|
1 | | -# Custom WMI (Windows Management Instrumentation) Input Package |
| 1 | +# Custom WMI (Windows Management Instrumentation) input package |
2 | 2 |
|
3 | | -The Custom WMI Input integration is used to ingest data from the Windows Management Instrumentation (WMI) classes. |
4 | | -You can use this input to collect instances of any WMI class. Please be aware that |
5 | | -when working with WMI queries, it is the user’s responsibility to ensure that queries are safe, efficient, and do not cause unintended side effects. A notorious example of a problematic WMI class is Win32_Product. [Read more in Windows Documentation](https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/windows-installer-reconfigured-all-applications#more-information_). |
| 3 | +The Custom WMI Input integration reads metrics via [Windows Management Instrumentation](https://learn.microsoft.com/en-us/windows/win32/wmisdk/about-wmi) (WMI), a core management technology in the Windows operating system. |
| 4 | +By leveraging WMI Query Language (WQL), this integration allows you to extract detailed system information and metrics to monitor the health and performance of Windows systems. |
6 | 5 |
|
| 6 | +This input leverages the [Microsoft WMI](https://github.com/microsoft/wmi) library, a convenient wrapper around the [GO-OLE](https://github.com/go-ole) library which allows to invoke the WMI API. |
7 | 7 |
|
8 | 8 | ## Requirements |
9 | 9 |
|
10 | 10 | This integration requires Elastic-Agent 8.19.0 or 9.1.0 and above. |
11 | 11 |
|
12 | | -This integration is only available on Windows. We refer to the Metricbeat input for the [Compatibility](https://www.elastic.co/docs/reference/beats/metricbeat/metricbeat-metricset-windows-wmi#compatibility). |
| 12 | +## Compatibility |
13 | 13 |
|
| 14 | +This integration has been tested on the following platforms: |
14 | 15 |
|
15 | | -## Configuration |
| 16 | +| Operating System | Architecture | |
| 17 | +|---------------------------------------------|--------------| |
| 18 | +| Microsoft Windows Server 2019 Datacenter | x64 | |
| 19 | +| Microsoft Windows 11 Pro | x64 | |
| 20 | + |
| 21 | + |
| 22 | +## WMI Query Language (WQL) support |
| 23 | + |
| 24 | +This integration supports the execution of |
| 25 | +[WQL](https://learn.microsoft.com/en-us/windows/win32/wmisdk/wql-sql-for-wmi) |
| 26 | +queries, a SQL-like query language for retrieving information from WMI |
| 27 | +namespaces. |
| 28 | + |
| 29 | +Currently, this input package supports queries with `SELECT`, `FROM` and |
| 30 | +`WHERE` clauses. |
| 31 | + |
| 32 | +**Warning**: |
| 33 | +When working with WMI queries, it is the user’s responsibility to ensure |
| 34 | +that queries are safe, efficient, and do not cause unintended side |
| 35 | +effects. A notorious example of a problematic WMI class is |
| 36 | +`Win32_Product`. Read more in the related [Windows |
| 37 | +documentation](https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/windows-installer-reconfigured-all-applications#more-information_). |
| 38 | + |
| 39 | +## WMI arbitrator and query execution |
| 40 | + |
| 41 | +Query execution is managed by the underlying WMI framework, specifically |
| 42 | +by the [WMI |
| 43 | +arbitrator](https://learn.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/new-wmi-arbitrator-behavior-in-windows-server). |
| 44 | +The arbitrator is responsible for: |
| 45 | + |
| 46 | +- Scheduling and controlling query execution |
| 47 | + |
| 48 | +- Throttling or stopping queries based on system resource availability |
| 49 | + and conditions |
| 50 | + |
| 51 | +There is no way to directly stop a query once it has started. To prevent |
| 52 | +Elastic Agent from waiting indefinitely for a query to return a result or |
| 53 | +fail, Elastic Agent has a timeout mechanism that stops waiting for query |
| 54 | +results after a specified timeout. This is controlled by the |
