As described in Work with component monitors, SAM includes several "component monitor types" that use various methods to focus on elements such as services, logs, or processes. WMI Monitors are component monitors that use WMI communication to obtain the result of a WMI Query Language (WQL) query. The typical result retrieves the performance data calculated by WMI providers such as the Windows OS or Microsoft Exchange Server.
One example of a WMI Monitor is the DFS Volume State component monitor in the Distributed File System (DFS) template that assesses the status and overall performance of a Microsoft DFS service.
Note the following details that apply to most component monitors categorized as WMI Monitors:
- All WQL queries are run within the
- Named instances of SQL Server may have custom class names that do not match the predefined SAM templates, so you'll need to manually change the class name in any WMI Monitor collecting data for a named SQL Server instance. For example, if a named instance is "NAMED,” change
- The statistic displayed for this type of component monitor in the Orion Web Console is either:
- The current performance counter value, or
- The difference in returned values between polling cycles, if the Count statistic as difference option is enabled.
If you create a custom WMI Monitor in the Component Monitor Wizard, you'll be prompted to provide several values, as described next.
A default description of the monitor, which you can add to or replace. The variable to access this field is
Determines whether the component is enabled. Disabling the component leaves it in the application in a deactivated state not influencing either SolarWinds SAM application availability or status.
Credential for Monitoring
Select a Windows credential with WMI rights on the target node. This is typically a Windows administrator-level credential.
Click a credential in the list, or use the <Inherit credential from node> option. If the credential you need is not in the credentials list, add it in the SAM Credentials Library.
Configure the method used to gather data:
- WMI (WinRM/DCOM): Use WinRM, with DCOM as a fallback method. See Use WinRM as the default polling method for WMI-based component monitors in SAM.
- RPC (Remote Procedure Call): Use RPC communication.
WinRM Authentication Mechanism
If the SAM WinRM toggle is enabled for application polling on the Orion server and target nodes, select an authentication method for the connection. The default setting is Negotiate.
- Default: Specifies the transport to use for WS-Management protocol requests and responses: HTTP or HTTPS. The default is HTTP.
- Digest: User name and password are required. The client sends a request with authentication data to an authenticating server, usually a domain controller. If the client is authenticated, then the server receives a Digest session key to authenticate subsequent requests from the client.
- Negotiate: The client sends a request to the server to determine the protocol to use for Simple and Protected Negotiation (SPNEGO) authentication, which can be either:
- Kerberos for domain accounts, or
- NTLM for local computer accounts
- Basic: User name and password are required, as sent via HTTP or HTTPS in a domain or workgroup.
- Kerberos: User name and password are required for mutual authentication between the client and server, using encrypted keys. The client account must be a domain account in the same domain as the server. When a client uses default credentials, Kerberos is the authentication method if the connection string is not one of the following: localhost, 127.0.0.1, or [::1].
- NtlmDomain: User name and password are required for NTLM authentication. The client proves its identity by sending a user name, password, and domain name.
- CredSssp: User name and password are optional. The Credential Security Support Provider (CredSSP) lets an application delegate the user credentials from the client to the target server for remote authentication. The client is authenticated over the encrypted channel by using the SPNEGO protocol with either Kerberos or NTLM.
Specify the namespace where all WQL queries are run. The default value is
Type the WQL query you want to run on the target node. This is typically a performance counter query, but it can be any WQL query. All WQL queries are run within the root/CIMV2 namespace.
The WQL query for this monitor returns a numeric value. It will not report errors.
This option changes the statistic to be the difference in counter values between polling cycles. It only applies to monitors whose counter value increases consistently during each polling interval. Examples of when this option is not applicable include cases such as the following:
- Counter values sometimes increase and sometimes decrease from one polling interval to another (typical behavior for many counters)
- Counter values consistently decrease from one polling interval to another
If this option is not applicable, negative data values are replaced with zero (0). The counter monitor shows 0 as the statistic data value in related widgets and 0 as the value on statistic data charts for this interval.
Select the "Yes, convert returned value" option to display fields where you can select a common function or enter a custom formula. The Custom Conversion option provides basic arithmetic operators (+, -, *, /), plus built-in mathematical functions for more advanced conversions. See Convert values in data transformations for SAM component monitors.
Statistic Warning Threshold
Specify a threshold that indicates a warning level was breached. Logical operators are in the drop down list, followed by a blank field where you can enter a value. For example:
Less than 15 for warning,
Less than 5 for critical. See Application Monitor Thresholds.
Add notes for easy reference. You can access this field by using the variable,