telegraf
Telegraf Windows Registry Input Plugin
Use Case
We want to consume string and numeric values from Windows registry. Here you can find useful generic windows information like windows version, settings and much more. Also some apps are storing important information here.
Expected behavior
Telegraf can read values (String, DWORD, QWORD) from given Windows Registry path like HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
Actual behavior
Currently getting string and numeric values from Windows registry is not possible with Telegraf standard plugins. Also no chance with inputs.win_wmi because it uses the WQL interface, which does not support method calls.
Additional info
Currently you have to use inputs.exec to execute a custom powershell script to get Windows Registry values. Executing powershell scripts is not always a good solution because of security concerns and for users without Powershell coding knowledge.
Thanks for filing the feature request. We shall take a look!
We also need this function to get values from the registry, such as the UBR version, which is not included in any WMI class.
Yes, it would be a very useful feature; we need it.
@1tft and @PSHWorkShop, please test the binary in PR #15300 and let me know if that works for you! The new feature adds more than only querying the registry but allows to invoke arbitrary WMI methods. Therefore, to read a registry value you should do
```toml
# Input plugin to query Windows Management Instrumentation
# This plugin ONLY supports Windows
[[inputs.win_wmi]]
  ## Hostname or IP for remote connections, by default the local machine is queried
  # host = ""

  ## Credentials for the connection, by default no credentials are used
  # username = ""
  # password = ""

  [[inputs.win_wmi.method]]
    ## WMI namespace, class and method to use
    namespace = 'root\default'
    class_name = "StdRegProv"
    method = "GetStringValue"

    ## Returned WMI method values to use as tags instead of fields
    # tag_properties = ["ReturnValue"]

    ## Named arguments for the method call
    [inputs.win_wmi.method.arguments]
      hDefKey = '2147483650'
      sSubKeyName = 'Software\Microsoft\windows NT\CurrentVersion'
      sValueName = 'ProductName'
```
to read HKLM\Software\Microsoft\windows NT\CurrentVersion\ProductName
...
Hello,
The code works, but if you get multiple values from different registry code you get the same field name.
```toml
[[inputs.win_wmi]]
  [[inputs.win_wmi.method]]
    ## WMI namespace, class and method to use
    namespace = 'root\default'
    class_name = "StdRegProv"
    method = "GetStringValue"
    #tag_properties = ["sValue"]
    ## Returned WMI method values to use as tags instead of fields
    # tag_properties = ["ReturnValue"]
    ## Named arguments for the method call
    [inputs.win_wmi.method.arguments]
      hDefKey = '2147483650'
      sSubKeyName = 'Software\Microsoft\windows NT\CurrentVersion'
      sValueName = 'ProductName'

  [[inputs.win_wmi.method]]
    ## WMI namespace, class and method to use
    namespace = 'root\default'
    class_name = "StdRegProv"
    method = "GetDWORDValue"
    ## Returned WMI method values to use as tags instead of fields
    # tag_properties = ["ReturnValue"]
    ## Named arguments for the method call
    [inputs.win_wmi.method.arguments]
      hDefKey = '2147483650'
      sSubKeyName = 'Software\Microsoft\windows NT\CurrentVersion'
      sValueName = 'UBR'

  [[inputs.win_wmi.method]]
    ## WMI namespace, class and method to use
    namespace = 'root\default'
    class_name = "StdRegProv"
    method = "GetStringValue"
    #tag_properties = ["sValue"]
    ## Returned WMI method values to use as tags instead of fields
    # tag_properties = ["ReturnValue"]
    ## Named arguments for the method call
    [inputs.win_wmi.method.arguments]
      hDefKey = '2147483650'
      sSubKeyName = 'Software\Microsoft\windows NT\CurrentVersion'
      sValueName = 'CurrentBuild'
```
Result:
```
StdRegProv,host=PC1 ReturnValue=0i,sValue="Windows Server 2021" 17150xxxxx000000000
StdRegProv,host=PC1 ReturnValue=0i,sValue="22631" 17150xxxxx0000000000
StdRegProv,host=PC1 ReturnValue=0i,uValue=3527i 17150xxxxx0000000000
```
Could you not use the value of sValueName = 'ProductName' as the field name, or specify the return field in the parameters? Example: ReturnField = 'MyProductName'
```toml
[inputs.win_wmi.method.arguments]
  hDefKey = '2147483650'
  sSubKeyName = 'Software\Microsoft\windows NT\CurrentVersion'
  sValueName = 'ProductName'
  ReturnField = 'MyProductName'
```
Better should be:
```
StdRegProv,host=PC1 ReturnValue=0i,MyProductname="Windows 10 Pro" 1715058810000000000
StdRegProv,host=PC1 ReturnValue=0i,MyValueName="22631" 1715058810000000000
StdRegProv,host=PC1 ReturnValue=0i,myUBR=3527i 1715058810000000000
```
@PSHWorkShop currently we use the name of the value returned by the function call. Your approach will run into problems if the method returns multiple fields I think, therefore I'm not sure if this is a good idea.
I added a fields option where you can specify a mapping between the name of the returned value and the field name. Does that work for you?
Using this config
```toml
[[inputs.win_wmi]]
  name_override = "system_meta"

  [[inputs.win_wmi.method]]
    namespace = 'root/default'
    class_name = "StdRegProv"
    method = "GetStringValue"
    [inputs.win_wmi.method.arguments]
      hDefKey = '2147483650'
      sSubKeyName = 'Software\\Microsoft\\windows NT\\CurrentVersion'
      sValueName = 'ProductName'
    [inputs.win_wmi.method.fields]
      sValue = "ProductName"

  [[inputs.win_wmi.method]]
    namespace = 'root/default'
    class_name = "StdRegProv"
    method = "GetStringValue"
    [inputs.win_wmi.method.arguments]
      hDefKey = '2147483650'
      sSubKeyName = 'Software\\Microsoft\\windows NT\\CurrentVersion'
      sValueName = 'CurrentBuildNumber'
    [inputs.win_wmi.method.fields]
      sValue = "CurrentBuildNumber"

  [[inputs.win_wmi.method]]
    namespace = 'root/default'
    class_name = "StdRegProv"
    method = "GetDWORDValue"
    [inputs.win_wmi.method.arguments]
      hDefKey = '2147483650'
      sSubKeyName = 'Software\\Microsoft\\windows NT\\CurrentVersion'
      uValueName = 'UBR'
    [inputs.win_wmi.method.fields]
      uValue = "UBR"
```
prints out these metrics:
```
> system_meta,CurrentBuildNumber="20348",ReturnValue=0i 1715172372000000000
> system_meta,ProductName="Windows Server 2022 Standard",ReturnValue=0i 1715172372000000000
> system_meta,ReturnValue=0i,UBR=2402i 1715172372000000000
```
fields option works for us.
We don't know that one sValueName (property) can return more than one value, so you can't automatically use the property name instead of "sValue", "uValue" etc.
Later we use the merge aggregator plugin to get only one metric.
Yeah, there might be WMI calls that return more than one property (e.g. EnumValues) so we cannot autorename.
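The following Go program is an added illustration of the two points made in this thread, the `fields` mapping the maintainer added and why naming fields after `sValueName` cannot work in general; it is not Telegraf code and does not talk to WMI. The `MethodConfig`, `MethodResult`, `toMetric`, `merge`, `collect` and `autoRename` names are assumptions made for the example, and the StdRegProv results are constructed to match the values shown above. It models three `Get*Value` calls once without and once with the mapping, folds them into one metric the way the merge aggregator would, and shows that the field-name collision (every string call lands in `sValue`) disappears only with the mapping, while the proposed auto-rename has nothing to work with for a method like `EnumValues` that returns two arrays and takes no `sValueName`.

```go
package main

import "fmt"

// MethodConfig is a simplified stand-in for the [[inputs.win_wmi.method]] table
// in this thread; an assumption for this example, not Telegraf's real config type.
type MethodConfig struct {
	Method    string
	Arguments map[string]string
	Fields    map[string]string // returned property name -> metric field name
}

type MethodResult map[string]interface{} // out-parameters of one WMI method call

// Metric is a flattened Telegraf-style measurement (tags and timestamp omitted).
type Metric struct{ Name string; Fields map[string]interface{} }

// call pairs a method config with a constructed (made-up) result; nothing is read from WMI.
type call struct{ cfg MethodConfig; res MethodResult }

// regCall builds a StdRegProv Get*Value call whose mapping renames sValue/uValue to the value name.
func regCall(method, valueName, prop string, val interface{}) call {
	return call{
		MethodConfig{Method: method, Arguments: map[string]string{"sValueName": valueName},
			Fields: map[string]string{prop: valueName}},
		MethodResult{"ReturnValue": 0, prop: val},
	}
}

// Values mirror the maintainer's sample output above (constructed, not queried).
var sampleCalls = []call{
	regCall("GetStringValue", "ProductName", "sValue", "Windows Server 2022 Standard"),
	regCall("GetStringValue", "CurrentBuildNumber", "sValue", "20348"),
	regCall("GetDWORDValue", "UBR", "uValue", 2402),
}

// enumCall models StdRegProv.EnumValues: two data arrays and no sValueName argument.
var enumCall = call{
	MethodConfig{Method: "EnumValues", Arguments: map[string]string{"sSubKeyName": `Software\Microsoft\Windows NT\CurrentVersion`}},
	MethodResult{"ReturnValue": 0, "sNames": []string{"ProductName", "UBR"}, "Types": []int{1, 4}},
}

// toMetric turns one result into a metric; without the mapping every property keeps its WMI name.
func toMetric(name string, cfg MethodConfig, res MethodResult, useMapping bool) Metric {
	m := Metric{Name: name, Fields: map[string]interface{}{}}
	for prop, val := range res {
		if renamed, ok := cfg.Fields[prop]; ok && useMapping {
			prop = renamed
		}
		m.Fields[prop] = val
	}
	return m
}

// merge folds metrics with the same name into one, as the merge aggregator does.
func merge(metrics []Metric) map[string]Metric {
	out := map[string]Metric{}
	for _, m := range metrics {
		dst, ok := out[m.Name]
		if !ok {
			dst = Metric{Name: m.Name, Fields: map[string]interface{}{}}
			out[m.Name] = dst
		}
		for k, v := range m.Fields {
			dst.Fields[k] = v // a later call's field of the same name overwrites the earlier one
		}
	}
	return out
}

// collect runs the three sample calls and returns the merged system_meta metric.
func collect(useMapping bool) Metric {
	var ms []Metric
	for _, c := range sampleCalls {
		ms = append(ms, toMetric("system_meta", c.cfg, c.res, useMapping))
	}
	return merge(ms)["system_meta"]
}

// autoRename is the scheme proposed in the thread: name the single data property after sValueName.
func autoRename(c call) (map[string]string, error) {
	valueName := c.cfg.Arguments["sValueName"]
	var data []string
	for prop := range c.res {
		if prop != "ReturnValue" {
			data = append(data, prop)
		}
	}
	if valueName == "" || len(data) != 1 {
		return nil, fmt.Errorf("%s: need one sValueName and one data property, got %q and %v", c.cfg.Method, valueName, data)
	}
	return map[string]string{data[0]: valueName}, nil
}

func main() {
	fmt.Println(collect(false).Fields, collect(true).Fields)
	fmt.Println(autoRename(enumCall))
}
```

Without the mapping the merged metric carries only `ReturnValue`, `sValue` and `uValue`, with `sValue` holding whichever string call ran last; with it, each value keeps its own field. The `hDefKey` of `2147483650` used throughout the thread is `0x80000002`, the `HKEY_LOCAL_MACHINE` handle StdRegProv expects.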