Icinga-Powershell-Framework creates a lot of eventLog errors

Hi at all,

we are testing the PowerShell-Framework on our Windows Machines. Before I create an issue on Git I want to ask you if you have similar problems:
After controlling the EventLog we saw a lot of error messages from the sources Perflib and Perfent like:

etc.

On Windows Server without installed Framework there are not so much errors like this. Has someone any ideas? Are our servers maybe to restricted with the permissions?
One of my colleagues from the server admin group controlled the server and doesn’f found any issue with the performance counter and has this also reseted.

Thank you!

Hello and thank you for your message. This is an “issue” we are currently looking into.
The problem is that the user you are running the Icinga Agent with is not having full access to all Performance Counter objects. Sadly, this results in some errors inside the EventLog.

This issue is caused for every counter which is queried, because in the background it seems like available categories are fetched.

Once we got a proper solution for this, there will be a knowledgesse entry. For now, there is sadly no proper solution for this.

Hi @cstein, thanks for the answer.

We install our agents, like mentioned in the docs, with the network-user. Does this mean we have to run, instead of recommended, with an admin user that the Framework is working correctly? That would actually be a contradiction between instruction and reality :wink:

In general this is not recommended. For now there is how ever no proper solution available to resolve this.
You can mitigate this by running the Icinga Agent as LocalSystem, then the “permission” errors are gone. How ever, I’m still not recommending this and would advice to - well - “just live” with this situation for the moment until we found a proper solution to resolve this.

Then you should chance your docs and/or the standard user in the setup routines, if this is not recommanded :wink:



Or write here a hint, if icinga and the framework is installed, the daemon should run as LocalSystem. This makes a lot easier for us. Especially if we install the framework afterwards.

The only hint for running icinga not as Network User I found here now: https://icinga.com/docs/windows/latest/doc/frameworkusage/33-Run-Icinga-Agent-As-Other-Service-User/#example-1-change-service-user-to-localsystem

Like I said, NT AUTHORITY\Network Service is the default and recommended. If the EventLog entries are bothering you, there is no way to resolve this issue by now besides running the Icinga Agent as LocalSystem

For security reasons, I do not recommend this. Once we figured out on how to grant permissions to specific Performance Counter services, this is all resolved. For now there is no solution available.

I do not want to set LocalSystem as default or encourage users to run it that way. I’m just offering a workaround in case the EvengLog messages are bothering you, until we found a proper solution.

2 Likes

Ok, thank you.
For now we will discuss this internal. I will also suggest your workaround our server admins if they want to monitor such performance counters or for security reasons they want to wait for an official solution. It will be their decision. :wink:

Is there a github issue for tracking this? I looked but couldn’t find one, and we’re hitting the same issue.

Hi, no I didn’t create one. Because first I wanted to know what it could be and @cstein gave me an answer why this happens. And that was ok/enough for me (us) :wink:

Hello, yes there is an issue available: Documentation: How to set Perfcounter Permissions · Issue #119 · Icinga/icinga-powershell-plugins (github.com)

Right now we have no proper solution for this and are not able to reduce the impact. We are working internally on different approaches right now, but there is nothing we can share as of today sadly.

1 Like