Opsview - Configure Exchange Opspack

This opspack guide Exchange-Client-Connectivity-Monitoring explains how to configure Kerberos as an authentication method to get started with making checks, this is an agentless method of making checks

 using WinRM on the Exchange Server that you wish to monitor:-

Syntax Example as below (to be ran as an opsview user):-

./check_by_winrm.py -H 10.x.x.x --transport 'kerberos' --username 'USERNAME' --password 'PASSWORD' --scheme 'http' -D -i check_microsoft_exchange.ps1 -m MSExConnectivity.ActiveSync.Requests -n '10.x.x.x' -Transport 'kerberos' -Username 'USERNAME' -Password 'PASSWORD' -Scheme 'http' -w '' -c ''

The -i is used here to ignore certificate verification but bear in mind it will not ignore certificates therefore the OpenSSL command in step 6 will help verify this,

1. Download the script for WinRM configuration

Refer article- Powershell-agentless-monitoring

Run the script on the server

https://downloads.opsview.com/ConfigureRemoting.ps1.

2. Run below on Powershell CMD

winrm quickconfig

For HTTP: 
netstat -an | findstr 5985

For HTTPS: 
netstat -an | findstr 5986

3. Execute below in Powershell CMD

winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'

4. Run below in Powershell CMD

Add-WindowsFeature winrm-IIS-Ext

5. Verify the below output from Powershell CMD

WinRM e winrm/config/listener

6. From the monitored by the collector/orchestrator to the host (exchange server)

openssl s_client -connect exchangeserver.com:5986 -showcerts

7. check connectivity to endpoint from collector/orchestrator, response should be 0 for ok

[root@collector01 ~]# nc -z -w1 10.x.x.x 5986;echo $?
0
[root@collector01~]# nc -z -w1 10.x.x.x 5985;echo $?
0

8. Log into the collector assuming checks are performed from a collector to the Exchange Server, also note the user used to monitor the exchange should be a domain admin
---

Configure the /opt/opsview/krb5/etc/krb5.conf with your domain as below respective to your environment
(Make sure you execute commands as opsview rather than root)

[opsview@collector01 etc]$ cat /opt/opsview/krb5/etc/krb5.conf
#
# /opt/opsview/krb5/etc/krb5.conf
[libdefaults]
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_realm = localdomain.com

[login]
krb4_convert = true
krb4_get_tickets = false



---------------------------------------------------------------------------------
permissions -rw-r----- 1 root opsview 234 Oct 31 12:09 /opt/opsview/krb5/etc/krb5.conf
-rw-r----- <-> 640

7. check files in /opt/opsview/krb5/etc/krb5.conf.d/local.cfg

Add DC name in the below file:-

[root@collector01 krb5.conf.d]# ls -la
total 8
drwxrwx--- 2 root opsview 52 Oct 13 08:55 .
drwxr-x--- 3 root opsview 62 Oct 31 11:25 ..
-rwxrwxrwx 1 opsview opsview 239 Oct 13 08:49 local.cfg
-rwxrwxrwx 1 opsview opsview 380 Oct 31 11:24 opsview_realms.cfg

remove file opsview_realms.cfg for credentials

8. if the domain.cfg file is not present create it

[root@collector01 krb5.conf.d]$ cat local.cfg
#
# Managed by User
#
[realms]
LOCALDOMAIN.COM = {
kdc = dc1.localdomain.com
kdc = dc2.localdomain.com
admin_server = dc1.localdomain.com
master_kdc = dc1.localdomain.com
}

[domain_realm]
localdomain.com = localdomain.com

-----------------------------------------------------------------------------------
permissions -rwxrwxrwx 1 opsview opsview 239 Oct 31 12:10 local.cfg
-rwxrwxrwx <-> 777

9. change directory to apply credentials - /opt/opsview/krb5/bin

./kinit USER@LOCALDOMAIN.COM

(If user successfully attains a ticket it will exit without any output)

NOTE:

You must execute commands as opsview rather than root, if you make the mistake to run a command as root use the below to be run from the orchestrator to delete cached information:

ansible all -m shell -a 'rm -rf /tmp/*krb5*'

Make sure WinRM is configured correctly, rerun the steps and make sure the HTTPS listener has been initialized. Failure to use HTTPS will result in connections being refused, also Kerberos will need HTTPS auth.

Example Variables as below: