The most common way to monitor the underlying hardware of an ESXi server is to use the integrated CIM Server. The CIM Server reads the current operational or health status of each hardware element and represents this in the output.
But since ESXi version 6.5 the CIM Server is stopped and disabled by default. This article shows how to correctly enable and start the CIM Server (aka WBEM service) in ESXi 8.
The official documentation from VMware is Knowledge Base Article #1025757. According to this KB article, it's enough to start the CIM Server service in the vSphere UI.
However, when trying to start the sfcbd-watchdog (CIM Server) service, the status switches back to "Stopped" after a few seconds.
The reason for this is that the service itself is administratively disabled (and unable to be started) by default. This is not shown in the UI, though, and the service can only be enabled using the esxcli command, directly on the ESXi server.
To be able to execute commands directly on the ESXi server(s), we first need to be able to connect to the ESXi server using SSH.
Once logged in to the vSphere User Interface (using the browser and the IP address of the ESXi server), click on "Manage" (under the Host entry) in the left-side navigation. On the right side, click on the tab "Services". Scroll down the list of services until you find the "TSM-SSH" service, which is stopped by default.
Select the TSM-SSH service and click on Start above.
Now use your terminal (if you're on Linux or macOS) or an SSH client such as PuTTY (if you're on Windows) to connect to the IP of the ESXi server. Use the "root" user with the known password (the same one you used to log in to the UI).
ck@desktop ~ $ ssh 192.168.15.115 -l root
The authenticity of host '192.168.15.115 (192.168.15.115)' can't be established.
ECDSA key fingerprint is SHA256:FVX5WJiyiTMzXO+2irzSxItA23n9f65jKnZW66V5L9M.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.15.115' (ECDSA) to the list of known hosts.
Password:
The time and date of this login have been sent to the system logs.
WARNING:
All commands run on the ESXi shell are logged and may be included in
support bundles. Do not provide passwords directly on the command line.
Most tools can prompt for secrets or accept them from standard input.
VMware offers supported, powerful system administration tools. Please
see www.vmware.com/go/sysadmintools for details.
The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.
[root@localhost:~]
A manual start of the sfcbd-watchdog service confirms the same behaviour as in the UI:
[root@localhost:~] /etc/init.d/sfcbd-watchdog start
sfcbd-init[134838]: args ('start')
sfcbd-init[134838]: Getting Exclusive access, please wait...
sfcbd-init[134838]: Exclusive access granted.
sfcbd-init[134838]: Request to start sfcbd-watchdog, pid 134838
sfcbd-init[134838]: sfcbd not started, administratively disabled.
To definitely enable this service, we first need to enable the "wbem" service using esxcli:
[root@localhost:~] esxcli system wbem set -e true
To verify the current settings of that service we can show the details:
[root@localhost:~] esxcli system wbem get
Enabled: true
WS-Management Service: true
Enable HTTPS: true
Authorization Model: password
Port: 5989
HTTP Procs: 2
HTTPS Procs: 4
Provider Procs: 16
Keepalive Timeout: 1
Keepalive Max Requests: 10
Provider Sample Interval: 30
Provider Timeout Interval: 120
HTTP Max Content Length: 1048576
Max Message Length: 40000000
Thread Stack Size: 1048576
Provider Resource Pool Override:
SSL Cipher List: ECDHE+AESGCM:ECDHE+AES
Threadpool Size: 5
Readonly: false
Log Level: warning
Service Location Protocol PID: 0
WS-Management PID: 134939
CIM Object Manager PID: 134967
Enabled SSL Protocols:
Enabled System SSL Protocols: tlsv1.2
Enabled Running SSL Protocols: tlsv1.2
Enabled is now set to true.
Enabling the "wbem" service should also have auto-started the sfcbd-watchdog service:
[root@localhost:~] /etc/init.d/sfcbd-watchdog status
sfcbd-init[134989]: args ('status')
sfcbd-init[134989]: Getting Exclusive access, please wait...
sfcbd-init[134989]: Exclusive access granted.
sfcbd is running
If the service was not started, you can now either start the service in the vSphere UI or on the command line:
[root@localhost:~] /etc/init.d/sfcbd-watchdog start
You should now be able to communicate with the CIM server using tcp/5989:
ck@desktop ~ $ telnet 192.168.15.115 5989
Trying 192.168.15.115...
Connected to 192.168.15.115.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
This now also allows the check_esxi_hardware monitoring plugin to read the hardware status from the ESXi server.
For security reasons, don't forget to disable the SSH service once the CIM Server has been enabled.
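The verification steps above (the "esxcli system wbem get" output and the running sfcbd process) can be checked by a script before SSH is switched off again. The following is an added example, not part of the original article or of VMware's tooling: a POSIX shell function with the hypothetical name wbem_audit that reads that output on stdin and reports a disabled service, disabled HTTPS, protocols other than tlsv1.2/tlsv1.3, or a missing CIM Object Manager PID. The sample input is constructed; the comma-separated protocol list and "PID 0 means not running" are assumptions.

```shell
#!/bin/sh
# Added example: audit `esxcli system wbem get` output read from stdin.
# Prints one line per finding and returns 1 if there is any, otherwise 0.
wbem_audit() {
    awk '
    {
        sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
        i = index($0, ":"); if (i == 0) next
        val = substr($0, i + 1); sub(/^[ \t]+/, "", val)
        kv[substr($0, 1, i - 1)] = val          # split on the first colon only
    }
    END {
        n = 0
        if (kv["Enabled"] != "true")
            f[++n] = "wbem is administratively disabled, sfcbd-watchdog will not stay started"
        if (kv["Enable HTTPS"] != "true")
            f[++n] = "HTTPS is not enabled for the CIM server"
        # Assumption: several protocols are listed separated by commas or spaces.
        m = split(kv["Enabled Running SSL Protocols"], p, /[ ,]+/)
        for (j = 1; j <= m; j++)
            if (p[j] != "" && p[j] != "tlsv1.2" && p[j] != "tlsv1.3")
                f[++n] = "legacy protocol offered: " p[j]
        # Assumption: a PID of 0 means the process is not running.
        if (kv["Enabled"] == "true" && kv["CIM Object Manager PID"] + 0 == 0)
            f[++n] = "wbem enabled but the CIM Object Manager (sfcbd) has no PID"
        for (j = 1; j <= n; j++) print "FINDING: " f[j]
        if (n == 0)
            print "OK: CIM server up on port " kv["Port"] ", protocols " kv["Enabled Running SSL Protocols"]
        exit (n > 0)
    }'
}

# Constructed sample: a host still in the default (disabled) state.
SAMPLE_DISABLED='   Enabled: false
   Enable HTTPS: true
   Port: 5989
   CIM Object Manager PID: 0
   Enabled Running SSL Protocols: tlsv1.2'

printf '%s\n' "$SAMPLE_DISABLED" | wbem_audit || true
```

With the function loaded in the workstation shell, the host's real output can be piped in over the SSH session used above: ssh root@192.168.15.115 esxcli system wbem get | wbem_audit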
john from wrote on Sep 27th, 2024:
Thanks a lot for the info! no official info as you mentioned!