Chat now with support
Chat mit Support

Foglight for Infrastructure 6.0.0 - User Guide

Using Foglight for Infrastructure Monitoring log files with Foglight Log Monitor Monitoring IBM PowerVM environments
Before you begin Managing PowerVM HMC agents Monitoring your PowerVM environment
Advanced system configuration and troubleshooting Reference
Foglight for Infrastructure views Foglight Log Monitor views Rules Metrics
Appendix: Building regular expressions in Foglight

Advanced system configuration for WinRM

Even though the local user will now have access to Windows Remote Management (WinRM), not all performance monitoring classes allow non-administrative users to access their instances. Some performance classes will still need advanced configuration for the non-administrative user to be able to perform queries/execute methods on their object instances. To perform the advanced configuration for non-administrative users, make sure to log into the remote machine using the Administrator account.

The advanced configuration for non-administrative users includes the following steps:

1
Adding a non-administrative user to user groups
2
Setting WinRM RootSDDL for a non-administrative user
3
Granting permission to the namespace
4
Granting permission to the service
5
Additional WinRM configuration in FIPS-compliant mode
Adding a non-administrative user to user groups

The non-administrative users must be added into the Performance Monitor Users group that enables the access to the object instances and the Event Log Readers group that grants the permission for reading event logs.

* 
NOTE: The non-administrative users should have been added to the Distributed COM Users group by default, which enables the remote connection using Windows Remote Management (WinRM).

To add a non-administrative user to the above user groups:

1
Run lusrmgr.msc.
2
From the Local Users and Groups (Local) > Users list, right click the non-administrative user who you want to add, and then click Properties from the context menu.
3
In the <non-administrative user> Properties dialog box, click Member of.
4
Click Add.
The Select Groups dialog box appears.
5
In the Select Groups dialog box, type Performance Monitor Users;Event Log Readers in the Enter the object names to select field, and then click Check Names.
6
Click OK to return to the <non-administrative user> Properties dialog box.
7
Click OK.
The selected user has been added to both user groups.
Setting WinRM RootSDDL for a non-administrative user

After adding a non-administrative user to the needed user groups, you will see the following result if the user permission is not allowed through SDDL.

winrm enum wmicimv2/Win32_ComputerSystem -u:<non-administrator user>
WSManFault
Message = Access is denied.
Error number: -2147024891 0x80070005
Access is denied.

To grant the WinRM RootSDDL permission to a non-administrative user:

1
Execute the following command to get the RootSDDL value.
winrm get winrm/config
2
You will see the following default RootSDDL value.
...
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
Notes:
O = Owner
G = Primary Group
D = DACL Entries
S = SACL Entries
...
3
Execute the following command, in order to modify the SDDL permission in DACL Entries and to allow the full control access to the Performance Monitor Users group (which SID is S-1-5-32-558).
* 
NOTE: The SID of the Performance Monitor Users group will be varied. Change the SID to the actual SID used in your environment, as needed.
winrm set winrm/config/service @{RootSDDL="O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-32-558)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)"}
4
You will see the following RootSDDL value.
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-32-558)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
Granting permission to the namespace

After setting WinRM RootSDDL for a non-administrative user, log into the remote machine using the administrative user credentials and execute the following command:

winrm enum wmicimv2/Win32_ComputerSystem -u:<non-adminstrtor user>

You will see the following result, if the non-administrative user does not have the permission to the namespace.

winrm enum wmicimv2/Win32_ComputerSystem -u:<non-adminstrtor user>
WSManFault
Message
ProviderFault
WSManFault
Message = The WS-Management service cannot process the request.
The WMI service returned an 'access denied' error.
Error number: -2144108284 0x80338104
The WS-Management service cannot process the request. The WMI service returned an 'access denied' error.

To grant the permission to the namespace for the current non-administrative user:

1
Run wmimgmt.msc.
The WMI Control (Local) Properties dialog box appears.
2
Right click WMI Control, and click Properties from the context menu.
3
Click Security > Root > cimv2, and then click Security.
The Security for ROOT\cimv2 dialog box appears.
4
Click Add.
The Select Users, Computers, Service Accounts, or Groups dialog box appears.
5
Type Performance Monitor Users;Event Log Readers in the Enter the object names to select field, and then click Check Names.
6
Click OK to return the Security for ROOT\cimv2 dialog box.
7
Selected the added user group, and then grant all permissions for this user group.
8
Click OK to return the WMI Control (Local) Properties dialog box.
9
Repeat Step 3 to Step 8 to grant all permissions for Security > Root and Security > Root > mscluster.
Granting permission to the service

Most services data can be collected if the Performance Monitor Users group has been granted the permission to services. If you still fail to collect some service data because of permission issues, on the remote machine, execute the following command where <service_name> is the Service name in the Service Property dialog box:

sc sdshow <service_name>

The permissions of the Built-in Administrator (BA) will appear after executing the above command. Execute the following command to grant the additional permissions, as needed.

sc sdset <service_name>...
* 
NOTE: Ensure that the Administrators have been granted with sufficient permissions; otherwise you will fail to monitor some services.

