BMC PATROL KM for Windows remote monitoring FAQs

This section addresses common questions about using the BMC PATROL Knowledge Module for Microsoft Windows to perform remote monitoring.

Which data collection method is used by remote monitoring?

Remote monitoring uses the PATROL Scripting Language (PSL) data collection method to discover instances and to get data through the remote External PSL Call (XPC).

What is the role of psx_server_remote.xpc in remote monitoring?

PATROL KM for Windows uses an XPC-based collection mechanism to support monitoring of the remote hosts. The psx_server_remote.xpc stand-alone executable communicates with PATROL Agent through standard input (stdin) and output (stdout) channels connected with pipes. The communication between PATROL Agent and the XPC server is handled by the SDK libraries through PSL function calls.

psx_server_remote.xpc is an XPC-based WinRM client that opens sessions with remote hosts, runs WMI queries on those hosts, and returns the output to the PSL collectors. For the PSL collectors, the command execution is transparent and the same PSL collectors work well with the local host and the remote host.

The XPC-based WinRM client has following advantages:

A single WinRM client (process) can handle multiple remote sessions simultaneously.
Multiple WMI queries can be executed over a single remote session simultaneously.

The XPC-based client is responsible for collecting information from the remote host for the application classes.

Which operating systems can I monitor remotely?

The following operating systems that are supported by PATROL Agent and PATROL KM for Windows can be monitored on a remote host:

Microsoft Windows XP Professional, SP 3, x86
Microsoft Windows XP Professional, SP 3, x86-64
Microsoft Windows Server 2003, SP 2, x86
Microsoft Windows Server 2003, SP 2, x86-64
Microsoft Windows Server 2003, SP 2, Itanium 2
Microsoft Windows Vista, SP 1, x86 and x86-64
Microsoft Windows Server 2008, x86 and x86-64, Itanium 2
Microsoft Windows Server 2008 Core x86 and x86-64
Microsoft Windows Server 2008 R2, x86-64, Itanium 2
Microsoft Windows Server 2008 R2 Core, 64-bit
Microsoft Windows 7 (x86, x86-64)
Microsoft Windows Server 2012, R2 x86-64
Microsoft Windows Server 2012, R2 Core, 64-bit

What are “user profiles” in remote monitoring?

User profiles provide a way to share credentials among multiple hosts. The hosts that have the same credentials can be grouped into a user profile. You can then assign that profile to all hosts.

Example:

Host A, Host B, and Host C have the same credentials (patqa1/patAdm1n). You can create a profile named Test with credentials, patqa1/patAdm1n.

All hosts that are added to the Test profile automatically refer to these profile credentials for authentication; you do not have to enter credentials every time, but you must specific the port and protocol depending on the remote host.

Which application classes are supported for remote monitoring?

The remote monitoring functionality in version 4.3.00 and later of PATROL KM for Windows, supports the following application classes:

NT_CACHE
NT_CPU
NT_CPU_CONTAINER
NT_HEALTH (version 4.5.00 onwards)
NT_LOGICAL_DISKS
NT_LOGICAL_DISKS_CONTAINER
NT_MEMORY
NT_NETWORK
NT_OS
NT_PAGEFILE
NT_PAGEFILE_CONTAINER
NT_SERVICES
NT_SERVICES_CONTAINER
NT_SYSTEM (version 4.4.00 onwards)
NT_PHYSICAL_DISKS_CONTAINER (version 4.4.00 onwards)
NT_PHYSICAL_DISKS (version 4.4.00 onwards)
NT_PROCESS (version 4.5.00 onwards)
NT_PROCESS_CONTAINER (version 4.5.00 onwards)
NT_PROCESS_GROUP (version 4.5.00 onwards)
NT_EVENTLOG
NT_EVINSTS

Limitations

The following application class limitations apply for remote monitoring on Windows computers:

Discovering an application class depends on the WMI query. Discovery might not work if the WMI counters are not available, the output is invalid, or the user account that you provided while adding the remote host does not have permission to execute the WMI query.

In the NT_SERVICES_CONTAINER application class, the Disable Automatic Restart and Configure Service menu commands do not work for remote hosts.

