Monitor Type: Resources — Windows/WMI


Monitor Type Properties
Resources
Disk space

Path (UNC or local path) – is a path to a network shared folder or local directory. A directory dialog appears if you click the Select button; it allows selecting a share or directory. You can also check space on special shares such as C$ on hosts where you have administrator rights. When you create a new Disk space monitor, the directory dialog opens automatically.

In order to monitor local disk space on a standalone computer (no network connection) you should create a host polled by IP address 127.0.0.1 and use local paths to the directories on this host. In this case it is not possible to use UNC names.

Authentication – specifies what Windows account to use. This monitor uses the user credentials selected in the Credentials section below.

Note: It is not allowed to mount two shares on one remote server with two different sets of credentials. The following error message will be issued: "Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again." See here for the details.

Note: If IPHost Network Monitor is installed on Windows 10, it is not possible to mount (i.e. to monitor) the SYSVOL and NETLOGON shares in other domains using UNC paths, for security reasons. Only NETBIOS names can be used. If you need to monitor these system shares (e.g., as a part of Domain Controller monitoring), you can use a solution described here.

File

The parameters are similar to the Disk Space monitor parameters. A file dialog opens if you click the Select button. When you create a new File monitor, the file dialog opens automatically.

In order to monitor local files on a standalone computer (no network connection) you should create a host polled by IP address 127.0.0.1 and use local paths to these files on this host. In this case it is not possible to use UNC names.

WMI Query

WMI Monitor – this parameter specifies what resource should be monitored. There are three predefined monitors:

  • the number of Bytes Sent/sec
  • the number of Bytes Received/sec
  • Uptime (days)

Also, you can specify a WQL query by selecting the Custom (run WMI Query) value. In addition to standard WMI query format (WQL) you can use extended format: search for SUM(counter) or COUNT(counter) from the WMI data source. For example:

SELECT SUM(BytesSentPersec) FROM Win32_PerfFormattedData_Tcpip_NetworkInterface

– this query calculates the total number of bytes sent through all network interfaces.

SELECT COUNT(*) FROM WIN32_Service WHERE Name='WebClient' AND Started=TRUE

– this query returns 0 if the ‘WebClient’ service is stopped or does not exist and 1 if it is started. It can be regarded as an alternate way of monitoring Windows Service operability (via the Windows Service monitor).

If you don’t use the SUM or COUNT keywords then the data in the first column of the first row from the result set returned by a query is interpreted as an INTEGER number (performance value).

WMI namespace – is a namespace to use. Windows system performance counters use the root\cimv2 namespace. Other products use their own namespaces. For example, Microsoft Exchange declares several useful WMI data sources under the root\MicrosoftExchangeV2 namespace; one example is the exchange_SMTPQueue data source with properties like NumberOfMessages.

Authentication – specifies what Windows account to use. This monitor uses the user credentials selected in the Credentials section below.

Counter Type lets you select how to interpret the data returned by the monitor.
Only integer variables and variables that can be interpreted as integers can be selected for the Delta counter type. The other two counter types, Current Value and Value Change, allow using variables of any type. However, using non-integer variables for the Current Value counter type only makes sense if you define the String response validation section in the monitor’s state conditions, where you test the returned non-integer value for presence in a list of allowed or disallowed values.

The Divide returned value by parameter can be used to normalize the returned value. For example, WMI counters can return 64-bit data such as free space left on the HDD in bytes, and these values should be scaled down to fit the 32-bit signed integer range supported by IPHost Network Monitor.
You can also Take delta of current and previous poll and optionally Normalize by time that value, as in the SNMP monitor.
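The following added example (not IPHost code) models the value handling described above: SUM, COUNT, the first column of the first row, the divisor, and the 32-bit signed range. The function name `performance_value`, the integer division, and the sample rows are assumptions made for illustration.

```python
import re

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
# Extended format from the page: SELECT SUM(counter) / COUNT(counter) FROM ...
_AGGREGATE = re.compile(r"^\s*SELECT\s+(SUM|COUNT)\s*\(\s*(\*|\w+)\s*\)\s+FROM\s", re.I)

def performance_value(query, rows, divisor=1):
    """Reduce a WMI result set to the single integer the monitor records.

    rows is the result set after the WHERE clause, one dict per row
    (constructed here; a real monitor receives it from WMI).
    """
    m = _AGGREGATE.match(query)
    if m and m.group(1).upper() == "COUNT":
        value = len(rows)                        # 0 when nothing matched
    elif m:
        if m.group(2) == "*":
            raise ValueError("SUM needs a counter name")
        value = sum(int(r[m.group(2)]) for r in rows)
    else:
        if not rows:
            raise ValueError("query returned no rows")
        value = int(next(iter(rows[0].values())))  # first column, first row
    value //= divisor                            # "Divide returned value by"
    if not INT32_MIN <= value <= INT32_MAX:
        raise OverflowError("%d does not fit a 32-bit signed integer; "
                            "raise the divisor" % value)
    return value

# Constructed sample result sets (64-bit WMI values often arrive as strings).
NIC_ROWS = [{"BytesSentPersec": "1200"}, {"BytesSentPersec": "800"}]
DISK_ROWS = [{"FreeSpace": str(512 * 2**30)}]    # 512 GiB free, in bytes

if __name__ == "__main__":
    print(performance_value("SELECT SUM(BytesSentPersec) FROM "
                            "Win32_PerfFormattedData_Tcpip_NetworkInterface", NIC_ROWS))
    print(performance_value("SELECT COUNT(*) FROM WIN32_Service WHERE "
                            "Name='WebClient' AND Started=TRUE", []))
    print(performance_value("SELECT FreeSpace FROM Win32_LogicalDisk "
                            "WHERE DeviceID='C:'", DISK_ROWS, divisor=2**20))
```

With a divisor of 1 the free-space query raises `OverflowError`, which is the case the Divide returned value by parameter exists to avoid.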

Windows Service

Service Name – is a service’s short name (not its display name) shown on the service property page from the Services dialog (such as W32Time on the screenshot below).

Service Name

Authentication – has the same meaning as the identical parameter for the Disk Space monitor.

WMI Disk space

Disk name (C or D, no quotes) – is a name of a local (not mounted) disk on a local or remote computer.

The Show [Free|Used] disk space drop-down menu lets you select what to monitor: free or used disk space.

The And show as drop-down menu lets you select the measurement units: Gb, Mb, or percentage of total disk space.

Authentication – specifies what Windows account to use. This monitor uses the user credentials selected in the Credentials section below.

Note: Unlike the generic Disk space monitor, this monitor does not require the monitored filesystem to be a network shared resource.

WMI CPU

Metric is a drop-down menu that lets you select the performance counter to monitor:

  • Total active time shows the amount of time the processor spends processing non-idle threads.
  • User time shows the percentage of time the processor spends running user mode tasks.
  • System time shows the percentage of time the processor spends running system tasks.
  • Interrupts per second shows the number of interrupts the processor is servicing from applications or hardware devices. High rates might indicate hardware problems.
  • Context switches per second shows how often the kernel switches the CPU from one thread to another. A high rate might indicate that there are too many threads competing for the processors.

Authentication – has the same meaning as the identical parameter for the WMI Disk space monitor.

WMI Memory

Metric is a drop-down menu that lets you select what kind of memory to monitor:

  • Physical memory
  • Page file
  • Virtual memory

The Show [Free|Used] memory drop-down menu lets you select what to measure: free or used memory. The And show as parameter lets you select the units: Mb or percentage of the total memory of that kind.

Authentication – has the same meaning as the identical parameter for the WMI Disk space monitor.

WMI Process

Metric is a drop-down menu that lets you select what to monitor:

  • Processes total shows the number of processes with the specified name and/or arguments.
  • CPU usage total shows the total amount of CPU time used by all the processes with the specified name and/or arguments.
  • Memory usage total shows the total amount of memory used by all the processes with the specified name and/or arguments.

Name is a process name as it is shown in Windows Task Manager, for example, ‘svchost.exe’ (no quotes).

Mandatory arguments are the arguments to identify a process. For example, if you specify ‘-k netsvc’ (no quotes), then only processes with this argument will be counted.

Authentication – has the same meaning as the identical parameter for the WMI Disk space monitor.

Windows Event Log

The Event log parameter specifies which event log channel should be monitored. There are five predefined logs:

  • Application – contains events logged by applications or programs.
  • Security – contains events such as valid and invalid logon attempts, as well as events related to resource use, such as creating, opening, or deleting files or other objects. Administrators can specify what events are recorded in the security log. For example, if you have enabled logon auditing, attempts to log on to the system are recorded in the security log.
  • Setup – contains events related to application setup.
  • System – contains events logged by Windows system components. For example, the failure of a driver or other system component to load during startup is recorded in the system log.
  • Forwarded Events – used to store events collected from remote computers. To collect events from remote computers, you must configure both the forwarding and the collecting computers and create an event subscription.

You can also specify another event log channel by selecting the Custom… value. The channel name can be entered directly or chosen in the Select Event Log Channel dialog, which opens when you press the Select button and lists all event log channels registered on the monitor’s host:

Select Event Log Channel

The monitor can filter events from the selected event log by the parameters listed below. Generally, if no value is specified for a certain parameter, the monitor will not filter events by this parameter.

Levels – a classification of the event severity. You can select one or more levels.

Sources – the software that logged the event, which can be either a program name, such as “SQL Server”, or a component of the system or of a large program, such as a driver name.
You can monitor events from multiple sources. Sources can be entered directly as a comma-separated list of source names or chosen in the Select Event Log Sources dialog, which opens when you press the Select button and lists all event sources registered on the monitoring host.

Select Event Log Channel

Unregistered event sources are not listed in the Select Event Log Sources dialog, but you can still filter the events they produce by setting the source name manually.
To find out the name of the event source, you can use the Windows Event Viewer tool. Find the needed event in the Event Viewer and double-click it to open the event properties, then switch to the Details tab and expand System properties by clicking the plus sign. The event source name is displayed in System -> Provider -> [Name].

Task categories is a comma-separated list of numbers. A task category represents a subcomponent or activity of the event publisher (event source).
To find out the task category of an event, you can use the Windows Event Viewer tool. Find the needed event in the Event Viewer and double-click it to open the event properties, then switch to the Details tab and expand System properties by clicking the plus sign. The task category number is displayed in System -> Task.

Keywords – default event categories or tags, select one or more to filter events.

User – the name or the security identifier (SID) of the user on whose behalf the event occurred. When this setting contains a user name, the monitor will try to get the SID for that user before querying for events. If the monitor fails to get the SID, it will report an invalid settings error.
Retrieving a SID by user name may not work correctly for remote hosts, so it is recommended to use the SID for this parameter.
To find out the event user SID, you can use the Windows Event Viewer tool. Find the needed event in the Event Viewer and double-click it to open the event properties, then switch to the Details tab and expand System properties by clicking the plus sign. The user SID is displayed in System -> Security -> [UserID].
Note: User accounts in Control Panel are shown by their full name, which might be different from the user name. However, for the monitor to work properly, you must always use the user name, not the full name, in this setting. User names can be viewed using, for example, the Local Users and Groups Manager tool.

Computer is the name of the computer on which the event occurred. The computer name is typically the name of the monitored host computer, but it might be the name of a computer that forwarded the event or it might be the name of the monitored host computer before its name was changed.

Use the Event ID should be… filter to filter events by Event ID. You can either define a list of accepted Event IDs or accept any events except those whose ID is listed.

The Event message should… setting lets you filter events by a substring that every event message should contain or should not contain.

The monitor can report either the number of events that occurred since the previous poll or the number that occurred within a defined period. For example, you can choose to report the number of events that occurred in the last hour.

Use the Make Event Log raw data available in alerts setting to enable collection of matching messages from the Event Log into the $EventAdditionalDetails variable, which can be used in alerts. If this setting is not selected or there are no matching events in the Event Log, $EventAdditionalDetails will contain the text "none".

The monitor uses Windows credentials to access remote hosts.

Note: The Windows API limits the number of expressions that can be used in a single event log query. Some of the monitor's Event log filtering settings let you specify multiple values, and the editors do not limit the number of these values. However, every value is a separate expression in the event log query, so if you exceed the limit the following error message will be issued:
"EvtQuery failed: The specified query is invalid. (possible reason: Too many values have been set in Sources, Task categories and/or Event ID filters. Try to decrease number of filtering values). (0x00003a99)"

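The following added example (not IPHost code) shows how filter values add up to query expressions, so a filter set can be sized before it is entered in the monitor. It assumes the XPath form that Windows Event Viewer generates for the same filters; the function name `build_event_query`, the `budget` parameter (the page does not state the actual limit) and the sample settings are constructed for illustration.

```python
import re

_SAFE_NAME = re.compile(r"^[\w .\-/]+$")   # no quotes or brackets in a quoted value
_SID = re.compile(r"^S-1-\d+(-\d+)+$")

def _ints(values, label):
    """Accept only numeric filter values, as the Task and Event ID fields expect."""
    out = []
    for v in values:
        if not str(v).isdigit():
            raise ValueError("%s must be numeric: %r" % (label, v))
        out.append(int(v))
    return out

def build_event_query(sources=(), task_categories=(), event_ids=(),
                      user_sid=None, budget=None):
    """Return (xpath, expression_count, within_budget) for one filter set."""
    clauses, count = [], 0
    if sources:
        for s in sources:
            if not _SAFE_NAME.match(s):
                raise ValueError("unsafe source name: %r" % s)
        clauses.append("Provider[" + " or ".join("@Name='%s'" % s for s in sources) + "]")
        count += len(sources)              # one expression per source
    for field, values in (("Task", _ints(task_categories, "task category")),
                          ("EventID", _ints(event_ids, "event ID"))):
        if values:
            clauses.append("(" + " or ".join("%s=%d" % (field, v) for v in values) + ")")
            count += len(values)           # one expression per value
    if user_sid is not None:
        if not _SID.match(user_sid):
            raise ValueError("not a SID: %r" % user_sid)
        clauses.append("Security[@UserID='%s']" % user_sid)
        count += 1
    xpath = "*[System[" + " and ".join(clauses) + "]]" if clauses else "*"
    return xpath, count, budget is None or count <= budget

# Constructed sample settings: logon events in the Security log for one SID.
SAMPLE = dict(sources=["Microsoft-Windows-Security-Auditing"],
              task_categories=[12544], event_ids=[4624, 4625], user_sid="S-1-5-18")

if __name__ == "__main__":
    print(build_event_query(budget=10, **SAMPLE))
```

The resulting XPath string can be tried against a host with `Get-WinEvent -LogName Security -FilterXPath` to confirm that it is accepted and matches the intended events.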