[ZBX-11621] Zabbix Agent >3.0.0 wmi.get commands return EventID 5858 Error Created: 2016 Dec 19  Updated: 2017 May 30  Resolved: 2017 Jan 13

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G)
Affects Version/s: 3.0.5, 3.2.1
Fix Version/s: 3.0.8rc1, 3.2.4rc1, 3.4.0alpha1

Type: Incident report Priority: Minor
Reporter: Tim Welch Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: agent
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows 2012 R2


Attachments: Zip Archive EventLogErrorFix.zip    

 Description   

When running wmi.get from the Zabbix host as seen below:

[root@lpzabbix01 ~]# zabbix_get -s XXXXXXXX -p 10050 -k wmi.get["root\cimv2","Select serialnumber from win32_bios"]
VMware-XX 09 41 fa 13 df XX de-86 01 95 XX 72 79 e5 XX

While the command finishes successfully every time, we receive these EventID 5858's as ERROR in Windows EventLog.

Id = {A010B855-20E6-0001-CCD5-2CA0E620D201}; ClientMachine = XXXXXXXX; User = NT AUTHORITY\SYSTEM; ClientProcessId = 704; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : Select serialnumber from win32_bios; ResultCode = 0x80041032; PossibleCause = Unknown

To make matters worse, which is why I started digging into the issue, Zabbix is polling Windows at least every 2 minutes via wmi.get for certain values. So with around 100 Windows servers in our environment, this is generating a whole lot of logging that is going into our central logging repository.

Id = {B9AFD564-20E4-0001-EB6A-DBB9E420D201}; ClientMachine = XXXXXXXX; User = NT AUTHORITY\SYSTEM; ClientProcessId = 1540; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : select CSDVersion from Win32_OperatingSystem; ResultCode = 0x80041032; PossibleCause = Unknown

Id = {C9C8B17D-20E2-0000-3112-E2C9E220D201}; ClientMachine = XXXXXXXX; User = NT AUTHORITY\SYSTEM; ClientProcessId = 1376; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : select CSDVersion from Win32_OperatingSystem; ResultCode = 0x80041032; PossibleCause = Unknown

Id = {B9AFD564-20E4-0001-EB6A-DBB9E420D201}; ClientMachine = XXXXXXXX; User = NT AUTHORITY\SYSTEM; ClientProcessId = 1540; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : select Version from Win32_OperatingSystem; ResultCode = 0x80041032; PossibleCause = Unknown

I'm not sure of the reason for this, other than a KB article that claims the connection isn't closed properly.

https://support.microsoft.com/en-us/kb/3124914

RESOLUTION: The WMI client application should be modified to issue calls to IEnumWbemClassObject::Next to retrieve the full result set, before releasing the IWbemContext object. If no objects are received, make sure that the timeout value (lTimeout) is greater than 0 and that WBEM_S_TIMEDOUT (0x40004) is not being returned.
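
A triage sketch for the log volume described in the report, added here as an example and not part of the original ticket or of Zabbix code: it parses Event ID 5858 messages in the layout quoted above and counts the cancelled-call results (0x80041032) per host, client process and query. The sample messages, host names and the `parse_5858` / `cancelled_query_counts` helpers are constructed for illustration.

```python
import re
from collections import Counter

CALL_CANCELLED = 0x80041032  # WBEM_E_CALL_CANCELLED, the ResultCode in the report

# "Key = value" pairs separated by "; "; a value ends at the next "; Key = ".
FIELD_RE = re.compile(r"(?:^|; )(\w+) = (.*?)(?=; \w+ = |$)")
# Operation = Start <interface::method> - <namespace> : <WQL query>
OP_RE = re.compile(r"Start (\S+) - (\S+) : (.+)")

def parse_5858(message):
    """Split one Event ID 5858 message into fields; None if it does not fit."""
    fields = {m.group(1): m.group(2) for m in FIELD_RE.finditer(message.strip())}
    op = OP_RE.match(fields.get("Operation", ""))
    try:
        return {
            "host": fields["ClientMachine"],
            "pid": int(fields["ClientProcessId"]),
            "namespace": op.group(2),
            # Normalise case and spacing so repeated polls group together.
            "query": " ".join(op.group(3).split()).lower(),
            "result": int(fields["ResultCode"], 16),
        }
    except (AttributeError, KeyError, ValueError):
        return None

def cancelled_query_counts(messages):
    """Count cancelled-call events per (host, client pid, query)."""
    counts = Counter()
    for message in messages:
        event = parse_5858(message)
        if event and event["result"] == CALL_CANCELLED:
            counts[(event["host"], event["pid"], event["query"])] += 1
    return counts

def _sample(host, pid, query, rc="0x80041032"):
    # Constructed message in the layout quoted in the report (placeholder Id).
    return ("Id = {{00000000-0000-0000-0000-000000000000}}; ClientMachine = {0}; "
            "User = NT AUTHORITY\\SYSTEM; ClientProcessId = {1}; Component = Unknown; "
            "Operation = Start IWbemServices::ExecQuery - root\\cimv2 : {2}; "
            "ResultCode = {3}; PossibleCause = Unknown").format(host, pid, query, rc)

SAMPLE = [
    _sample("HOST-A", 704, "Select serialnumber from win32_bios"),
    _sample("HOST-A", 704, "select SerialNumber from Win32_BIOS"),
    _sample("HOST-B", 1540, "select Name from Win32_Service where State = 'Running'"),
    _sample("HOST-B", 1540, "select Version from Win32_OperatingSystem", rc="0x80041010"),
    "unrelated line from another provider",
]

if __name__ == "__main__":
    for key, n in cancelled_query_counts(SAMPLE).most_common():
        print(n, *key)
```

Mapping the reported ClientProcessId back to a process name on the host shows which WMI client is producing the cancelled queries.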



 Comments   
Comment by Tim Welch [ 2016 Dec 19 ]

We are running both 3.0.0 and 3.2.0 of the agent on Windows with the same issue.

Comment by Viktors Tjarve [ 2017 Jan 05 ]

Dear Mr. Welch,
I have been unable to reproduce the error in Windows EventLog using wmi.get. After looking deeper into this issue I have improved handling of the objects returned by IEnumWbemClassObject::Next.

Binary files with improvements are added to attachments. Please try using them and let me know if this solved your problem or not.

Kind Regards,
Viktors

Comment by Tim Welch [ 2017 Jan 05 ]

Thank you, Viktors!

The uploaded EventLogErrorFix.zip appears to have fixed the issue. I am no longer receiving EventID:5858 messages in my ErrorLog.

Comment by Viktors Tjarve [ 2017 Jan 06 ]

Fixed in development branch svn://svn.zabbix.com/branches/dev/ZBX-11621

Comment by Sergejs Paskevics [ 2017 Jan 09 ]

(1) Looks good. Please, check my minor changes r64957.

viktors.tjarve I changed obj_num type to ULONG to match types. Check my changes in r65008.
Other than that all looks good. RESOLVED.

s.paskevics CLOSED.

Comment by Viktors Tjarve [ 2017 Jan 11 ]

Fixed in:

  • pre-3.0.8rc1 r65027,
  • pre-3.2.4rc1 r65028,
  • pre-3.3.0 (trunk) r65029.