
logon: BREAKING: replace wmi query by Win32 API calls and expose detailed logon sessions. (click PR for more information) #1687

Merged
merged 3 commits into from
Oct 13, 2024

Conversation

jkroepke
Member

@jkroepke jkroepke commented Oct 12, 2024

This PR reworks the logon collector.

It replaces the slow WMI query with Win32 API syscalls. Instead of exposing the number of sessions per type, each logon session is exposed.

The windows_logon_logon_type metric has been replaced by windows_logon_session_logon_timestamp_seconds.

The windows_logon_session_logon_timestamp_seconds metric holds each single session on each system. As value, the logon time is used. Username and domain name are exposed as well.

The status label from the windows_logon_logon_type metric has been renamed to type and matches the case from the Windows documentation: remote_interactive -> RemoteInteractive

If running as the SYSTEM user, system sessions will be exposed as well.

The collection time has been reduced by 90%+.


Old metrics

# HELP windows_exporter_collector_duration_seconds windows_exporter: Duration of a collection.
# TYPE windows_exporter_collector_duration_seconds gauge
windows_exporter_collector_duration_seconds{collector="logon"} 0.0323647
# HELP windows_logon_logon_type Number of active logon sessions (LogonSession.LogonType)
# TYPE windows_logon_logon_type gauge
windows_logon_logon_type{status="batch"} 0
windows_logon_logon_type{status="cached_interactive"} 0
windows_logon_logon_type{status="cached_remote_interactive"} 1
windows_logon_logon_type{status="cached_unlock"} 0
windows_logon_logon_type{status="interactive"} 10
windows_logon_logon_type{status="network"} 10
windows_logon_logon_type{status="network_clear_text"} 0
windows_logon_logon_type{status="new_credentials"} 0
windows_logon_logon_type{status="proxy"} 0
windows_logon_logon_type{status="remote_interactive"} 1
windows_logon_logon_type{status="service"} 5
windows_logon_logon_type{status="system"} 1
windows_logon_logon_type{status="unlock"} 0

New metrics

# HELP windows_logon_session_timestamp_seconds timestamp of the logon session in seconds.
# TYPE windows_logon_session_timestamp_seconds gauge
windows_logon_session_logon_timestamp_seconds{domain="",id="0x0:0x8c54",type="System",username=""} 1.72876928e+09
windows_logon_session_logon_timestamp_seconds{domain="Font Driver Host",id="0x0:0x991a",type="Interactive",username="UMFD-1"} 1.728769282e+09
windows_logon_session_logon_timestamp_seconds{domain="Font Driver Host",id="0x0:0x9933",type="Interactive",username="UMFD-0"} 1.728769282e+09
windows_logon_session_logon_timestamp_seconds{domain="Font Driver Host",id="0x0:0x994a",type="Interactive",username="UMFD-0"} 1.728769282e+09
windows_logon_session_logon_timestamp_seconds{domain="Font Driver Host",id="0x0:0x999d",type="Interactive",username="UMFD-1"} 1.728769282e+09
windows_logon_session_logon_timestamp_seconds{domain="Font Driver Host",id="0x0:0xbf25a",type="Interactive",username="UMFD-2"} 1.728769532e+09
windows_logon_session_logon_timestamp_seconds{domain="Font Driver Host",id="0x0:0xbf290",type="Interactive",username="UMFD-2"} 1.728769532e+09
windows_logon_session_logon_timestamp_seconds{domain="JKROEPKE",id="0x0:0x130241",type="Network",username="vm-jok-dev$"} 1.728769625e+09
windows_logon_session_logon_timestamp_seconds{domain="JKROEPKE",id="0x0:0x24f7c9",type="Network",username="vm-jok-dev$"} 1.728770121e+09
windows_logon_session_logon_timestamp_seconds{domain="JKROEPKE",id="0x0:0x276846",type="Network",username="vm-jok-dev$"} 1.728770195e+09
windows_logon_session_logon_timestamp_seconds{domain="JKROEPKE",id="0x0:0x3e4",type="Service",username="vm-jok-dev$"} 1.728769283e+09
windows_logon_session_logon_timestamp_seconds{domain="JKROEPKE",id="0x0:0x3e7",type="System",username="vm-jok-dev$"} 1.728769279e+09
windows_logon_session_logon_timestamp_seconds{domain="JKROEPKE",id="0x0:0x71d0f",type="Network",username="vm-jok-dev$"} 1.728769324e+09
windows_logon_session_logon_timestamp_seconds{domain="JKROEPKE",id="0x0:0x720a3",type="Network",username="vm-jok-dev$"} 1.728769324e+09
windows_logon_session_logon_timestamp_seconds{domain="JKROEPKE",id="0x0:0x725cb",type="Network",username="vm-jok-dev$"} 1.728769324e+09
windows_logon_session_logon_timestamp_seconds{domain="JKROEPKE",id="0x0:0x753d8",type="Network",username="vm-jok-dev$"} 1.728769325e+09
windows_logon_session_logon_timestamp_seconds{domain="JKROEPKE",id="0x0:0xa3913",type="Network",username="vm-jok-dev$"} 1.728769385e+09
windows_logon_session_logon_timestamp_seconds{domain="JKROEPKE",id="0x0:0xbe7f2",type="Network",username="jok"} 1.728769531e+09
windows_logon_session_logon_timestamp_seconds{domain="JKROEPKE",id="0x0:0xc76c4",type="RemoteInteractive",username="jok"} 1.728769533e+09
windows_logon_session_logon_timestamp_seconds{domain="NT AUTHORITY",id="0x0:0x3e3",type="Service",username="IUSR"} 1.728769295e+09
windows_logon_session_logon_timestamp_seconds{domain="NT AUTHORITY",id="0x0:0x3e5",type="Service",username="LOCAL SERVICE"} 1.728769283e+09
windows_logon_session_logon_timestamp_seconds{domain="NT Service",id="0x0:0xae4c7",type="Service",username="MSSQLSERVER"} 1.728769425e+09
windows_logon_session_logon_timestamp_seconds{domain="NT Service",id="0x0:0xb42f1",type="Service",username="SQLTELEMETRY"} 1.728769431e+09
windows_logon_session_logon_timestamp_seconds{domain="Window Manager",id="0x0:0xbfbac",type="Interactive",username="DWM-2"} 1.728769532e+09
windows_logon_session_logon_timestamp_seconds{domain="Window Manager",id="0x0:0xbfc72",type="Interactive",username="DWM-2"} 1.728769532e+09
windows_logon_session_logon_timestamp_seconds{domain="Window Manager",id="0x0:0xdedd",type="Interactive",username="DWM-1"} 1.728769283e+09
windows_logon_session_logon_timestamp_seconds{domain="Window Manager",id="0x0:0xdefd",type="Interactive",username="DWM-1"} 1.728769283e+09
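The change above trades one counter per logon type for one sample per session, so anything built on windows_logon_logon_type has to aggregate the new metric instead. The Go program below is an added example, not code from this PR or from windows_exporter: it parses exposition text in the new shape (a constructed excerpt modelled on the output above, with placeholder domain and user names) and rebuilds the old per-type counts. The CamelCase-to-snake_case mapping in OldStatusLabel generalizes the single RemoteInteractive -> remote_interactive case given in the description to the other types; that generalization is my assumption. In PromQL the same aggregation is `count by (type) (windows_logon_session_logon_timestamp_seconds)`.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"unicode"
)

// metricName is the per-session metric introduced by the PR.
const metricName = "windows_logon_session_logon_timestamp_seconds"

// sampleExposition is a constructed scrape excerpt in the shape of the new
// metric. Domain and user names are placeholders, not values from a real host.
// The trailing line belongs to another metric and must be ignored by the parser.
const sampleExposition = `# HELP windows_logon_session_logon_timestamp_seconds timestamp of the logon session in seconds.
# TYPE windows_logon_session_logon_timestamp_seconds gauge
windows_logon_session_logon_timestamp_seconds{domain="",id="0x0:0x3e7",type="System",username=""} 1.728769279e+09
windows_logon_session_logon_timestamp_seconds{domain="Window Manager",id="0x0:0xdedd",type="Interactive",username="DWM-1"} 1.728769283e+09
windows_logon_session_logon_timestamp_seconds{domain="Font Driver Host",id="0x0:0x991a",type="Interactive",username="UMFD-1"} 1.728769282e+09
windows_logon_session_logon_timestamp_seconds{domain="EXAMPLE",id="0x0:0x71d0f",type="Network",username="host01$"} 1.728769324e+09
windows_logon_session_logon_timestamp_seconds{domain="EXAMPLE",id="0x0:0x720a3",type="Network",username="host01$"} 1.728769324e+09
windows_logon_session_logon_timestamp_seconds{domain="EXAMPLE",id="0x0:0xbe7f2",type="Network",username="alice"} 1.728769531e+09
windows_logon_session_logon_timestamp_seconds{domain="NT AUTHORITY",id="0x0:0x3e5",type="Service",username="LOCAL SERVICE"} 1.728769283e+09
windows_logon_session_logon_timestamp_seconds{domain="NT Service",id="0x0:0xae4c7",type="Service",username="MSSQLSERVER"} 1.728769425e+09
windows_logon_session_logon_timestamp_seconds{domain="EXAMPLE",id="0x0:0xc76c4",type="RemoteInteractive",username="alice"} 1.728769533e+09
windows_exporter_collector_duration_seconds{collector="logon"} 0.0023
`

// LogonSession is one parsed sample of the new metric.
type LogonSession struct {
	ID        string  // LUID of the session, e.g. "0x0:0x3e7"
	Domain    string
	Username  string
	Type      string  // CamelCase logon type, e.g. "RemoteInteractive"
	LogonTime float64 // sample value: logon time in seconds since the Unix epoch
}

// parseLabels parses the inside of a `{k="v",...}` label block, honouring
// backslash escapes inside quoted values (so a domain with spaces or quotes is safe).
func parseLabels(s string) (map[string]string, error) {
	labels := make(map[string]string)
	for i := 0; i < len(s); {
		eq := strings.IndexByte(s[i:], '=')
		if eq < 0 {
			return nil, fmt.Errorf("missing '=' in labels %q", s)
		}
		key := strings.TrimSpace(s[i : i+eq])
		i += eq + 1
		if i >= len(s) || s[i] != '"' {
			return nil, fmt.Errorf("label %q: value must be quoted", key)
		}
		i++ // opening quote
		var val strings.Builder
		for i < len(s) && s[i] != '"' {
			if s[i] == '\\' && i+1 < len(s) {
				i++ // escaped character: keep it literally (\" -> ", \\ -> \)
			}
			val.WriteByte(s[i])
			i++
		}
		if i >= len(s) {
			return nil, fmt.Errorf("label %q: unterminated value", key)
		}
		i++ // closing quote
		labels[key] = val.String()
		if i < len(s) && s[i] == ',' {
			i++
		}
	}
	return labels, nil
}

// ParseLogonSessions extracts every sample of metricName from exposition text,
// skipping HELP/TYPE comments, blank lines and samples of other metrics.
func ParseLogonSessions(text string) ([]LogonSession, error) {
	var sessions []LogonSession
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || !strings.HasPrefix(line, metricName+"{") {
			continue
		}
		end := strings.LastIndexByte(line, '}') // label values never contain '}' for this metric
		if end < 0 {
			return nil, fmt.Errorf("malformed sample: %q", line)
		}
		labels, err := parseLabels(line[len(metricName)+1 : end])
		if err != nil {
			return nil, fmt.Errorf("sample %q: %w", line, err)
		}
		value, err := strconv.ParseFloat(strings.TrimSpace(line[end+1:]), 64)
		if err != nil {
			return nil, fmt.Errorf("sample %q: %w", line, err)
		}
		sessions = append(sessions, LogonSession{
			ID: labels["id"], Domain: labels["domain"], Username: labels["username"],
			Type: labels["type"], LogonTime: value,
		})
	}
	return sessions, sc.Err()
}

// CountByType rebuilds the old windows_logon_logon_type values: sessions per type.
func CountByType(sessions []LogonSession) map[string]int {
	counts := make(map[string]int)
	for _, s := range sessions {
		counts[s.Type]++
	}
	return counts
}

// OldStatusLabel maps the new CamelCase type label back to the old snake_case
// status label (RemoteInteractive -> remote_interactive). Assumed to hold for all types.
func OldStatusLabel(t string) string {
	var b strings.Builder
	for i, r := range t {
		if unicode.IsUpper(r) {
			if i > 0 {
				b.WriteByte('_')
			}
			r = unicode.ToLower(r)
		}
		b.WriteRune(r)
	}
	return b.String()
}

// OldStyleCounts parses text and returns counts keyed by the old status labels.
func OldStyleCounts(text string) (map[string]int, error) {
	sessions, err := ParseLogonSessions(text)
	if err != nil {
		return nil, err
	}
	old := make(map[string]int)
	for typ, n := range CountByType(sessions) {
		old[OldStatusLabel(typ)] = n
	}
	return old, nil
}

func main() {
	old, err := OldStyleCounts(sampleExposition)
	if err != nil {
		panic(err)
	}
	keys := make([]string, 0, len(old))
	for k := range old {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("windows_logon_logon_type{status=%q} %d\n", k, old[k])
	}
}
```

Because the new metric carries the session LUID, domain and user, the per-type counts are the coarsest view; the same parsed sessions can also be grouped by username, or filtered to Network and RemoteInteractive types, to spot accounts logged on from where they normally are not.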

@jkroepke jkroepke changed the title logon: BREAKING: replace wmi query by Win32 API calls and expose detailed logon. (click PR for more information) logon: BREAKING: replace wmi query by Win32 API calls and expose detailed logon sessions. (click PR for more information) Oct 12, 2024
…iled logon. (click PR for more information)

Signed-off-by: Jan-Otto Kröpke <[email protected]>
…iled logon. (click PR for more information)

Signed-off-by: Jan-Otto Kröpke <[email protected]>
@jkroepke jkroepke marked this pull request as ready for review October 12, 2024 22:12
@jkroepke jkroepke requested a review from a team as a code owner October 12, 2024 22:12
…iled logon. (click PR for more information)

Signed-off-by: Jan-Otto Kröpke <[email protected]>
@jkroepke
Member Author

@JDA88 what did you think about that change?

Is the extra information worth it? Or just keep the counters?

@JDA88
Contributor

JDA88 commented Oct 13, 2024

I currently don't use this metric, but the new one looks good!

@jkroepke jkroepke merged commit d1517d8 into prometheus-community:master Oct 13, 2024
8 checks passed
@jkroepke jkroepke deleted the logon branch October 13, 2024 08:19