In the NT_SERVICES application class, the Start, Stop, Pause, and Reset menu commands do not work for remote hosts and recovery action to auto restart is not supported for remote hosts.
In the NT_OS application class, the values of the Up Time and Last Reboot At InfoBox fields are not displayed.
In the NT_PROCESS_CONTAINER application class, the View Process Status KM command does not work for remote hosts.
In the NT_PROCESS application class, the View Process Details KM command does not work for remote hosts.
The options Restart the process using the specified command when the process is terminated and Terminate the process when the process' CPU% usage exceeds the defined PATROL threshold for n minutes, from the Process Settings window (KM commands > Configure Manual Process Monitoring > Process Settings) do not work for remote hosts.
In case of the NT_HEALTH application class, only MemoryUsage and SystemPaging parameters are displayed.

Which WMI queries do application classes refer to?

The following table lists the application classes and the WMI queries that they use.

What is the collection mechanism for monitoring event logs?

Event Log Configuration Event Log: Select this check box to enable Event Log monitoring. By default, all Windows event logs are monitored if they are registered in the Windows registry at the following location:

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog

	List of Users	Click button to configure user details.
List of Event Logs: Click button to configure the event logs.
Log Name	Specify the event log name for which you want to create a filter.
List of Filters: Click button to filter the event logs.
Name	Enter a unique name that represents the event filter, and follows these rules: The filter name cannot exceed 127 characters. The filter name cannot use the following format: user@domain.com. If this format is used for the filter name, the filter fails to filter events.
Description	Enter a short description of the filter you are creating. This is additional information regarding the filter and you can change the description at any time.
Report/Notify	Select one of the following options, as appropriate: Report the number of events that match the filter criteria during each collection period - If you select this option, PATROL monitors the number of events that match the filter criteria during each collection cycle. Depending on which event types the filter monitors, the following parameters are used to report this data: Number of Error Events (ELMError) Number of Failure Audit Events (ELMFailureAudit) Number of Information Events (ELMInformation) Number of Other Type Events (ELMOtherTypes) Number of Events (ELMStatus) Number of Success Audit Events (ELMSuccessAudit) Number of Warning Events (ELMWarning) Notify immediately when an event matches the filter criteria - If you select this option, PATROL immediately changes a parameter to an alarm state when an event matches the filter criteria.Depending on which event types the filter monitors, the following parameters are displayed in an alarm state when an event matches the filter: Notifications of Error Events (ELMErrorNotification) Notifications of Failure Audit Events (ELMFailureAuditNotification) Notifications of Warning Events (ELMWarningNotification) Notifications of Windows Events (ELMNotification) (This parameter is active only when you have selected both of the option, Notify immediately and consolidate event types.
Source Details	Click button to configure the source name.
	Name	Specify the event log source name or a regular expression.
	OK	Click to save the configuration.
	Cancel	Click to close the dialog.

	Use name as a regular expression	Select this check box if you specified a regular expression in the Name field.
	Disable case sensitivity	Select this check box to disable case sensitivity for the source filtering. You can specify whether to make filter comparisons in a case-independent manner for the source, user, category, and string options of a Windows event filter. To disable case-independent comparisons for any of the options, ensure that the corresponding Disable Case Sensitivity check box while configuring windows event monitoring is cleared. The /PSX_P4WinSrvs/PWK_PKMforMSWinOS_config/EventLogMonitoring/eventlog/EventFilters/filter/FilterDisableCase configuration variable stores information about case-sensitivity of the event filter options. This variable has five bit values, depending upon case sensitivity, one bit corresponding to each of Source, User, Category, String, and Computer name, respectively. If any bit value is 1, a case-independent filter comparison is made for the corresponding field. You can set this variable to either of the following values: 00000 = none checked (default) 11111 = all 5 categories checked A combination of 0s and 1s, depending on which of the 5 categories were checked To disable case-sensitivity in the event filters, set the value of the FilterDisableCase configuration variable to 00000.
	Include/Exclude Source List	Select one of the following options, as appropriate: Include all event sources in the list Exclude all event sources in the list
Event Type Details	This option helps you to configure event details.
	Event Types to Monitor	Select one or more of the following event types to use in the filter for monitoring. Critical Error Warning Information Verbose Success_Audit Failure_Audit Others
	Consolidate event types when reporting	Select this option if you want various types of events (for example, Warning, Information, Error) to be reported by using one parameter, ELMStatus (or ELMNotification if you configured to be notified immediately when an error occurs while defining the Report/Notify option). Clear this check box, if you want to have separate parameters for each event type that can raise alarms independently.
Event ID Details	Click button to configure event ID details.
	Windows Event ID(s)	You can select one or more multiple IDs in the following ways: Single event ID. For example: 100 Comma-separated list of multiple event IDs. For example: 100,110,120 Range of event IDs. For example: 100-120 Regular expression. For example: 1[0-5]3

