-
Incident report
-
Resolution: Fixed
-
Minor
-
3.0.5, 3.2.1
-
Windows 2012 R2
When running wmi.get from the zabbix host as seen below:
[root@lpzabbix01 ~]# zabbix_get -s XXXXXXXX -p 10050 -k wmi.get["root\cimv2","Select serialnumber from win32_bios"] VMware-XX 09 41 fa 13 df XX de-86 01 95 XX 72 79 e5 XX
While the command finishes successfully every time, we receive these EventID 5858's as ERROR in Windows EventLog.
Id = {A010B855-20E6-0001-CCD5-2CA0E620D201}; ClientMachine = XXXXXXXX; User = NT AUTHORITY\SYSTEM; ClientProcessId = 704; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : Select serialnumber from win32_bios; ResultCode = 0x80041032; PossibleCause = Unknown
To make matter worse, which is why I started digging into the issue, Zabbix is polling windows at least every 2 minutes via wmi.get for certain values. So with around 100 windows servers in our environment, this is generating a whole lot of logging that is going into our central logging repository.
Id = {B9AFD564-20E4-0001-EB6A-DBB9E420D201}; ClientMachine = XXXXXXXX; User = NT AUTHORITY\SYSTEM; ClientProcessId = 1540; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : select CSDVersion from Win32_OperatingSystem; ResultCode = 0x80041032; PossibleCause = Unknown
Id = {C9C8B17D-20E2-0000-3112-E2C9E220D201}; ClientMachine = XXXXXXXX; User = NT AUTHORITY\SYSTEM; ClientProcessId = 1376; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : select CSDVersion from Win32_OperatingSystem; ResultCode = 0x80041032; PossibleCause = Unknown
Id = {B9AFD564-20E4-0001-EB6A-DBB9E420D201}; ClientMachine = XXXXXXXX; User = NT AUTHORITY\SYSTEM; ClientProcessId = 1540; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : select Version from Win32_OperatingSystem; ResultCode = 0x80041032; PossibleCause = Unknown
I'm not sure the reason for this, other than a KB article that claims the connection isn't closed properly.
https://support.microsoft.com/en-us/kb/3124914
RESOLUTION: The WMI client application should be modified to issue calls to IEnumWbemClassObject::Next to retrieve the full result set, before releasing the IWbemContext object. If no objects are received, make sure that the timeout value (lTimeout) is greater than 0 and that WBEM_S_TIMEDOUT (0x40004) is not being returned.```