| 55 | +`wmi.warning_threshold` setting. |
| 56 | + |
| 57 | +**Note**: While Elastic Agent stops waiting for the result, the underlying WMI query |
| 58 | +may continue running until the WMI arbitrator decides to stop execution. |
| 59 | + |
| 60 | + |
| 61 | + |
| 62 | +## WMI type support |
| 63 | + |
| 64 | +The `microsoft/wmi` library internally uses the WMI Scripting API. This API, as per the |
| 65 | +[official WMI documentation](https://learn.microsoft.com/en-us/windows/win32/wmisdk/querying-wmi), |
| 66 | +does not provide direct type conversion for `uint64`, `sint64`, and `datetime` |
| 67 | +[Common Information Model](https://learn.microsoft.com/en-us/windows/win32/wmisdk/common-information-model) (CIM) types; |
| 68 | +instead, these values are returned as strings. |
| 69 | + |
| 70 | +To ensure the correct data type is reported, Elastic Agent dynamically fetches the |
| 71 | +CIM type definitions for the properties of the WMI instance classes returned by the query, |
| 72 | +and then performs the necessary data type conversions. |
16 | 73 |
|
17 | | -The extensive documentation for the input is currently available [here](https://www.elastic.co/docs/reference/beats/metricbeat/metricbeat-metricset-windows-wmi). We highly encourage users to become familiar with the linked documentation. |
| 74 | +To optimize performance and avoid repeatedly fetching these schema definitions |
| 75 | +for every row and every request, an LRU cache is utilized. This cache stores |
| 76 | +the schema definition for each WMI class-property pair encountered. For queries involving |
| 77 | +superclasses, such as `CIM_LogicalDevice`, the cache will populate with individual entries |
| 78 | +for each specific derived class (leaf of the class hierarchy) whose instances are returned by the query (for example, `Win32_DiskDrive` or `Win32_NetworkAdapter`). |
18 | 79 |
|
19 | | -The most commonly used configuration options are available on the main integration page, while more advanced and customizable options currently resides under the "Advanced options" part of the integration settings page. |
| 80 | +**Note**: |
| 81 | +The properties of type `CIM_Object` (embedded objects) are not yet supported and are ignored. |
20 | 82 |
|
21 | | -### Date Fields Mapping |
22 | 83 |
|
23 | | -Elastic-Agent converts WMI properties of type "datetime" to timestamps, but these are serialized as strings in the output. Since date detection is disabled by default, these fields will be stored as strings unless explicitly mapped as dates. To ensure proper mapping, we recommend explicitly setting the mapping in the `@custom` template. |
24 | | -Refer to [this guide](https://www.elastic.co/docs/reference/fleet/data-streams#data-streams-index-templates-edit) |
25 | | -and [this guide](https://www.elastic.co/docs/manage-data/data-store/index-basics#manage-component-templates) for additional |
| 84 | +**Note**: |
| 85 | +The properties of type `CIM_Reference` (references) used in [WMI Association Classes](https://learn.microsoft.com/en-us/windows/win32/wmisdk/declaring-an-association-class) are currently returned as strings as reported by the microsoft/wmi library. |
| 86 | + |
| 87 | + |
| 88 | + |
| 89 | +## Date fields mapping |
| 90 | + |
| 91 | +Elastic Agent converts WMI properties of type "datetime" to timestamps, but these are serialized as strings in the output. Since date detection is disabled by default, these fields will be stored as strings unless explicitly mapped as dates. To ensure proper mapping, we recommend explicitly setting the mapping in the `@custom` template. |
| 92 | +Refer to [Edit the Elasticsearch index template](https://www.elastic.co/docs/reference/fleet/data-streams#data-streams-index-templates-edit) |
| 93 | +and [Manage component templates](https://www.elastic.co/docs/manage-data/data-store/index-basics#index-management-manage-component-templates) for additional |