The following sample demonstrates how to grant permission to the SCMANAGER service:

1
Execute the following command:
sc sdshow SCMANAGER
2
You will see the following result:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)
3
Add “(A;;CCLCRPRC;;;S-1-5-32-558)” between “D:” and “(A;;CC;;;AU)”, and execute the sc sdset command to grant the permission to the SCMANAGER service. For example, execute the following command:
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;S-1-5-32-558)(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)
Additional WinRM configuration in FIPS-compliant mode

Foglight for Infrastructure WindowsAgent supports to establish Windows Remote Management (WinRM) connections in FIPS-compliant mode. However, when establishing the WinRM connection using Negotiate authentication scheme in FIPS-compliant mode, the password of the credential is required to be no less than 14 characters, otherwise, the connection will be rejected.

If you figured out that your agent’s WinRM connection is not working, check below list to see if it is caused by the password length restriction issue:
Access the Foglight Management Server’s Homes > Alarms dashboard and check if there is an “Insufficient Password Length” alarm related to your monitored host. See the example as below:
Or check the logs of Foglight Agent Manager where the WindowsAgent instance is deployed and see if there are log messages as below.
2019-12-23 10:49:09.713 WARN [WinRMWebServiceManagementConnection[25]-0] com.quest.glue.core.remoteconnection.negotiate.SPNEGOAuthenticationScheme - Authentication failed: unable to log in to https://hostname...:5986 (org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits

If either of above cases exists, you need to change your monitored host password to no less than 14 characters in order to successfully monitor your host with WinRM connection using Negotiate authentication scheme in FIPS-compliant mode.

Configuring default local user credentials for Infrastructure Agents

To monitor target hosts, Infrastructure Agent instances require user credentials to get access to the system resources. If the Foglight Agent Manager is physically located on the host being monitored, default local user credentials are automatically created while deploying the Infrastructure cartridge.

However, under certain circumstances, such as the default lockbox cannot be found in the server, the cartridge deploying process will not create local user credentials. Then, if you want to do local monitoring with Infrastructure Agents, you will have to manually add the credentials to the server.

To create default local user credential for monitoring local host:
1
Log in to the Foglight browser interface.
2
On the navigation panel, under Dashboards, click Administration > Credentials.
3
On the Credentials page that appears in the display area, click Manage Credentials.
4
On the Manage Credentials dashboard that appears in the display area, click Add.
The Select the Type of Credential to Add list appears.
5
In the Select the Type of Credential to Add list, click User Client’s Login At Connection Time.
The Add A New “User Client’s Login At Connection Time” Credential wizard appears.
6
On the Credential Name and Lockbox page, select the lockbox in which you want to store the local user credential, and specify a unique credential name. Click Next.
* 
TIP: If you cannot find a suitable lockbox in the list, click Add to create a new one.
The Resource Mapping page appears.
7
Specify mapping conditions of the credential.
a
On the Resource Mapping page, click Add.
The New Resource Mapping Condition dialog box appears.
b
Select the appropriate Usage according to your operating system. To open the Usage drop-down list, click the down-facing arrow on the right. Select either of the following:
Local Unix machine - Infrastructure Monitoring for Unix
Local Windows machine - Infrastructure Monitoring for Windows
c
Click the down-facing arrow on the right to open the Access Resources Using drop-down list. Select the Is Local Host.
d
Ensure that equals and Evaluate This Condition are selected. Click Add.
e
The New Resource Mapping Condition dialog box closes and the Resource Mapping page refreshes. The newly specified resource mapping is displayed.
f
Optional—you can refine your credential settings. For example, to specify the time during which the credential is valid, the number of failed attempts after which the credential will be locked, the number of times the credential can be used, or the period of time during which the credential data is cached on the server. For complete information, see the Administration and Configuration Help.
8
Click Finish.
The Add A New “User Name and Password” Credential wizard closes and the Manage Credentials dashboard refreshes. The newly added local user credential is displayed in the list.

 

Reference

Foglight displays monitoring data in views that group, format, and display data. The main types are described below.

Dashboards are top-level views that contain lower-level views. The dashboards supplied with Foglight, as well as those created by users, are accessible from the navigation panel.

Lower-level views in Foglight can be added to dashboards or can be accessed by drilling down from a dashboard. They receive and display data directly from the Management Server or from other views. Some views filter or select data that appears in other views in the same dashboard. Some are tree views with expandable nodes for selecting servers, applications, or data.

For more details, see these topics:
Foglight for Infrastructure views
Foglight Log Monitor views
Rules
Metrics

Foglight for Infrastructure views

Foglight for Infrastructure ships with several predefined views, to help you monitor your infrastructure environment:
Quick View
Summary view
Resource Utilizations view
Host Monitor views
Processes views
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen