WMI Active Discovery

Last updated on 20 January, 2020

WMI is the standard protocol for data and operations management on most Windows operating systems. The following article will guide you through properly configuring Active Discovery using the WMI collection method.

In the Create a Datasource window, you will need to select “WMI” under the Collector field. This will update the Active Discovery section for WMI configuration.

Once you have selected WMI as your Collector protocol/Discovery method, you will be asked to configure the following fields: WMI Namespace, WMI Class, and Property used as instance identifier. Collectively, these three fields make up the basic WMI hierarchy in which all Windows objects reside. As such, they define where our Collector should retrieve information from on your devices.

In this hierarchy, the WMI Namespace designates the root (top level). For monitoring purposes, the vast majority of relevant data can be found in the CIMv2 namespace, which is why this field comes auto-populated with CIMv2. Should you be looking for information in another namespace or working with an operating system that does not use CIMv2 (i.e. Kernel 5.x, which uses Default\CIMv2), you can simply designate the desired namespace.

Nestled within WMI namespaces are WMI Classes. These classes contain information used to manage both hardware and system features. For instance, the MSFT_NetAdapter class contains the full list of properties relevant to a particular network adapter.

The lowest tier in the WMI hierarchy, nestled within WMI classes, is the WMI properties. The values of these properties are the basic information that LogicMonitor will collect and on which LogicMonitor will alert (i.e. the WMI property is equivalent to this Datasource's instance). Examples of properties residing within the aforementioned MSFT_NetAdapter class include Name, DeviceID, MaxSpeed, PortNumber, etc.

Filtering in WMI Active Discovery

WMI Active Discovery supports flexible instance filtering. Multiple filters can be added to include or exclude different objects.

The examples below show two filters:

  1. A filter has been added to exclude all “name” instances that do not RegexMatch “exchange.” This ensures that only Exchange processes are discovered.
  2. A filter has been added to exclude all instances that are in an “ok” status. In the Win32_Service Class, this will return status properties with a value of Error, Degraded, Unknown, Pred Fail, Starting, Stopping, Service, Stressed, NonRecover, No Contact, or Lost Comm.

WMI Instance Level Properties

LogicMonitor WMI Active Discovery automatically discovers instances of a datasource on a particular Windows system based on specified WMI Class, Property and Namespace information. Your LogicMonitor collector will discover all instances of the WMI Class and return each instance with the WMI Property as the instance identifier. You can add one or more Active Discovery filters based on WMI Properties, so that only discovered instances that meet the filter criteria will be returned.

For example, to get the names of all network adapter instances in a Windows system, you could specify the following WMI Class and Property information:

WMI Class: Win32_NetworkAdapter

WMI Property: Name

The network adapter instances would be returned with their names as instance identifiers as follows:

Intel® PRO/1000 MT Network Connection

Citric Virtual Adapter

Microsoft ISATAP Adapter

With WMI Active Discovery you can choose to extract instance-level property (ILP) information about each instance discovered in a WMI Class. This extracted information is stored as one or more system properties for the device, and can aid in understanding and troubleshooting the device.

Consider the following table showing instances discovered by WMI Active Discovery with and without ILP, and the information gathered for each:

Datasource: Winlf- (Network Interface)

  Instance Discovered Without ILP: Intel[R] PRO_1000 MT Network Connection

  Instance Discovered with ILP:
    Name: Intel[R] PRO_1000 MT Network Connection
    MACAddress: 00:0C:29:C7:1B:EC
    Manufacturer: Intel
    IPAddress: 192.168.100.100 | fe60::8111:e0a1:ab11:1611
    Can also report speed, type, enabled, etc.

Datasource: WinProcessStats- (Process)

  Instance Discovered Without ILP: StikyNot.exe

  Instance Discovered with ILP:
    Name: StikyNot.exe
    CreationDate: 20150406194852.080015-420
    ExecutablePath: C:\Windows\System32\StikyNot.exe
    CommandLine: “C:\Windows\System32\StikyNot.exe”
    ProcessId: 3928

When you check the ‘Extract instance-level properties from this class’ checkbox, you can enter the WMI Class Properties you wish to obtain for each instance of the specified WMI Class:

You will be prompted for information about how the two WMI Classes you are extracting ILPs from should be linked. Specifically, you will need to specify a WMI Property that is shared between the two WMI Classes. LogicMonitor will only discover instances from the second WMI Class if the WMI Property specified matches between these two classes.

For the network adapter example above, every network adapter name record in the Win32_NetworkAdapter class will have a corresponding network adapter name record in the Win32_NetworkAdapterConfiguration class. The WMI “name” property is a common property between the Win32_NetworkAdapter and Win32_NetworkAdapterConfiguration classes, and can therefore be used to link these two classes.

Add a Filter (with ILPs)

If any Active Discovery filters are specified, only discovered instances that meet the filter criteria will be returned.

Without ILP enabled, you can only add filters based on the instance identifiers (i.e. the WMI property values) of the discovered instances. If you choose to extract ILPs, you may also add filters based on the ILPs discovered. For example, with ILPs you can easily create an Active Discovery filter that filters out only disabled network adapters, or processes running on specific versions of Windows.
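To check a namespace, class, identifier property, ILP list and filter set on a Windows host before saving them in a datasource, the same WMI query can be run locally. The following is an added example, not LogicMonitor collector code: the function name Get-DiscoveryPreview, the filter hashtable shape and the operator names other than RegexMatch are assumptions, and PowerShell's -match is case-insensitive, which may differ from the collector's matching.

```powershell
# Added example: local preview of a WMI Active Discovery definition.
# Get-DiscoveryPreview, the filter hashtable shape and the operator names other
# than RegexMatch are hypothetical; this is not LogicMonitor collector code.
function Get-DiscoveryPreview {
    param(
        [string]$Namespace = 'root/cimv2',
        [Parameter(Mandatory)][string]$ClassName,
        [Parameter(Mandatory)][string]$IdProperty,   # "Property used as instance identifier"
        [string[]]$IlpProperties = @(),              # instance-level properties to extract
        [hashtable[]]$Filters = @()                  # @{ Property=..; Op=..; Value=.. }
    )
    # Ask WMI only for the identifier, the ILPs and any property a filter reads.
    $filterProps = @($Filters | ForEach-Object { $_.Property })
    $props = @($IdProperty) + $IlpProperties + $filterProps | Select-Object -Unique

    Get-CimInstance -Namespace $Namespace -ClassName $ClassName -Property $props |
        Where-Object {
            $instance = $_          # $_ is rebound inside switch, so keep a copy
            foreach ($f in $Filters) {
                $value = [string]$instance.($f.Property)
                $pass = switch ($f.Op) {
                    'RegexMatch'    { $value -match $f.Value }
                    'RegexNotMatch' { $value -notmatch $f.Value }
                    'Equal'         { $value -eq $f.Value }
                    'NotEqual'      { $value -ne $f.Value }
                    default         { throw "Unknown filter operation: $($f.Op)" }
                }
                # An instance is returned only if it meets every filter.
                if (-not $pass) { return $false }
            }
            return $true
        } |
        Select-Object -Property (@($IdProperty) + $IlpProperties)
}

# The two filters from the filtering section, applied to Win32_Service:
# name must RegexMatch "exchange", and instances in an "OK" status are excluded.
Get-DiscoveryPreview -ClassName Win32_Service -IdProperty Name `
    -IlpProperties Status, State `
    -Filters @{ Property = 'Name';   Op = 'RegexMatch'; Value = 'exchange' },
             @{ Property = 'Status'; Op = 'NotEqual';   Value = 'OK' }

# An ILP-based filter: keep only network adapters whose NetEnabled ILP is true.
Get-DiscoveryPreview -ClassName Win32_NetworkAdapter -IdProperty Name `
    -IlpProperties MACAddress, Manufacturer, NetEnabled `
    -Filters @{ Property = 'NetEnabled'; Op = 'Equal'; Value = 'True' }
```

An empty result from the preview means either the class has no instances in that namespace or the filters reject all of them; rerun without -Filters to tell the two apart.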

 