26 | 94 | details. |
| 95 | + |
| 96 | +## Configuration |
| 97 | + |
| 98 | +| Option | Description | Default | |
| 99 | +|-----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------| |
| 100 | +| `wmi.namespace` | The default WMI namespace used for queries. This can be overridden per query. | `"root\\cimv2"` | |
| 101 | +| `wmi.warning_threshold` | The time threshold after which Elastic Agent will stop waiting for the query result and return control to the main flow of the program. A warning is logged indicating that the query execution has exceeded the threshold. Refer to [WMI arbitrator and query execution](#wmi-arbitrator-and-query-execution) for more details. | Equal to `period` | |
| 102 | +| `wmi.include_queries` | If set to `true`, the query is added in the output document. | `false` | |
| 103 | +| `wmi.include_query_class` | If set to `true`, the metricset includes the queried class. This is useful if superclasses are queried. The default value is `false`. | `false` | |
| 104 | +| `wmi.include_null_properties` | If set to `true`, the output documents will include the properties that have a `null` value. | `false` | |
| 105 | +| `wmi.include_empty_string_properties` | If set to `true`, the output documents will include the properties that are empty strings. | `false` | |
| 106 | +| `wmi.max_rows_per_query` | Limits the number of rows returned by a single WMI query. The default value is `0`, which is a special value indicating that all fetched |
| 107 | +results should be returned without a row limit. | `0` | |
| 108 | +| `wmi.schema_cache_size` | The maximum number of WMI class-property pairs that can be cached per single query. Every query keeps its own separate cache. This cache helps improve performance when dealing with queries that involve inheritance hierarchies. Read more in [WMI type support](#wmi-type-support).<br>For example, if a superclass is queried, the cache stores entries for each WMI concrete instance class (the leaves of the class hierarchy) and their associated properties. Therefore, querying a superclass that returns a result set containing instances of `10` different classes, each with `50` properties, will result in a cache size of `500` entries (`10×50`). | `1000` | |
| 109 | +| `wmi.queries` | The list of queries to execute. The list cannot be empty. Refer to [Query configuration](#query-configuration) for the format of the queries. | *(required)* | |
| 110 | + |
| 111 | + |
| 112 | +### Query configuration |
| 113 | + |
| 114 | +Each item in the `queries` list specifies a WMI query to perform. |
| 115 | + |
| 116 | +| Option | Description | Required/Default | |
| 117 | +|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------| |
| 118 | +| `class` | The WMI class. Specifies the `FROM` clause in the query. | Required | |
| 119 | +| `properties`| List of properties to return. Specifies the `SELECT` clause. Set to an empty list (default) to retrieve all available properties. | Default: empty list | |
| 120 | +| `where` | The `WHERE` clause. Read more about the format in the related [Windows documentation](https://learn.microsoft.com/en-us/windows/win32/wmisdk/where-clause). | Optional | |
| 121 | +| `namespace` | The WMI namespace for this query (overrides the global `namespace` value for this query). | Optional | |
| 122 | + |
| 123 | +### Example |
| 124 | + |
| 125 | +Example WQL query: |
| 126 | + |
| 127 | +```sql |
| 128 | +SELECT Name, ProcessId, WorkingSetSize |
| 129 | +FROM Win32_Process |
| 130 | +WHERE Name = 'lsass.exe' AND WorkingSetSize > 104857600 |
| 131 | +``` |
| 132 | + |
| 133 | +Equivalent YAML configuration: |
| 134 | + |
| 135 | +```yaml |
| 136 | +- class: Win32_Process |
| 137 | + properties: |
| 138 | + - Name |
| 139 | + - ProcessId |
| 140 | + - WorkingSetSize |
| 141 | + where: "Name = 'lsass.exe' AND WorkingSetSize > 104857600" |
| 142 | +``` |
0 commit comments