Execute scripts from check-mk_agent in 64-bit Powershell

(Note: Scroll to the end of the article to see on how to run Scripts from the check_mk-agent in the 64-bit Microsoft Powershell. The rest of the text is only for information purposes.)

Here in my company we are making use of a couple custom check scripts for monitoring our Microsoft Exchange servers. These checks cover mailbox, DAG, MAPI and replication health and are run by the NSClient++ NRPE module. Since we are considering a migration to the check_mk-agent, we were curious if these scripts would run with the check_mk-agents MRPE module (see detailed information here: http://mathias-kettner.de/checkmk_mrpe.html).

The integration of custom scripts in MRPE is kinda easy (but different from NSClient++). Here´s an example for the Exchange DAG health script in the NSC.ini from NSClient++:

check_exchange_dag =cmd /c echo scripts/exchange/exchange-DAG.ps1 | powershell.exe -command –  

So basically, NSClient++ opens Microsoft Powershell and runs the ps1 script file. The script itself is doing nothing more than executing a command and checking the output for a particular string (e.g. “failure” or “unhealthy”).

Implementing this check in check_mk-agent would look like this:

check = check_exchange_dag = Powershell.exe -command “.’c:\progra~1\check_mk\plugins\exchange\exchange-DAG.ps1′”

And this is what we first did. After a restart of the check-mk_agent we were able to add the new service within WATO. Unfortunately we were getting errors saying that the script is not allowed to run on that system (because the script is not signed!). After doing some investigation on Google we set the Execution Policy in Powershell to Unrestricted – meaning that the execution of unsigned scripts is allowed. All you have to do is running Set-ExecutionPolicy Unrestricted in Powershell.exe.

Surprisingly we were still getting the same errors on script execution. After further investigation we realized that Windows has two Powershells: a 32-bit and a 64-bit version. Since check-mk_agent is a 32-bit application it was executing the scripts in the 32-bit Powershell AND in this Powershell the executing of unsigned scripts was still prohibited. So we started the x86 Powershell and executed  Set-ExecutionPolicy Unrestricted again. After that we had the next problem: The x86 Powershell has no access to the 64-bit Exchange Add-Ins and as result it´s not able to execute the commands which are used within the script. So we had to find a way to run the script in the 64-bit Powershell out of a 32-bit application.

Being smart we changed the line in the check-mk_agent.ini as following:

check = check_exchange_dag = C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe -command “.’c:\progra~1\check_mk\plugins\exchange\exchange-DAG.ps1′”

After some testing we found out that Microsoft Windows is still using the 32-bit Powershell to execute the script.

After further investigation and frustration we finally found a solution (with the help of this post: http://stackoverflow.com/questions/5715049/running-powershell-script-on-a-remote-machine-using-pstool):

check = check_exchange_dag = c:\windows\sysnative\WindowsPowerShell\v1.0\Powershell.exe -command “.’c:\progra~1\check_mk\plugins\exchange\exchange-webservices.ps1′”

Calling Powershell with this path executes the script in the 64-bit mode and works!

Bottom Line: In order to run Powershell Scripts which are using 64-bit extension with check_mk´s 32-bit agent you have to do the following:

  •  Make sure that execution of unsigned scripts is allowed (as long as the script is unsigned.)
  • Execute the script with the above mentioned path to Powershell.exe

About sitweak
Monitoring, Network, Firewall, Mobile Security. I´m totally into that stuff!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: