Introduction
This article helps you configure a Windows Services Sensor and guides you through the options this sensor offers.
Configure
Before you start the configuration, make sure that you meet the following requirements:
- Activate the remote PowerShell settings on the target host (run the following commands in a PowerShell console on the target)
# Enable PowerShell remoting (WinRM) on the target host
Enable-PSRemoting -Force
# Allow Basic authentication on the WinRM service
Set-Item -Force WSMan:\localhost\Service\Auth\Basic $true
# Allow the WinRM client to send unencrypted traffic
Set-Item -Force WSMan:\localhost\Client\AllowUnencrypted $true
# Allow the WinRM service to accept unencrypted traffic
Set-Item -Force WSMan:\localhost\Service\AllowUnencrypted $true
- Make sure that you have an account which is a member of the local Administrators group of the target host (no need to be a Domain Admin!)
- TCP port 5985 (and 5986) needs to be open between GreenLight and the target host
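To confirm what the prerequisite commands above left enabled on the target host, the following added example (not part of the original article or of GreenLight) reports the WinRM settings, the configured listeners, and whether the monitoring account is a local administrator. The account name is a placeholder; run it in an elevated PowerShell console on the target host.

```powershell
# Added example: audit the WinRM prerequisites on the target host.
# Placeholder account name (an assumption, not taken from the article).
$MonitoringAccount = 'TARGETHOST\svc-monitoring'

function Get-WinRmPrerequisiteReport {
    param([string]$Account)

    # The three WSMan values set by the prerequisite commands.
    $paths = 'WSMan:\localhost\Service\Auth\Basic',
             'WSMan:\localhost\Service\AllowUnencrypted',
             'WSMan:\localhost\Client\AllowUnencrypted'
    $settings = foreach ($p in $paths) {
        [pscustomobject]@{ Check = $p; Value = (Get-Item -Path $p).Value }
    }

    # Configured listeners: WinRM uses 5985 for HTTP and 5986 for HTTPS by default.
    $listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
        ForEach-Object {
            [pscustomobject]@{
                Check = "Listener $($_.Transport)"
                Value = "port $($_.Port), enabled=$($_.Enabled)"
            }
        }

    # Built-in Administrators group, addressed by SID so it works on any OS language.
    $isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.Name -ieq $Account })
    $member = [pscustomobject]@{ Check = "Local admin: $Account"; Value = $isAdmin }

    @($settings) + @($listeners) + $member
}

$report = Get-WinRmPrerequisiteReport -Account $MonitoringAccount
$report | Format-Table -AutoSize

# Basic auth plus AllowUnencrypted with no HTTPS listener means the account's
# password crosses the network base64-encoded, not encrypted.
$basic = ($report | Where-Object Check -like '*Auth\Basic').Value
$clear = ($report | Where-Object Check -like '*Service\AllowUnencrypted').Value
$https = $report | Where-Object Check -eq 'Listener HTTPS'
if ($basic -eq 'true' -and $clear -eq 'true' -and -not $https) {
    Write-Warning 'Basic auth over unencrypted HTTP: credentials are readable on port 5985.'
}
```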
Authentication Profile
We recommend creating an authentication profile in the Communication section, which you can later assign to one or more nodes.
This account needs to have local admin privileges on the target host (as mentioned above).
Server Settings
Now, let's start with the configuration of Windows Services at the node level.
- Open a server and select Windows. In addition, select OS Services and Statistics
- Next, assign the profile which you created before
- On the next page, open the Services tab
Click the Load Services button to retrieve all Windows services from the host.
Once the items have loaded successfully, drag and drop the ones you want to monitor to the right side of the window.
- Save / Close the Server settings
Sensor Settings
Let's create a Windows Services Sensor from the Sensor Template list.
- On the Settings tab, leave Use node settings selected
This way, all services which you have marked as monitored services on the server will be covered. This allows you to use a single sensor for monitoring different hosts with different Windows services.
- As an action you can create the following
Copy/paste: ${result.details['greenlight.osservice.stopped']}
Result
The result is a notification like this
The key/value pairs you get from this sensor are the following