBUG - Log missed records (useful to detect issues with filters) not useful in production as it is a bit of a resource hog.
debug = 0


; A list of scripts available to run from the CheckExternalScripts module. Syntax is: <command>=<script> <arguments>
[/settings/external scripts/scripts]


; TODO
[/settings/external scripts/alias/default]


; TODO
[/settings/shared session]


; TODO
[/settings/crash]

; RESTART SERVICE NAME - The name of the service to restart after a crash
restart target = NSCP

; CRASH ARCHIVE LOCATION - The folder to archive crash dumps in
archive folder = ${crash-folder}

; RESTART - Restart the service after a crash
restart = true

; SUBMISSION URL - The url to submit crash reports to
submit url = https://crash.nsclient.org/post

; ARCHIVE CRASHREPORTS - Archive crash reports in the archive folder
archive = true


; TODO
[/settings/external scripts]

; COMMAND TIMEOUT - The maximum time in seconds that a command can execute (if more than this, execution will be aborted). NOTICE this only affects external commands, not internal ones.
timeout = 60

; COMMAND ALLOW NASTY META CHARS - This option determines whether or not we will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
allow nasty characters = 0

; COMMAND ARGUMENT PROCESSING - This option determines whether or not we will allow clients to specify arguments to commands that are executed.
allow arguments = 0


; TODO
[/paths]

; Path for shared-path - 
shared-path = c:\Program Files\NSClient++

; Path for module-path - 
module-path = ${shared-path}/modules

; Path for crash-folder - 
crash-folder = ${shared-path}/crash-dumps

; Path for exe-path - 
exe-path = c:\Program Files\NSClient++

; Path for base-path - 
base-path = c:\Program Files\NSClient++

; Path for certificate-path - 
certificate-path = ${shared-path}/security


; TODO
[/settings/WEB/server]

; PORT NUMBER - Port to use for WEB server.
port = 8443s

; CERTIFICATE - Ssl certificate to use for the ssl server
certificate = ${certificate-path}/certificate.pem


; Files to be included in the configuration
[/includes]


; TODO
[/settings/eventlog]

; LOOKUP NAMES - Lookup the names of eventlog files
lookup names = 1

; DEBUG - Log more information when filtering (useful to detect issues with filters) not useful in production as it is a bit of a resource hog.
debug = 0

; BUFFER_SIZE - The size of the buffer to use when getting messages; this affects the speed and maximum size of messages you can receive.
buffer size = 131072


Replace XX.XX.XX.XX with your AVNOC agent's IP address and save the file.
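As an added example (not from the AVNOC page or from NSClient++ itself), a small Python audit of the check_nt listener settings in the nsclient.ini above: it reads a constructed excerpt of that file and flags an unreplaced XX.XX.XX.XX placeholder, an empty allowed hosts list, a missing password, and the cleartext check_nt transport. The section and key names are the ones used in the file above; the sample text, the audit function and its finding messages are constructed for this example.

```python
import configparser
import re

# Constructed excerpt of the page's nsclient.ini, placeholders left in on purpose.
SAMPLE_INI = """\
[/settings/default]
; Undocumented key
;password = test
allowed hosts = 127.0.0.1,XX.XX.XX.XX

[/settings/NSClient/server]
allowed hosts = 127.0.0.1,xx.xx.xx.xx
port = 12489
use ssl = false

[/modules]
NSClientServer = enabled
"""

PLACEHOLDER = re.compile(r"^x{2}(\.x{2}){3}$", re.IGNORECASE)
ENABLED = ("1", "true", "enabled")


def audit_check_nt_listener(ini_text: str) -> list[str]:
    """Return human-readable findings about the check_nt (port 12489) listener."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(ini_text)
    findings = []
    # check_nt requests are only answered when the NSClientServer module is loaded.
    if cp.get("/modules", "NSClientServer", fallback="0").lower() not in ENABLED:
        findings.append("/modules: NSClientServer not enabled, check_nt requests are refused")
    # 'allowed hosts' is the only source filter for port 12489; an unreplaced
    # XX.XX.XX.XX placeholder never matches, so only 127.0.0.1 could query.
    for section in ("/settings/default", "/settings/NSClient/server"):
        hosts = [h.strip() for h in cp.get(section, "allowed hosts", fallback="").split(",")]
        hosts = [h for h in hosts if h]
        if not hosts:
            findings.append(f"{section}: allowed hosts is empty, any source may query")
        for host in hosts:
            if PLACEHOLDER.match(host):
                findings.append(f"{section}: placeholder {host} not replaced with the AVNOC agent IP")
    # check_nt speaks a cleartext protocol; the password, if set, is the only credential.
    if not cp.get("/settings/default", "password", fallback=""):
        findings.append("/settings/default: no password set, port 12489 is gated by allowed hosts alone")
    if cp.get("/settings/NSClient/server", "use ssl", fallback="false").lower() not in ENABLED:
        findings.append("/settings/NSClient/server: use ssl is false, check_nt traffic crosses the network in clear")
    return findings


if __name__ == "__main__":
    for finding in audit_check_nt_listener(SAMPLE_INI):
        print("WARN:", finding)
```

Run it against the real file with `audit_check_nt_listener(open(path).read())` after editing; an empty list, apart from the cleartext note, means the placeholders were replaced.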

Set the service to auto start.

Make sure the service to be monitored is listed in the commands.


The monitoring target of malware is in our list.

Let's add the asset to the hosting portal.

Add the asset as you normally would.

Select the Monitoring tab for the asset.

Scroll down to Service Checks.



Select the correct service check.

Save the file.

Provision for errors.

Add a New Monitoring Command


Synchronize Commands With AVNOC

There is a good chance the command has already been snapped in. Run the synchronize with AVNOC command and see if what you're looking for shows up after synchronization.

Add the Command

If the command is not in the commands list, add the nomenclature to AUX.

This will set up the command for the command processing structure.

Now, let's add the command.

Monitoring Command Fields

UPC

Field              | Value                                                                                                    | Required
Command ID         | Select the name that was entered into AUXNAGCMD                                                          | YES
Command Alias      | Use the name that was entered into AUXNAGCMD                                                             | YES
Command to execute | /usr/lib/nagios/plugins/check_nt -H $HOSTADDRESS$ -v SERVICESTATE -c Stopped -l YOURSERVICENAME -p 12489 | YES
Last User          |                                                                                                          | NO
Last Date          |                                                                                                          | NO

Replace YOURSERVICENAME with the service name to check on the target server.

Determine Service Name to Monitor