	Use Event ID as a regular expression	Select this check box if you specified a regular expression in the Windows Event ID(s) field.
	Include/Exclude Event ID List	Select one of the following options, as appropriate: Include all event IDs in the list Exclude all event IDs in the list
Event Handling	Choose how to handle your Windows events.
	Annotate Graph parameter with event details	Select this check box to annotate event details to Graph parameters.
	Write event details to a text parameter	Select this check box to add event details to text parameters.
	Use event details for a recovery action	Select this check box to enable using the event details for recovery actions.
	Report multiple events as a single event when the event occurs	Specify the number of events that must be reported as a single event depending on the value that you specify in the Time within seconds field. By default, this value is set to 1.
	Time within seconds	Specify the number of seconds that must be used for reporting multiple events as a single event. By default, this value is set to 0.
	Enter text automatic or Filter name to Acknowledge Alarm	Specify how you want to acknowledge the alarm raised by the event filter. You can specify one of the following values: automatic: If you specify automatic, then PATROL acknowledges alarms and returns the filter to an OK state if the filter criteria are not met during the most recent collection cycle. In other words, if the events you are monitoring do not occur during the collection cycle, the event filter state is changed back to OK. With this option you are not actively monitoring for alarms, you might not notice when the monitored events occurs because any alarms will be reset during the next collection cycle if the monitored events do not re-occur. Note: If you select the Notify immediately when an event matches the filter criteria option, PATROL cannot acknowledge the alarm or return the filter to an OK state. PATROL keeps the filter in alarm until an operator manually acknowledges the alarm. filterName: If you specify the filter name, then PATROL changes the filter state from an alarm state to an OK state when the criteria of a second event filter are met. To use this option, you must create an event filter that monitors for the required event and that is configured to notify PATROL immediately when that filter criteria is met, and then specify the filter name in this field. By default, this value is set to automatic.
Advanced Properties	Click this tab to specify advanced properties for events.
	User Name	Specify the user name associated with the events that you want to monitor or exclude from monitoring.
	OK	Click to save the configuration.
	Cancel	Click to close the dialog.

	Include/Exclude User List	Select one of the following options, as appropriate: Include all users in the list - Specifies that all of the users in the list are monitored by the event filter. Select this option when you only want to monitor specific users. Exclude all users in the list - Specifies that all the users except those in the list are monitored by the event filter. Select this option when you want to monitor all the users, except for a few specific users, which you want to exclude from the event filter.
	Disable Case Sensitivity	If you select this option, the event filter makes filter comparisons in a case-independent manner.

	List of Categories	Click button to provide category details for the events you want to monitor.
	Category Name	Specify the category name associated with the events that you want to monitor or exclude from monitoring.
	OK	Click to save the configuration.
	Cancel	Click to close the dialog.

	Include/Exclude Category List	Select one of the following options, as appropriate: Include all categories in the list - Specifies that all of the categories in the list are monitored by the event filter. Select this option when you only want to monitor specific categories. Exclude all categories in the list - Specifies that all the categories except those in the list are monitored by the event filter. Select this option when you want to monitor all the categories, except for a few specific categories, which you want to exclude from the event filter.
	Disable Case Sensitivity	If you select this option, the event filter makes filter comparisons in a case-independent manner.

