windows certificate store scan


mnagel

I have written a DS that uses PowerShell to discover any SSL Certificate within the Windows certificate stores and generates alerts for those expiring soon and for those that have already expired.  The alert messages are still generic as I am fighting a weird timeout issue with the data collection code against remote devices.  The AD code works fine and the data collection code is virtually identical, simpler in fact as we have the serial number on hand.  If I run it from the collector itself in a PS console, it also works fine.  Just seems to go to lunch when run from within LM itself.  If anyone wants to take a look and see if they can find the problem, that would be much appreciated -- my intent is to polish it up and release it publicly.  It is in code review, not clear how long that will take with the new LMExchange feature.

2YPMLN


Thanks!  And, we shall see :).  I stepped away for now on the whole data collection timeout thing to clear my head.  Feels like it is LM causing it, but can't see how.  I based the general structure on the "_Windows patches needed" DS Mike Suding wrote.  Also tried the PSSession avenue other DSes use, but made no difference.  Same exact code run from the collector PS shell returns data quickly.  Hopefully we can figure it out -- this information is otherwise hard to get from external tests.


  • LogicMonitor Staff

Hey @mnagel, I think I found the issue. Your if statement in the collection script checks to see if $TargetUser matches "wmi.user". Unfortunately, tokens behave differently in collection than AD. In AD, a nonexistent property will return the token name. In a collection script, a nonexistent property will return a blank string. I think if you change your collection script to match on "" for user and pass, it will work.

I'll talk to the collector team about how we might be able to fix this and make things consistent.


Thanks! I need to make one more pass on it to enable custom alert messages. I added two different virtual datapoints so messages can say "expired XX ago" versus "will expire in XX". Looking forward to one day being able to just check stuff when alert messages are actually handled by template processors :).


  • LogicMonitor Staff

@mnagel it's through review.

Our system isn't smart enough to notice that we've reviewed an identical script. It just flags anything with code for review (including Groovy CDPs). It would be nice to check them against a list of previously reviewed code and possibly bypass SR in that case.


  • 2 years later...

Could you please confirm the prerequisites to monitor the certificate store? Are any specific privileges required for the WMI user to read all certificates from the store? Here I am trying to monitor a Certificate Server; however, when I tried to scan this Certificate Server with the above DataSource, it found nothing. Could you please guide me here if I am missing anything?

Just for reference, we are migrating from SCOM to LM, so since SCOM is monitoring the PKI (Certificate) Server and captures all certificates and their details, we are trying to get the same done via LM.


  • 3 months later...

Hi 

I am using this DS and getting a situation wherein the AD script is picking up the instances but the collector attributes script no longer finds the instances. Though on other servers in the same environment it works perfectly. Any assistance to help debug and work this out is much appreciated. I can't find any difference in the instances collected by the AD script.


4 minutes ago, Barb said:

Hi 

I am using this DS and getting a situation wherein the AD script is picking up the instances but the collector attributes script no longer finds the instances. Though on other servers in the same environment it works perfectly. Any assistance to help debug and work this out is much appreciated. I can't find any difference in the instances collected by the AD script.

More than likely it is a permissions problem on the server, either for calling PowerShell remotely or for the actual script block (below).

$ScriptBlock = {
    param (
        [bool]$Debug,
        [String]$SerialNumber
    )
    
    # Walk every store under LocalMachine and pick the certificate whose serial
    # number matches the instance being collected (the AD script supplies it).
    if ($Cert = Get-ChildItem -Path Cert:\LocalMachine -Recurse | Where-Object { $_.SerialNumber -eq $SerialNumber }) {
        # The same certificate can live in several stores, so NotAfter can return
        # multiple values; we'll just take the first (zeroth) one using [0].
        $TimeSpan = New-TimeSpan -Start (Get-Date) -End $Cert.NotAfter[0]
        $DaysLeft = $TimeSpan.Days
        # Negative values mean the certificate has already expired.
        Write-Host "DaysLeft=$DaysLeft"
    }
}

You might find more detail in the wrapper.log on your collector as far as what errors are happening (or possibly via Poll Now).  NOTE: this code may have changed a bit since the last publication -- I think we did some work to skip replaced certificates at some point.  I just pushed out the latest iteration (ZZKW9P), but it will need to be reviewed again.
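The token behaviour described earlier in this thread (a missing property comes back as the literal token name in AD but as a blank string in collection) and the remote-vs-local execution question raised just above can be handled together. The following is an added example, not mnagel's DataSource and not LogicMonitor's code: it treats the credential tokens as unset in both cases, runs the scan locally when no credentials are given and via Invoke-Command otherwise, and emits one DaysLeft line per certificate keyed by serial number. The ##SYSTEM.HOSTNAME##, ##WMI.USER## and ##WMI.PASS## token names, the Test-TokenUnset helper, the 30-day threshold and the output format are all assumptions of this example.

```powershell
# Added example, not the original DataSource: one-shot scan of the LocalMachine
# certificate store that reports days-to-expiry per certificate. Assumed:
# LogicMonitor substitutes the ##...## tokens below before the script runs.
$TargetHost = '##SYSTEM.HOSTNAME##'
$TargetUser = '##WMI.USER##'
$TargetPass = '##WMI.PASS##'
$WarnDays   = 30   # constructed threshold for the "expiring soon" state
# In AD an unset property comes back as the token name ("wmi.user"); in a
# collection script it comes back blank. Treat both as "no credentials given".
function Test-TokenUnset([string]$Value, [string]$TokenName) {
    return [string]::IsNullOrWhiteSpace($Value) -or ($Value -ieq $TokenName)
}
$UseLocal = (Test-TokenUnset $TargetUser 'wmi.user') -or (Test-TokenUnset $TargetPass 'wmi.pass')
$ScriptBlock = {
    param([int]$WarnDays)
    $Now = Get-Date
    # -Recurse also yields the store containers; keep only certificate objects.
    Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $DaysLeft = (New-TimeSpan -Start $Now -End $_.NotAfter).Days
            if ($DaysLeft -lt 0) { $State = 'expired' }
            elseif ($DaysLeft -le $WarnDays) { $State = 'expiring' }
            else { $State = 'ok' }
            [pscustomobject]@{
                Store        = ($_.PSParentPath -replace '.*::', '')
                Subject      = $_.Subject
                SerialNumber = $_.SerialNumber
                DaysLeft     = $DaysLeft
                State        = $State
            }
        }
}
if ($UseLocal) {
    $Results = & $ScriptBlock -WarnDays $WarnDays
} else {
    # Remote execution needs WinRM reachable and an account allowed to run
    # PowerShell remotely; failures here surface in the collector's wrapper.log.
    $Secure  = ConvertTo-SecureString $TargetPass -AsPlainText -Force
    $Cred    = New-Object System.Management.Automation.PSCredential($TargetUser, $Secure)
    $Results = Invoke-Command -ComputerName $TargetHost -Credential $Cred -ScriptBlock $ScriptBlock -ArgumentList $WarnDays
}
# One line per certificate, keyed by serial number so each can be its own instance.
foreach ($r in $Results) {
    Write-Host ("{0}.DaysLeft={1}  # {2} {3} [{4}]" -f $r.SerialNumber, $r.DaysLeft, $r.Store, $r.Subject, $r.State)
}
```

Running it from a PowerShell console on the collector with the tokens left unsubstituted exercises the local branch, which is a quick way to separate a script problem from a remoting or permissions problem.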
