
mpcomputerstatus: create initial windows defender wmi collector

Open rismoney opened this issue 2 years ago • 6 comments

I am new to golang, but I figured I'd take the initiative and attempt to create a collector based on a need to get defender statistics into prometheus as noted here - https://github.com/prometheus-community/windows_exporter/issues/858

I am not able to compile this yet. Below L84-L86 I added as I thought I needed to adjust for the proper namespace. Any advice on how to make this work would be great!

Thank you.

rismoney avatar Oct 27 '21 14:10 rismoney

I am also missing properties that should be in the MOF as described here https://docs.microsoft.com/en-us/previous-versions/windows/desktop/defender/msft-mpcomputerstatus

rismoney avatar Oct 27 '21 14:10 rismoney

The nil/err fixes, and commenting out import "github.com/prometheus-community/windows_exporter/log", worked.

snip from localserver:9182/metrics

# HELP windows_msft_mpcomputerstatus_antispyware_signature_age (AntispywareSignatureAge)
# TYPE windows_msft_mpcomputerstatus_antispyware_signature_age gauge
windows_msft_mpcomputerstatus_antispyware_signature_age 0
# HELP windows_msft_mpcomputerstatus_antivirus_signature_age (AntivirusSignatureAge)
# TYPE windows_msft_mpcomputerstatus_antivirus_signature_age gauge
windows_msft_mpcomputerstatus_antivirus_signature_age 0
# HELP windows_msft_mpcomputerstatus_computer_state (ComputerState)
# TYPE windows_msft_mpcomputerstatus_computer_state gauge
windows_msft_mpcomputerstatus_computer_state 0
# HELP windows_msft_mpcomputerstatus_full_scan_age (FullScanAge)
# TYPE windows_msft_mpcomputerstatus_full_scan_age gauge
windows_msft_mpcomputerstatus_full_scan_age 4.294967295e+09
# HELP windows_msft_mpcomputerstatus_nis_signature_age (NISSignatureAge)
# TYPE windows_msft_mpcomputerstatus_nis_signature_age gauge
windows_msft_mpcomputerstatus_nis_signature_age 0
# HELP windows_msft_mpcomputerstatus_quick_scan_age (QuickScanAge)
# TYPE windows_msft_mpcomputerstatus_quick_scan_age gauge
windows_msft_mpcomputerstatus_quick_scan_age 0

A few adds - not sure if it's possible/sane:

PS C:\Users\ad-rsiegel> Get-CimInstance -ClassName MSFT_MpComputerstatus -Namespace "root/microsoft/windows/defender" | select *enabled*


AMServiceEnabled          : True
AntispywareEnabled        : True
AntivirusEnabled          : True
BehaviorMonitorEnabled    : True
IoavProtectionEnabled     : True
NISEnabled                : True
OnAccessProtectionEnabled : True
RealTimeProtectionEnabled : True

Maybe convert T/F to 0/1 metric based data.

Also, a few adds I'd want as next steps, not sure if they're easy/hard/possible, something like this: (Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace "root/microsoft/windows/defender").count

rismoney avatar Oct 27 '21 22:10 rismoney

so I wonder if the right way to handle the version numbers of the components is like this: https://medium.com/teamzerolabs/staying-on-track-of-aging-node-packages-with-monitoring-in-prometheus-f915540e72df

or

https://www.robustperception.io/exposing-the-software-version-to-prometheus

Not sure how to work this in...

rismoney avatar Nov 11 '21 01:11 rismoney
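The pattern both linked posts describe is an "info metric": a gauge pinned at 1 whose labels carry the version strings, so you can join on or group by version in PromQL without trying to turn a dotted version into a number. The following is an added example, not code from windows_exporter; the property names come from Microsoft's MSFT_MpComputerStatus class docs, the metric and label names are assumptions, and the version values in the test are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// DefenderVersions holds three of the version-string properties of the
// MSFT_MpComputerStatus class. A real collector would read them via WMI.
type DefenderVersions struct {
	AMEngineVersion           string
	AMProductVersion          string
	AntivirusSignatureVersion string
}

// escapeLabel applies the Prometheus text exposition escaping rules for
// label values: backslash, double quote and newline must be escaped.
func escapeLabel(v string) string {
	r := strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`)
	return r.Replace(v)
}

// InfoMetric renders windows_defender_info{...} 1 with labels sorted by name
// so the output is stable between scrapes (assumed metric/label names).
func InfoMetric(v DefenderVersions) string {
	labels := map[string]string{
		"am_engine_version":           v.AMEngineVersion,
		"am_product_version":          v.AMProductVersion,
		"antivirus_signature_version": v.AntivirusSignatureVersion,
	}
	keys := make([]string, 0, len(labels))
	for k := range labels {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, fmt.Sprintf(`%s="%s"`, k, escapeLabel(labels[k])))
	}
	return fmt.Sprintf("windows_defender_info{%s} 1", strings.Join(parts, ","))
}
```

With this in place, an alert such as "signature version unchanged for N days" is a PromQL question on the label rather than on a numeric age, which complements the age gauges already exposed.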

Hey, sorry for delays in reviews. On the sample metrics, I think they look rather suspicious - all zeros or int_max. So probably we're not getting the data out correctly. What output do you get from powershell on that class?

As for the true/false, then I agree. Typically we'd use a gauge for each of them, so e.g. windows_defender_antivirus_enabled.

carlpett avatar Nov 13 '21 21:11 carlpett

Delayed here too, due to other constraints. No worries. The numbers are actually correct despite looking suspicious, because I was testing on a well updated endpoint, that never ran a full scan. I am going to double check those and see that they exactly reflect powershell, but as of now they are spot on.

Get-MpComputerStatus |select *age,computerstate


AntispywareSignatureAge : 0
AntivirusSignatureAge   : 0
FullScanAge             : 4294967295
NISSignatureAge         : 0
QuickScanAge            : 0
computerstate           : 0

So what I am not sure is how to properly add the code to handle booleans such as

AntivirusEnabled          : True

rismoney avatar Nov 24 '21 04:11 rismoney

What value does the WMI class return for AntivirusEnabled? Depending on the return value type (string or uint), you could coerce that to a 0 for a false value and a 1 for a true value.

breed808 avatar Nov 28 '21 08:11 breed808
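Putting carlpett's per-property gauge naming and breed808's 0/1 coercion together, here is an added example (not windows_exporter code) of the conversion step that sits between the WMI query and the Prometheus descriptors. It assumes the WMI client already unmarshals the class into a Go struct with bool and uint32 fields; the windows_defender_ metric names and the _days suffix are assumptions. It also handles the 4294967295 FullScanAge seen above, which is uint32 max, the value WMI reports when that scan has never run.

```go
package main

import "math"

// MpComputerStatus holds the subset of MSFT_MpComputerStatus properties seen in
// the thread. Constructed here; a real collector fills it from a WMI query.
type MpComputerStatus struct {
	AMServiceEnabled, AntispywareEnabled, AntivirusEnabled    bool
	BehaviorMonitorEnabled, IoavProtectionEnabled, NISEnabled bool
	OnAccessProtectionEnabled, RealTimeProtectionEnabled      bool
	AntispywareSignatureAge, AntivirusSignatureAge            uint32
	FullScanAge, QuickScanAge                                 uint32
}

// boolToGauge coerces a WMI boolean to the 0/1 gauge convention.
func boolToGauge(b bool) float64 {
	if b {
		return 1
	}
	return 0
}

// ageToGauge keeps real ages (days) but maps the uint32-max sentinel, which
// WMI reports when a scan or update never ran, to NaN, Prometheus' "no value".
func ageToGauge(age uint32) float64 {
	if age == math.MaxUint32 {
		return math.NaN()
	}
	return float64(age)
}

// Collect turns one status record into windows_defender_<property> gauges.
func Collect(s MpComputerStatus) map[string]float64 {
	return map[string]float64{
		"windows_defender_am_service_enabled":             boolToGauge(s.AMServiceEnabled),
		"windows_defender_antispyware_enabled":            boolToGauge(s.AntispywareEnabled),
		"windows_defender_antivirus_enabled":              boolToGauge(s.AntivirusEnabled),
		"windows_defender_behavior_monitor_enabled":       boolToGauge(s.BehaviorMonitorEnabled),
		"windows_defender_ioav_protection_enabled":        boolToGauge(s.IoavProtectionEnabled),
		"windows_defender_nis_enabled":                    boolToGauge(s.NISEnabled),
		"windows_defender_on_access_protection_enabled":   boolToGauge(s.OnAccessProtectionEnabled),
		"windows_defender_real_time_protection_enabled":   boolToGauge(s.RealTimeProtectionEnabled),
		"windows_defender_antispyware_signature_age_days": ageToGauge(s.AntispywareSignatureAge),
		"windows_defender_antivirus_signature_age_days":   ageToGauge(s.AntivirusSignatureAge),
		"windows_defender_full_scan_age_days":             ageToGauge(s.FullScanAge),
		"windows_defender_quick_scan_age_days":            ageToGauge(s.QuickScanAge),
	}
}
```

Exposing NaN instead of 4294967295 keeps an alert like "full scan older than 7 days" from firing on a box that has simply never run one; pair it with an explicit alert on absent or NaN values if "never scanned" is itself a finding for you.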

Hi, what's the status for this feature?

lenglet-k avatar Apr 21 '23 15:04 lenglet-k

I have moved on... while this exporter is extremely performant on some things due to great optimizations, it is difficult to customize w/o recompiling for missing capabilities (i.e. in the telegraf win_wmi input plugin). Ideally a lot of the collectors should not be hardcoded around what metrics are available, but instead allow for a more user configuration driven solution. It's a tough balance.

rismoney avatar May 03 '23 18:05 rismoney