	String Details	Click button to provide string details associated with the events you want to monitor.
	Include String	Specify the string associated with the events that you want to include for monitoring. When entering a string that includes special characters that are used in regular expressions, such as a dollar sign ($), a period (.), a parenthesis (), or a slash (), you must escape each special character with a slash. For example, if the string is $Error, you must enter the string as \$Error.
	OK	Click to save the configuration.
	Cancel	Click to close the dialog.
	Exclude String	Specify the string associated with the events that you want to exclude for monitoring. When entering a string that includes special characters that are used in regular expressions, such as a dollar sign ($), a period (.), a parenthesis (), or a slash (), you must escape each special character with a slash. For example, if the string is $Error, you must enter the string as \$Error.
	Disable Case Sensitivity	If you select this option, the event filter makes filter comparisons in a case-independent manner.
	OK	Click to save the configuration.
	Cancel	Click to close the dialog.
	Close	Click this option to save your details
	Computer Details	Click to provide details regarding the computers associated with the events that you want to monitor.
	Computer Name	Specify the computer associated with the events that you want to monitor or exclude from monitoring.
	OK	Click to save the configuration.
	Cancel	Click to close the dialog.
	Include/Exclude User List	Select one of the following options, as appropriate: Include all computers in the list - Specifies that all of the computers in the list are monitored by the event filter. Select this option when you only want to monitor computers. Exclude all computers in the list - Specifies that all the computers except those in the list are monitored by the event filter. Select this option when you want to monitor all the computers, except for a few specific computers, which you want to exclude from the event filter.
	Disable Case Sensitivity	Select this check box to disable case sensitivity for computer comparison.
OK	Click to save the configuration.
Cancel	Click to close the dialog.

How many remote hosts can one PATROL Agent monitor?

There is no maximum limit on the number of remote hosts that one PATROL Agent can monitor. However, in the PATROL Performance, Scalability and Reliability (PSR) lab, the largest configuration tested consisted of 75 hosts with the Event Log KM, and 125 hosts without the Event Log KM.

Can I use an earlier version of PATROL Agent?

Yes. You can use any of the earlier PATROL Agent versions supported. BMC recommends you to use the latest version of the PATROL Agent for better performance. BMC recommends you to use the latest version of PATROL Agent available.

Can I monitor Windows computers from PATROL Agent for UNIX?

No, you cannot monitor Windows computers from a UNIX computer.

How do I configure PATROL KM for Windows for remote monitoring?

The NT_REMOTE_HOST and NT_REMOTE_CONTAINER application classes have been introduced to monitor remote hosts.

To add a remote host for monitoring

Install PATROL Agent and PATROL KM for Windows on a computer.
Add the computer in step 1 in the PATROL console as a Managed Node.
Load NT_REMOTE.kml.
After full discovery is complete, right-click the Remote Monitoring container and choose KM Commands > Configure Remote Hosts.
In the Configure Remote Host Monitoring dialog box, provide the host name, user name, password, port number and protocol of the remote host to be monitored, and then click Apply.

Note: You can also add a host by using a profile.

To modify a remote host

Right-click the Remote Monitoring container and choose KM Commands > Configure Remote Hosts.
In the Configure Remote Host Monitoring dialog box, highlight the remote host that you want to modify, select the Modify option, and then click Apply.
In the Modify Remote Host dialog box, edit the remote host information as required, and then click Apply.

To delete a remote host

Right-click the Remote Monitoring container and choose KM Commands > Configure Remote Hosts.
In the Configure Remote Host Monitoring dialog box, highlight the remote host that you want to remove.
Select the Remove option, and click Apply.

How do I create user profiles for a remote host?

You can create user profiles from the Configure Profiles dialog box.

To create a user profile for a remote host

Right-click the Remote Monitoring container and choose KM Commands > Configure Profiles.
In the Configure Profiles dialog box, provide the profile name, user name, and password, and then click Apply.

To modify a user profile

Right-click the Remote Monitoring container and choose KM Commands > Configure Profiles.
In the Configure Profiles dialog box, select the profile that you want to modify, and then select the Modify option.
Click Apply.
Edit the profile details as required, and then click Apply.

