Please refer to the latest version of the Foglight Agent Manager user guide for specific details on Configuring Windows Remote Management (WinRM).
Steps to investigate from Foglight Management Server (FMS)
- Navigate to Navigation Panel | Dashboards | Administration | Credentials | Manage Credentials
- Select the credential to be used for monitoring of the remote host and select edit | Credential Properties
- If using a domain service account for remote monitoring, ensure the following:
  - Enter the fully qualified domain in the Domain field
  - Enter the user name without a domain in the User Name field
    Example: foglight_svc
- If using a local service account for remote monitoring, ensure the following:
  - Leave the Domain field empty
Steps to investigate from remote host
- Connect remotely to the target host and open a command prompt with administrator privileges
- Run the following command:
  winrm get winrm/config
  (This command displays the WinRM configuration for this host.)
- Make note of the following items under "Service"
Example:
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 15
        EnumerationTimeoutms = 60000
        MaxConnections = 25
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
- Note: If the WinRM configuration is not displayed because WinRM has not been configured, run the following:
  winrm quickconfig (winrm qc is the short form of the same command)
Configuring the remote host for monitoring with WinRM
- Using a domain service account
  - winrm set winrm/config/service/auth @{Basic="false"}
    Note: Basic is used when using a local service account
  - winrm set winrm/config/service @{AllowUnencrypted="true"}
    Note: AllowUnencrypted determines whether an HTTP (true) or HTTPS (false) connection is used
  - Ensure Kerberos = true in the WinRM service configuration
  - Ensure Negotiate = true in the WinRM service configuration
- Using a local service account
  - winrm set winrm/config/service/auth @{Basic="true"}
  - winrm set winrm/config/service/auth @{Negotiate="true"}
  - winrm set winrm/config/service @{AllowUnencrypted="true"}
    Note: AllowUnencrypted determines whether an HTTP (true) or HTTPS (false) connection is used
Reviewing Application Event Logs
WinRM logs activity to an event log on the target machine. This includes both success and failure messages for authentication.
To view application event logs:
- On the target machine, right-click My Computer and select Manage.
- In the navigation tree on the left, choose System Tools | Event Viewer | Applications and Services Logs | Microsoft | Windows | Windows Remote Management | Operational.
The default Operational log contains the most common events.
To enable additional debug logging information:
- Click View.
- Click Show Analytic and Debug Logs.
- Right-click the log file you want to view.
- Select Enable Log.
Enabling connection type debugging from the Foglight Agent Manager (FglAM)
If the only information you are interested in is the types of connections that are being established, there is a command-line setting that enables logging the connection types.
Run the Agent Manager with the following switch:
-Dquest.debug.windowsinfo.types
NOTE: This logging occurs every time a connection is established and can be very verbose. It is recommended for debugging purposes only.
For additional debug logging refer to: How to enable Kerberos Debug at the FglAM level (4309953)
When investigating WinRM configuration problems, please collect the following items:
- Foglight Agent Manager (FglAM) support bundle
  Dashboards | Administration | Agents | FglAM Support Bundle
- Output of the WinRM configuration
  winrm get winrm/config >> _winrm.cfg
- Output of the WinRM listener configuration
  winrm enum winrm/config/listener >> _winrmlistener.cfg
- FMS support bundle
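
The following Python example is added here and is not part of the Foglight documentation or tooling. It parses a saved copy of the winrm get winrm/config output (such as the _winrm.cfg file collected above) and compares the Service settings with the values this article lists for a domain or local service account, also flagging the case where Basic authentication is combined with AllowUnencrypted = true. The function names and the sample text are hypothetical, and the code assumes the file keeps the command's indentation.

```python
# Constructed sample shaped like `winrm get winrm/config` output; values are illustrative.
SAMPLE = """\
Config
    Client
        AllowUnencrypted = false
        Auth
            Basic = true
    Service
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
        CertificateThumbprint
        AllowRemoteAccess = true
"""

def parse_winrm_config(text):
    """Flatten the indented output into {'Config/Service/Auth/Basic': 'true', ...}."""
    settings, stack = {}, []  # stack holds (indent, section name) for the current path
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:  # leave sections we have dedented out of
            stack.pop()
        key, sep, value = line.strip().partition(" = ")
        if sep:
            # Drop a trailing bracketed annotation (for example a policy source tag).
            settings["/".join([name for _, name in stack] + [key])] = value.split(" [")[0]
        else:
            stack.append((indent, key))  # section header, or a key printed with no value
    return settings

def audit_service(settings, account_type):
    """Check Service settings against this article's values for a 'domain' or 'local' account."""
    def get(key):
        return settings.get("Config/Service/" + key, "<missing>").lower()
    expected = {"Auth/Negotiate": "true"}
    if account_type == "domain":
        expected.update({"Auth/Kerberos": "true", "Auth/Basic": "false"})
    else:
        expected["Auth/Basic"] = "true"
    return {
        "transport": {"true": "HTTP", "false": "HTTPS"}.get(get("AllowUnencrypted"), "unknown"),
        "mismatches": [f"{k} = {get(k)} (expected {v})" for k, v in expected.items() if get(k) != v],
        # Basic over HTTP puts the account password on the wire base64-encoded, not encrypted.
        "cleartext_basic": get("Auth/Basic") == "true" and get("AllowUnencrypted") == "true",
    }
```

Call audit_service(parse_winrm_config(text), "domain") or "local" on the contents of the collected file. If the file was written by redirecting output in Windows PowerShell rather than cmd, it may be UTF-16 encoded and must be opened with that encoding.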