To delete a user profile

Right-click the Remote Monitoring container and choose KM Commands > Configure Profiles.
In the Configure Profiles dialog box, select the profile that you want to modify, and then select the Remove option.
Click Apply.

What are the Performance and Scalability metrics for remote monitoring?

The following table lists the metrics based on 4 processors and 4GB of RAM for 125 remote hosts monitored without the Event Log KM for 120 hours on the Windows 2008 R2 operating system.

The following table lists the metrics based on 4 processors and 4GB of RAM for 75 remote hosts monitored with the Event Log KM for 120 hours on the Windows 2008 R2 operating system.

How do I configure remote hosts via the PATROL Configuration Manager (PCM)?

You can add remote hosts in the PATROL Agent by creating the following rulesets in PCM:

To add a remote host in the PATROL Agent, create the following rulesets:

"/REMOTE/HOSTS/hosts" = { APPEND = "HostName:PortNo" }
"/REMOTE/HOSTS/remoteHost/userAccount" = { REPLACE = "UserName" }
"/REMOTE/HOSTS/remoteHost/connectionProtocol" = { REPLACE = "1 or 2" }
"/SecureStore/NT_REMOTE_HOST/remoteHost/connectPassword" = { REPLACE = "NT_OS;NT_SERVICES_CONTAINER;NT_REMOTE_HOST/EncryptedPassword" }

To add a remote host in the PATROL Agent using profiles, create the following rulesets:

"/REMOTE/HOSTS/hosts" = { APPEND = "HostName:PortNo" }
"/REMOTE/HOSTS/remoteHost/accountProfile" = { REPLACE = "ProfileName" }
"/REMOTE/HOSTS/remoteHost/connectionProtocol" = { REPLACE = "1 or 2" }
"/REMOTE/PROFILE/profileList" = { APPEND = "ProfileName" }
"/REMOTE/PROFILE/ProfileName/hostList" = { APPEND = "HostName:PortNo" }
"/SecureStore/NT_REMOTE_HOST/ProfileName/connectPassword" = { REPLACE = "NT_OS;NT_SERVICES_CONTAINER;NT_REMOTE_HOST/EncryptedPassword" }

The following table gives a description of the items to be entered in the preceding rulesets:

Item	Description
remoteHost	Name of the remote host
HostName:PortNo	HostName: name of the remote host PortNo: WinRM listener port number
UserName	User name that you will use to configure remote hosts
1 or 2	Used to identify the protocol for WinRM connection: 1 = HTTP 2= HTTPS
ProfileName	Profile name that you will use to share credentials
EncryptedPassword	Encrypted password that you will enter in a secure key store. You can encrypt the password in the following ways: Use the encrypt() function. Syntax: encrypt ("password","DES") Use the pwd_encrypt password binary file from %patrol_home%\bin

For information on configuring remote hosts in the PATROL console, see Configuring remote hosts.

How do I perform remote monitoring in a High Availability environment?

You can perform remote monitoring on a virtual PATROL Agent in a High Availability environment.

For more information, see BMC PATROL Agent Reference Manual.

Can I monitor more than 125 remote hosts on a single computer?

Yes, you can monitor more than 125 remote hosts on a single computer. To do this, you have to run another PATROL Agent on a port different from the one you are already using, and add upto 125 remote hosts. In the PATROL PSR lab, a maximum of two PATROL Agents have been tested to function simultaneously. To monitor more than 125 hosts at the same time, ensure that you have enough hardware resources to support this configuration in your environment.

How do I debug PATROL KM for Windows for remote monitoring?

You can enable and disable the application trace at the XPC level for the remote XPC for a particular remote host.

To enable debugging for an application class of a remote host

Right-click the remote host instance and choose KM Commands > Configure Application Trace.
The Configure Application Trace dialog box appears, as displayed in the following figure:
Select the application class that you want to debug, and then click Apply.
The Configure Application Trace dialog box displays the application class details.
Click Done.
Note
The debug information for the XPC trace is stored in the %patrol_home%/log/psx_server_remote.log file.

To disable debugging for an application class of a remote host

Right-click the remote host instance and choose KM Commands > Configure Application Trace.
In the Configure Application Trace dialog box, select the application class that you want to stop debugging, and then click Apply.
Clear all check boxes in the Configure Application Trace dialog box.
Click Apply.
Click Done.

How do I configure WinRM?

You can use one of the following commands to configure the WinRM:

winrm quickconfig -transport:http
winrm quickconfig -transport:https

Note

If you are logged in on a non-Administrator account, you must either right-click the Command Prompt icon in the Start Menu and select Run as Administrator, or use the Runas command at the command prompt.

The winrm quickconfig command creates a firewall exception only for the current user profile. If the firewall profile is changed for any reason, you must run the winrm quickconfig command again to enable the firewall exception for the new profile.

WinRM automatically configures the ports that it uses. The port number might be different, depending on the version of WinRM that you install.

For WinRM 1.1:

The default HTTP port used is 80.
The default HTTPS port used is 443.

For WinRM 2.0 or later:

The default HTTP port used is 5985.
The default HTTPS port used is 5986.

The winrm quickconfig command also performs following tasks:

Starts the WinRM service.
Sets the WinRM service type to auto start.
Creates a listener to accept requests on any IP address.
Enables a firewall exception for WS-Management traffic (HTTP only).

Tip

If WinRM reports that it is unable to verify the status of the firewall, start the firewall service and run the winrm quickconfig command again. You can stop the firewall service after configuring WinRM, if desired.
If WinRM reports that it is unable to create a WinRM listener on HTTPS because the WinRM Server does not have a valid SSL certificate, check whether the SSL certificate is valid and ensure that it meets all requirements.

For an SSL certificate to be valid, its CN value must match the host name, it must not be expired, revoked, or self-signed, and it should be valid for server authentication.

In order to update the trusted hosts list use below command:

winrm set winrm/config/client @{TrustedHosts="<hostname1>,<hostname2>"}

How do I view the WinRM configuration?

You can use the following commands to display WinRM configuration details:

For the WinRM configuration:
winrm get winrm/config
For the WinRM Client configuration:
winrm get winrm/config/client
For the WinRM Server configuration:
winrm get winrm/config/service
For Winrs configuration:
winrm get winrm/config/winrs
For listener information:
winrm enumerate winrm/config/listener
For the WinRM version details:
winrm id

Can I change the WinRM configuration as a standard user?

By default, an Administrator user has permissions to change the WinRM configuration. In addition, a standard user who is a member of administrator group can also change the WinRM configuration.

How do I start and stop the WinRM service?

You can use the following command to start and stop the WinRM service:

sc <start|stop> winrm

You can use SCM to start and stop the Windows Remote Management service (WSManagement).

How do I verify the WinRM connection for a specific remote host?

You can use the following commands to verify the WinRM connection with a remote host.

To verify a remote host connection via HTTP or HTTPS using a domain account:
- winrm id -r:http://<hostname>:<port> -u:<domain\username> -p:<password>
- winrm id -r:https://<hostname>:<port> -u:<domain\username> -p:<password>
  OR
- winrs -r:http://<hostname>:<port> -u:<domain\username> -p:<password><sys_command>
- winrs -r:https://<hostname>:<port> -u:<domain\username> -p:<password><sys_command>
To verify a remote host connection via HTTP or HTTPS using a local account:
Note
In Microsoft Windows Vista and later versions of Windows, the User Account Control (UAC) affects access to the WinRM service. When Negotiate authentication is used in a workgroup or domain, only the built-in Administrator account can access the service.
To allow all accounts in the Administrators group to access the service using the Regedit utility, set the value of the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy registry key to 1.
- winrm id -r:http://<hostname>:<port> -u:<username> -p:<password>
- winrm id -r:https://<hostname>:<port> -u:<username> -p:<password>
  OR
- winrs -r:http://<hostname>:<port> -u:<username> -p:<password> <sys_command>
- winrs -r:https://<hostname>:<port> -u:<username> -p:<password> <sys_command>
Note
<sys_command> refers to any Microsoft Windows operating system command, such as DIR or SYSTEMINFO.

How do I resolve connectivity issues for the WinRM command?

You might encounter one of the following scenarios while verifying the remote host connection with the winrm command.